SELinux policy - not working
Each day I get error messages because of the ClamAV scan. It is a SELinux problem. I already have a SELinux module created, but the error is not solved. Could anyone have a look at it?
I think the module should allow write and read access to the files for clamscan?
SELinux error:
Additional Information:
Source Context system_u:system_r:antivirus_t:s0-s0:c0.c1023
Target Context system_u:object_r:httpd_sys_rw_content_t:s0
Target Objects sess_604rv54bntl70jig0bjf1lfja4 [ file ]
Source clamscan
Source Path /usr/bin/clamscan
Port <Unknown>
Host myserver.com
Source RPM Packages clamav-0.99.1-1.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-60.el7_2.3.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name myserver.com
Platform Linux myserver.com 3.10.0-327.18.2.el7.x86_64 #1 SMP Thu May 12 11:03:55 UTC 2016 x86_64 x86_64
Alert Count 94
First Seen 2016-05-15 03:56:15 CEST
Last Seen 2016-05-17 03:45:49 CEST
Local ID 68ee97b8-2226-4481-97be-1eeccbb0e566
Raw Audit Messages
type=AVC msg=audit(1463449549.453:49931): avc: denied { read } for pid=9274 comm="clamscan" name="sess_604rv54bntl70jig0bjf1lfja4" dev="dm-1" ino=67123073 scontext=system_u:system_r:antivirus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
type=SYSCALL msg=audit(1463449549.453:49931): arch=x86_64 syscall=open success=no exit=EACCES a0=7f16e0aee540 a1=0 a2=0 a3=fffffffffffffb85 items=0 ppid=9135 pid=9274 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=5454 comm=clamscan exe=/usr/bin/clamscan subj=system_u:system_r:antivirus_t:s0-s0:c0.c1023 key=(null)
Hash: clamscan,antivirus_t,httpd_sys_rw_content_t,file,read
And here the policy:
module clamscanlocal 1.0;
require {
type antivirus_t;
type httpd_sys_rw_content_t;
type usr_t;
class dir search;
class file { write read getattr append };
}
#============= antivirus_t ==============
#!!!! This avc can be allowed using the boolean 'antivirus_can_scan_system'
allow antivirus_t httpd_sys_rw_content_t:dir search;
#!!!! This avc can be allowed using the boolean 'antivirus_can_scan_system'
allow antivirus_t httpd_sys_rw_content_t:file getattr;
allow antivirus_t usr_t:file { write read append };
Why not just enable the boolean, as stated by the audit2allow output, instead of creating a policy?
setsebool -P antivirus_can_scan_system=on
Good SELinux tutorials: https://wiki.gentoo.org/wiki/SELinux/Tutorials
Modify the policy rule in your file (second last line); an additional read permission is added here:
allow antivirus_t httpd_sys_rw_content_t:file {read getattr};
Also, if possible, change your enforcing mode to permissive mode. Ref: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_selinux/changing-selinux-states-and-modes_using-selinux
If your error is solved and no audit logs are found, then change the mode back to enforcing.
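As an added example (not code from the question or either answer), a small POSIX shell script that derives the allow rule the quoted AVC line needs and then checks whether a module's allow rules already list that permission, which is exactly what the posted module was missing. The AVC line and the module texts are constructed copies of what the question shows; the function names avc_to_allow and module_grants are mine.

```shell
#!/bin/sh
# Added example: derive the allow rule a raw "avc: denied" line needs and
# check whether a module source already grants it. AVC and module texts
# are constructed copies of what the question shows.

AVC='type=AVC msg=audit(1463449549.453:49931): avc: denied { read } for pid=9274 comm="clamscan" name="sess_604rv54bntl70jig0bjf1lfja4" dev="dm-1" ino=67123073 scontext=system_u:system_r:antivirus_t:s0-s0:c0.c1023 tcontext=system_u:object_r:httpd_sys_rw_content_t:s0 tclass=file'

# Allow rules from the asker's module as posted: the file rule grants only getattr.
MODULE='module clamscanlocal 1.0;
allow antivirus_t httpd_sys_rw_content_t:dir search;
allow antivirus_t httpd_sys_rw_content_t:file getattr;'

# The same rules with the second answer's correction applied.
FIXED_MODULE='module clamscanlocal 1.0;
allow antivirus_t httpd_sys_rw_content_t:dir search;
allow antivirus_t httpd_sys_rw_content_t:file {read getattr};'

# avc_to_allow LINE: print the allow rule covering one denial line.
# The type is the third colon-separated field of each security context.
avc_to_allow() {
  line=$1
  perms=$(printf '%s\n' "$line" | sed -n 's/.*denied { *\([^}]*[^} ]\) *}.*/\1/p')
  src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
  cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
  [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
  printf 'allow %s %s:%s { %s };\n' "$src" "$tgt" "$cls" "$perms"
}

# module_grants SRC TGT CLASS PERM TEXT: succeed if an allow rule in TEXT
# lists PERM for SRC TGT:CLASS (permission set with or without braces).
module_grants() {
  src=$1; tgt=$2; cls=$3; perm=$4; text=$5
  printf '%s\n' "$text" |
    sed -n "s/^allow $src $tgt:$cls \(.*\);\$/\1/p" |
    tr -d '{}' | tr ' ' '\n' | grep -qx "$perm"
}

rule=$(avc_to_allow "$AVC") && echo "rule needed: $rule"
if module_grants antivirus_t httpd_sys_rw_content_t file read "$MODULE"; then
  echo "posted module already covers the denial"
else
  echo "posted module lacks read on httpd_sys_rw_content_t:file"
fi
module_grants antivirus_t httpd_sys_rw_content_t file read "$FIXED_MODULE" &&
  echo "corrected module covers the denial"
```

Enabling antivirus_can_scan_system as the first answer suggests makes the custom rule unnecessary; the script only shows why the posted module did not stop the denial.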