I launch a bash script (synchronously from Java, running as the glassfish user) that starts a command as another user (say myUser):
#!/bin/bash
echo myPassword | su -c "command" myUser &
When I launch this script from a bash shell as the glassfish user, the command executes immediately. But when I launch the script from Java, the command executes only after 10-15 seconds.
It looks like some kind of login security timeout?
I wonder whether this is related to SELinux? Here is the command line that launches the Java program (Glassfish):
/usr/share/glassfish3/glassfish/bin/asadmin start-domain
Here is the SELinux status of the asadmin launcher script:
$ ls -Z /usr/share/glassfish3/bin/asadmin
-rwxr-xr-x. glassfish glassfish unconfined_u:object_r:bin_t:s0 /usr/share/glassfish3/bin/asadmin
I am running:
- GNU bash, version 4.2.53(1)-release (x86_64-redhat-linux-gnu) on CentOS 6.4
- Java 1.6.45 x86_64 and Glassfish 3.1.2.2
Update: in response to @larsks' comment
SELinux is in enforcing mode. Here is the audit log produced when the script is executed from Java:
BEFORE THE COMMAND
type=SERVICE_START msg=audit(1438862733.335:8932): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="fprintd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_AVC msg=audit(1438862733.336:8933): pid=883 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.2520 spid=16027 tpid=16026 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
HERE IS THE 10-15s WAIT
type=USER_AUTH msg=audit(1438862758.408:8934): pid=16026 uid=1001 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:authentication acct="administrator" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1438862758.410:8935): pid=16026 uid=1001 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:accounting acct="administrator" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=CRED_ACQ msg=audit(1438862758.411:8936): pid=16026 uid=1001 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="administrator" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1438862758.422:8937): pid=16026 uid=1001 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="administrator" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1438862758.429:8938): pid=16026 uid=1001 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="administrator" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1438862758.429:8939): pid=16026 uid=1001 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="administrator" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'
NOW THE COMMAND HAS BEEN EXECUTED
Here is the audit log produced when the script is executed from bash:
BEFORE THE COMMAND
type=SERVICE_START msg=audit(1438863622.854:9013): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' comm="fprintd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_AUTH msg=audit(1438863622.877:9014): pid=16215 uid=1001 auid=0 ses=1116 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="administrator" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
type=USER_ACCT msg=audit(1438863622.879:9015): pid=16215 uid=1001 auid=0 ses=1116 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="administrator" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
type=CRED_ACQ msg=audit(1438863622.879:9016): pid=16215 uid=1001 auid=0 ses=1116 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="administrator" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
type=USER_START msg=audit(1438863622.882:9017): pid=16215 uid=1001 auid=0 ses=1116 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="administrator" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
type=USER_END msg=audit(1438863622.888:9018): pid=16215 uid=1001 auid=0 ses=1116 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="administrator" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
type=CRED_DISP msg=audit(1438863622.888:9019): pid=16215 uid=1001 auid=0 ses=1116 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="administrator" exe="/usr/bin/su" hostname=? addr=? terminal=pts/1 res=success'
NOW THE COMMAND HAS BEEN EXECUTED
Answer 1
If you are getting SELinux AVCs, you can use the audit2allow tool to set up a local policy that allows the specific action:
# audit2allow -M local -a
This creates a policy (local.pp) that allows whatever caused the SELinux denials in the audit log. You can then activate the module by running:
# semodule -i local.pp
You can see the source in the file local.te.
The AVC in your question would result in:
module local 1.0;
require {
type fprintd_t;
type initrc_t;
class dbus send_msg;
}
#============= fprintd_t ==============
allow fprintd_t initrc_t:dbus send_msg;
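As an added example (not code from the question, the answer, or audit2allow itself), the following Python shows what audit2allow does with the USER_AVC record from the question: it parses the denial fields (permission, scontext, tcontext, tclass) and emits the equivalent local.te module. The audit text is a constructed sample copied from the question's log, trimmed to the fields the parser needs.

```python
import re

# Constructed sample: the USER_AVC denial from the question plus one
# unrelated PAM record, to show that non-AVC lines are ignored.
SAMPLE_AUDIT = """\
type=USER_AVC msg=audit(1438862733.336:8933): pid=883 uid=81 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.2520 spid=16027 tpid=16026 scontext=system_u:system_r:fprintd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AUTH msg=audit(1438862758.408:8934): pid=16026 uid=1001 msg='op=PAM:authentication acct="administrator" exe="/usr/bin/su" res=success'
"""

# Matches the denied permission set and the three context fields of an AVC.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)"
)

def domain_type(context):
    # SELinux context is user:role:type[:level]; the policy rule needs the type.
    return context.split(":")[2]

def parse_denials(text):
    """Return one dict per AVC denial found in the audit text."""
    rules = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        rules.append({
            "source": domain_type(m.group("scontext")),
            "target": domain_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
        })
    return rules

def perm_list(perms):
    # Single permission is written bare; several are braced, as audit2allow does.
    return perms and (next(iter(perms)) if len(perms) == 1 else "{ %s }" % " ".join(sorted(perms)))

def to_te_module(rules, name="local", version="1.0"):
    """Render the denials as a type-enforcement module source (local.te)."""
    types = sorted({r["source"] for r in rules} | {r["target"] for r in rules})
    classes = {}
    for r in rules:
        classes.setdefault(r["tclass"], set()).update(r["perms"])
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["\ttype %s;" % t for t in types]
    lines += ["\tclass %s %s;" % (c, perm_list(p)) for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for r in rules:
        lines.append("allow %s %s:%s %s;" % (r["source"], r["target"], r["tclass"], perm_list(r["perms"])))
    return "\n".join(lines)
```

Read each generated allow rule before loading it with semodule: audit2allow -a turns every logged denial into a permission, including ones that have nothing to do with the problem being diagnosed.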