我需要在浏览器中运行 TCP Traceroute,但收到一些 SElinux 警报。
我尝试使用 ,audit2allow
例如 创建一个策略,ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
并semodule -i my-traceroute.pp
删除警报,但跟踪路由仍然不起作用并返回消息:
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵"
。添加这些策略后,没有 AVC 警报。只是send: Permission denied↵
从服务器发回的消息。
我什至尝试制定自己的政策,例如
module traceroute 1.0;
require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}
#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };
和
checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp
但这似乎没有任何作用。
如果我将 SElinux 设置为permissive
Traceroute,则运行不会出现问题。
注意:我已经设置了允许 Traceroute 以非 root 用户身份运行的功能,例如在 /usr/bin/traceroute 上设置 cap_net_raw+ep
有任何想法吗??
警报:
SELinux is preventing /usr/bin/traceroute from create access on the rawip_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed create access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2019-03-05 15:45:17 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID a747c347-fced-47ae-a1e8-97753dfde465
Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108250): avc: denied { create } for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.735:1108250): avc: denied { net_raw } for pid=24122 comm="traceroute" capability=13 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1551801996.735:1108250): arch=x86_64 syscall=socket success=yes exit=ESRCH a0=2 a1=3 a2=6 a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: traceroute,httpd_t,httpd_t,rawip_socket,create
-----------------------
SELinux is preventing /usr/bin/traceroute from bind access on the rawip_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed bind access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 82af42ef-6a01-4a8f-84da-79e2119e65b3
Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108251): avc: denied { bind } for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.735:1108251): avc: denied { node_bind } for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1551801996.735:1108251): arch=x86_64 syscall=bind success=yes exit=0 a0=3 a1=7ffea5136340 a2=1c a3=7ffea5135da0 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: traceroute,httpd_t,httpd_t,rawip_socket,bind
---------------------
SELinux is preventing /usr/bin/traceroute from setopt access on the rawip_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed setopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 104114b1-9024-412d-a195-57eef1be45e3
Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108252): avc: denied { setopt } for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1551801996.736:1108252): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=3 a1=0 a2=a a3=7ffea5136398 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: traceroute,httpd_t,httpd_t,rawip_socket,setopt
------------------
SELinux is preventing /usr/bin/traceroute from connect access on the rawip_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed connect access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID ad1eedfa-b54a-4dfb-b719-3d402a686d95
Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108253): avc: denied { connect } for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1551801996.736:1108253): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=60f4d0 a2=1c a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: traceroute,httpd_t,httpd_t,rawip_socket,connect
-----------------
SELinux is preventing /usr/bin/traceroute from getattr access on the rawip_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed getattr access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID cdd75a7d-152b-49fe-a7c8-b9e437655d63
Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108254): avc: denied { getattr } for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1551801996.736:1108254): arch=x86_64 syscall=getsockname success=yes exit=0 a0=3 a1=7ffea5136400 a2=7ffea51363fc a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: traceroute,httpd_t,httpd_t,rawip_socket,getattr
------------------
SELinux is preventing /usr/bin/traceroute from getopt access on the rawip_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed getopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 97c5dfcd-ffe3-48e4-83ef-dfc526487bba
Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108255): avc: denied { getopt } for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1551801996.736:1108255): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=3 a1=0 a2=e a3=7ffea51363f8 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: traceroute,httpd_t,httpd_t,rawip_socket,getopt
---------------
SELinux is preventing /usr/bin/traceroute from read access on the file tcp_ecn.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed read access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects tcp_ecn [ file ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 8f5dab14-4937-4ca5-abc8-23c0c5cb12f3
Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied { read } for pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
Hash: traceroute,httpd_t,sysctl_net_t,file,read
----------------
SELinux is preventing traceroute from open access on the file /proc/sys/net/ipv4/tcp_ecn.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed open access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects /proc/sys/net/ipv4/tcp_ecn [ file ]
Source traceroute
Source Path traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 3
First Seen 2019-03-04 13:32:25 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 7f65540c-60f9-4566-8ab7-52d4f48d6389
Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied { open } for pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
Hash: traceroute,httpd_t,sysctl_net_t,file,open
答案1
我自己已经弄清楚了,所以我会回答我自己的问题。
答案是做我已经在OP中尝试过的两件事,但同时使用它们。以前我只尝试过使用audit2allow
来创建策略,当它不起作用时,我会禁用这些策略并尝试创建我自己的策略。
因此,要使其正常工作,首先使用audit2allow
警报创建策略。
ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
然后运行
semodule -i my-traceroute.pp
然后创建另一个自定义策略,该策略基本上允许为非root 用户打开原始IP 套接字,这是执行traceroute 命令所需的。
创建一个名为traceroute.tt的文件并向其中添加以下内容:
module traceroute 1.0;
require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}
#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };
然后运行以下命令(以 root 用户身份):
checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp
完毕 :)