Configuring selinux on CentOS 6.4 to allow openldap

I'm trying to run an OpenLDAP server on CentOS 6.4 with selinux enabled, but slapd dies when started via /etc/init.d/slapd start. (The init script reports OK; everything works fine after setenforce 0.)

I found these messages in /var/log/audit/audit.log:

type=AVC msg=audit(1372888328.397:3262): avc:  denied  { write } for  pid=1492 comm="slapd" name="slapd.log" dev=dm-0 ino=4348 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1372888328.397:3262): arch=40000003 syscall=5 success=no exit=-13 a0=1bd1018 a1=241 a2=1b6 a3=7ea191 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(1372888328.408:3263): avc:  denied  { sys_nice } for  pid=1492 comm="slapd" capability=23  scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability
type=SYSCALL msg=audit(1372888328.408:3263): arch=40000003 syscall=156 success=yes exit=0 a0=5d4 a1=0 a2=bfe64968 a3=b787a6c0 items=0 ppid=1491 pid=1492 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null)
type=AVC msg=audit(1372888328.424:3264): avc:  denied  { read } for  pid=1493 comm="slapd" name="log.0000000001" dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1372888328.424:3264): arch=40000003 syscall=5 success=no exit=-13 a0=1c78270 a1=8000 a2=0 a3=0 items=0 ppid=1 pid=1493 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=337 comm="slapd" exe="/usr/sbin/slapd" subj=unconfined_u:system_r:slapd_t:s0 key=(null)

But I don't know how to fix it. How do I tell selinux to allow the LDAP daemon to run?

I tried

restorecon -v -F -R /etc/openldap
restorecon -v -F -R /var/lib/ldap

but that doesn't work (in fact it seems to have broken my ability to start slapd even with selinux disabled). I got lots of messages like this:

restorecon reset /etc/openldap/cacerts context unconfined_u:object_r:etc_t:s0->system_u:object_r:etc_t:s0

Answer 1

If you filter the audit log through audit2allow(1) and audit2why you will get a rough idea of what is going on:

#============= slapd_t ==============
allow slapd_t self:capability sys_nice;
allow slapd_t var_log_t:file { write read };
------------------------------------

    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1372888328.408:3263): avc:  denied  { sys_nice } for  pid=1492 comm=slapd capability=23  scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability

    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

type=AVC msg=audit(1372888328.424:3264): avc:  denied  { read } for  pid=1493 comm=slapd name=log.0000000001 dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file

    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

Check the labels

Restoring labels is unlikely to prevent you from starting the service if SELinux is in permissive mode. Also, why the -F switch?

To know whether the labels of a directory or file have to be restored, first find out which context the file or directory should have:

# matchpathcon /etc/openldap/
/etc/openldap   system_u:object_r:etc_t:s0

Then list its security context:

# ls -ldZ /etc/openldap/
drwxr-xr-x. root root system_u:object_r:etc_t:s0       /etc/openldap//

In this example no further action is needed.

Regarding your problem: the issue is not the labels as such, but a missing type enforcement rule, i.e. one that allows a labelled process to transition, for example, from one confined domain to another, or to read files carrying a certain label.

Creating a SELinux module

You can try to build a module that allows slapd_t to perform the actions that show up in audit.log. You may need to fine-tune the code. Use audit2allow and make for this task. All commands are well documented in their respective man pages. The procedure is roughly as follows (after copying the relevant information into audit.txt):

audit2allow -i audit.txt -m slapd -o slapd.te
make -f /usr/share/selinux/devel/Makefile load

Also, check whether a bug report against the SELinux policy already exists for this problem.
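Added example, not part of the answer above: a small Python script that does, for the three AVC records in the question, what the audit2allow step of the procedure does, namely collecting the denied permissions per source type, target type and object class and rendering them as TE allow rules, so you can see where the two rules quoted above come from and review them before loading anything. The function names parse_avc, te_rules and context_type are assumptions for this example; the sample log text is constructed from the records in the question.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC records from the question's audit.log excerpt,
# plus one trimmed SYSCALL record to show that non-AVC lines are skipped.
AUDIT_LOG = """\
type=AVC msg=audit(1372888328.397:3262): avc:  denied  { write } for  pid=1492 comm="slapd" name="slapd.log" dev=dm-0 ino=4348 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
type=SYSCALL msg=audit(1372888328.397:3262): arch=40000003 syscall=5 success=no exit=-13 comm="slapd"
type=AVC msg=audit(1372888328.408:3263): avc:  denied  { sys_nice } for  pid=1492 comm="slapd" capability=23  scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:system_r:slapd_t:s0 tclass=capability
type=AVC msg=audit(1372888328.424:3264): avc:  denied  { read } for  pid=1493 comm="slapd" name="log.0000000001" dev=dm-0 ino=263969 scontext=unconfined_u:system_r:slapd_t:s0 tcontext=unconfined_u:object_r:var_log_t:s0 tclass=file
"""

# Pull the permission set, both contexts and the object class out of an AVC record.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type (third field) of a user:role:type:level context."""
    return ctx.split(":")[2]

def parse_avc(log_text):
    """Aggregate denied permissions keyed by (source type, target type, class)."""
    rules = defaultdict(list)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records carry no access decision
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        for perm in m["perms"].split():
            if perm not in rules[key]:
                rules[key].append(perm)
    return rules

def te_rules(rules):
    """Render the aggregated denials as TE allow rules the way audit2allow does."""
    out = []
    for (stype, ttype, tclass), perms in rules.items():
        target = "self" if stype == ttype else ttype  # same type as source -> self
        perm_txt = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {stype} {target}:{tclass} {perm_txt};")
    return out

if __name__ == "__main__":
    # Review each rule before loading it: 'write' on var_log_t covers every
    # var_log_t file under /var/log, not just slapd's own log file.
    for rule in te_rules(parse_avc(AUDIT_LOG)):
        print(rule)
```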
