为自定义 systemd 服务创建 SELinux 策略

tag-icon tag-icon linux fedora systemd security selinux
为自定义 systemd 服务创建 SELinux 策略

我正在使用的Fedora Workstation 27 Live操作系统希望在EnableBIOS.service操作系统启动的同时运行自定义服务。为此,我必须禁用SELinux在我的环境中导致问题的功能。所以,我无法禁用SELinux.

作为替代方案,我尝试SELinux policy为我的自定义服务创建一个,但没有取得任何突破。

该服务正在记录以下消息/var/log/audit/audit.log

type=SERVICE_START msg=audit(1527782475.777:239): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=EnableHBA comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1527782475.779:240): avc:  denied  { execute } for  pid=4223 comm="(leHBA.sh)" name="enableHBA.sh" dev="dm-0" ino=38164 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SERVICE_STOP msg=audit(1527782475.782:241): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=EnableHBA comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=failed'

和,

[root@localserver]# audit2allow -w -a
type=AVC msg=audit(1527782475.779:240): avc:  denied  { execute } for  pid=4223 comm="(leHBA.sh)" name="enableHBA.sh" dev="dm-0" ino=38164 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
        Was caused by:
                Unknown - would be allowed by active policy
                Possible mismatch between this policy and the one under which the audit message was generated.

                Possible mismatch between current in-memory boolean settings vs. permanent ones.

为了创建SELinux policy,我执行了以下命令:

[root@localserver]# grep enableHBA /var/log/audit/audit.log | audit2allow -M enablehba
[root@localserver]# semodule -i enablehba.pp

执行此操作后,我尝试再次运行我的服务,记录的消息是:

[root@localserver]# audit2allow -w -a
type=AVC msg=audit(1527782959.912:250): avc:  denied  { read open } for  pid=4612 comm="(leHBA.sh)" path="/root/enableHBA/enableHBA.sh" dev="dm-0" ino=38164 scontext=system_u:system_r:init_t:s0 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

我想知道我哪里做错了或者有没有其他方法可以达到我的要求。

答案1

将脚本移至 /usr/local/sbin 并检查该脚本是否正确标记为bin_t

该脚本应该不受限制地运行并拥有它所需的所有权限

相关内容