In snmpd.conf I have
exec drbd_cstate /sbin/drbdadm cstate all
exec drbd_role /sbin/drbdadm role all
exec drbd_state /sbin/drbdadm dstate all
With SELinux set to permissive, when I run the SNMP walk command (/usr/bin/snmpwalk -v 2c -c PUBLIC 192.168.1.10 'NET-SNMP-EXTEND-MIB::nsExtendOutLine."drbd_cstate"'.1) I get the following in the log:
type=AVC msg=audit(1619795855.717:214829): avc: denied { read } for pid=30859 comm="drbdadm" name="node_id" dev="dm-0" ino=2360185 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619795855.717:214829): avc: denied { open } for pid=30859 comm="drbdadm" path="/var/lib/drbd/node_id" dev="dm-0" ino=2360185 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1619795855.717:214829): arch=c000003e syscall=2 success=yes exit=4 a0=42eee0 a1=0 a2=1 a3=7fff53710560 items=0 ppid=27329 pid=30859 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdadm" exe="/usr/sbin/drbdadm" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.717:214829): proctitle=2F7362696E2F6472626461646D0063737461746500616C6C
type=AVC msg=audit(1619795855.719:214830): avc: denied { create } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.719:214830): arch=c000003e syscall=41 success=yes exit=4 a0=10 a1=2 a2=10 a3=7ffe12bd3460 items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.719:214830): proctitle=2F7362696E2F647262647365747570006373746174650072300031
type=AVC msg=audit(1619795855.720:214831): avc: denied { setopt } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.720:214831): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=1 a2=7 a3=7ffe12bd3a3c items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.720:214831): proctitle=2F7362696E2F647262647365747570006373746174650072300031
type=AVC msg=audit(1619795855.720:214832): avc: denied { bind } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.720:214832): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=21dd030 a2=c a3=7ffe12bd3460 items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.720:214832): proctitle=2F7362696E2F647262647365747570006373746174650072300031
type=AVC msg=audit(1619795855.720:214833): avc: denied { getattr } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.720:214833): arch=c000003e syscall=51 success=yes exit=0 a0=4 a1=21dd030 a2=7ffe12bd3a38 a3=7ffe12bd3460 items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.720:214833): proctitle=2F7362696E2F647262647365747570006373746174650072300031
The error I get when running snmpwalk is
NET-SNMP-EXTEND-MIB::nsExtendOutLine."drbd_cstate".1 = STRING: Creation of /var/lib/drbd/node_id failed: Permission denied
I have used audit2allow to help create an SELinux policy so that it would let me run this command. The policy it gave me is
module drbd_cstate 1.0;
require {
type drbd_var_lib_t;
type snmpd_t;
class netlink_socket { bind create getattr setopt };
class file { open read };
}
#============= snmpd_t ==============
allow snmpd_t drbd_var_lib_t:file { open read };
allow snmpd_t self:netlink_socket { bind create getattr setopt };
Once I add the newly created module and run snmpwalk, I get back
NET-SNMP-EXTEND-MIB::nsExtendOutLine."drbd_cstate".1 = STRING: <1>failed to send netlink message
Running tail -f /var/log/audit/audit.log returns nothing. If I run tcpdump while executing snmpwalk, I see Could not connect to 'drbd' generic netlink family go over the wire as a packet, followed by <1>failed to send netlink message. If I do setenforce=permissive everything magically works again. What am I doing wrong?
Answer 1
I solved this with the following module:
module drbd_cstate 1.0;
require {
type drbd_var_lib_t;
type snmpd_t;
class netlink_socket { create setopt bind getattr write read };
class file { open read write };
}
#============= snmpd_t ==============
allow snmpd_t drbd_var_lib_t:file { open read write };
allow snmpd_t self:netlink_socket { bind create getattr setopt write open };
Thanks to 磁力链 for the semanage dontaudit off trick.
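As an added example (not code from the question or the answer), this small Python parser does what audit2allow did with the AVC records above: it groups each denial by source type, target type and object class and renders the allow rules as a policy module. It only sees what the kernel actually audits, so the netlink write denial that produced "failed to send netlink message" will be missing until dontaudit rules are disabled as the answer describes; the sample records are abridged copies of the question's log lines, constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: abridged copies of the AVC/SYSCALL records from the question.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1619795855.717:214829): avc: denied { read } for pid=30859 comm="drbdadm" name="node_id" scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619795855.717:214829): avc: denied { open } for pid=30859 comm="drbdadm" path="/var/lib/drbd/node_id" scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1619795855.717:214829): arch=c000003e syscall=2 success=yes exit=4 comm="drbdadm" exe="/usr/sbin/drbdadm"
type=AVC msg=audit(1619795855.719:214830): avc: denied { create } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=AVC msg=audit(1619795855.720:214831): avc: denied { setopt } for pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
"""

# Pull the permission set, the source/target *types* (third field of each context) and the class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=\w+:\w+:(?P<stype>\w+):\S+ tcontext=\w+:\w+:(?P<ttype>\w+):\S+ tclass=(?P<tclass>\w+)'
)

def parse_avc(text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL / PROCTITLE records carry no permission to allow
        stype, ttype, tclass = m.group("stype"), m.group("ttype"), m.group("tclass")
        target = "self" if ttype == stype else ttype  # same-domain targets become "self"
        rules[(stype, target, tclass)].update(m.group("perms").split())
    return dict(rules)

def to_te(rules, name="drbd_cstate", version="1.0"):
    """Render the collected denials as a .te module in the layout audit2allow emits."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules if t != "self"})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (s, t, cls), perms in sorted(rules.items()):
        out.append(f"allow {s} {t}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_te(parse_avc(SAMPLE_AUDIT)))
```

Feed it the output of ausearch -m AVC -ts recent to reproduce the first module from the question; rerun after disabling dontaudit to get the extra netlink_socket permissions the answer needed.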