Unable to create an SELinux policy that allows drbdadm to run

In snmpd.conf I have

exec drbd_cstate /sbin/drbdadm cstate all
exec drbd_role /sbin/drbdadm role all
exec drbd_state /sbin/drbdadm dstate all

With SELinux set to permissive, if I run the SNMP walk command (/usr/bin/snmpwalk -v 2c -c PUBLIC 192.168.1.10 'NET-SNMP-EXTEND-MIB::nsExtendOutLine."drbd_cstate"'.1), I get the following in the log:

type=AVC msg=audit(1619795855.717:214829): avc:  denied  { read } for  pid=30859 comm="drbdadm" name="node_id" dev="dm-0" ino=2360185 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619795855.717:214829): avc:  denied  { open } for  pid=30859 comm="drbdadm" path="/var/lib/drbd/node_id" dev="dm-0" ino=2360185 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1619795855.717:214829): arch=c000003e syscall=2 success=yes exit=4 a0=42eee0 a1=0 a2=1 a3=7fff53710560 items=0 ppid=27329 pid=30859 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdadm" exe="/usr/sbin/drbdadm" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.717:214829): proctitle=2F7362696E2F6472626461646D0063737461746500616C6C
type=AVC msg=audit(1619795855.719:214830): avc:  denied  { create } for  pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.719:214830): arch=c000003e syscall=41 success=yes exit=4 a0=10 a1=2 a2=10 a3=7ffe12bd3460 items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.719:214830): proctitle=2F7362696E2F647262647365747570006373746174650072300031
type=AVC msg=audit(1619795855.720:214831): avc:  denied  { setopt } for  pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.720:214831): arch=c000003e syscall=54 success=yes exit=0 a0=4 a1=1 a2=7 a3=7ffe12bd3a3c items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.720:214831): proctitle=2F7362696E2F647262647365747570006373746174650072300031
type=AVC msg=audit(1619795855.720:214832): avc:  denied  { bind } for  pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.720:214832): arch=c000003e syscall=49 success=yes exit=0 a0=4 a1=21dd030 a2=c a3=7ffe12bd3460 items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.720:214832): proctitle=2F7362696E2F647262647365747570006373746174650072300031
type=AVC msg=audit(1619795855.720:214833): avc:  denied  { getattr } for  pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.720:214833): arch=c000003e syscall=51 success=yes exit=0 a0=4 a1=21dd030 a2=7ffe12bd3a38 a3=7ffe12bd3460 items=0 ppid=30859 pid=30860 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="drbdsetup" exe="/usr/sbin/drbdsetup" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1619795855.720:214833): proctitle=2F7362696E2F647262647365747570006373746174650072300031

The error I get when running snmpwalk is NET-SNMP-EXTEND-MIB::nsExtendOutLine."drbd_cstate".1 = STRING: Creation of /var/lib/drbd/node_id failed: Permission denied

I used audit2allow to help create an SELinux policy so that it would let me run this command. The policy it gave me is

module drbd_cstate 1.0;

require {
        type drbd_var_lib_t;
        type snmpd_t;
        class netlink_socket { bind create getattr setopt };
        class file { open read };
}

#============= snmpd_t ==============
allow snmpd_t drbd_var_lib_t:file { open read };
allow snmpd_t self:netlink_socket { bind create getattr setopt };

Once I added the newly created module and ran snmpwalk, I get back

NET-SNMP-EXTEND-MIB::nsExtendOutLine."drbd_cstate".1 = STRING: <1>failed to send netlink message

Running tail -f /var/log/audit/audit.log returns nothing. If I run tcpdump while running snmpwalk, I see Could not connect to 'drbd' generic netlink family go over the wire as a packet, followed by <1>failed to send netlink message. If I run setenforce=permissive, everything magically works again. What am I doing wrong?

Answer 1

I solved this with the following module:

module drbd_cstate 1.0;
require {
        type drbd_var_lib_t;
        type snmpd_t;
        class netlink_socket { create setopt bind getattr write read };
        class file { open read write };
}

#============= snmpd_t ==============
allow snmpd_t drbd_var_lib_t:file { open read write };
# "open" is not a netlink_socket permission (checkmodule rejects it); the
# socket rule grants exactly the permissions declared in the require block.
allow snmpd_t self:netlink_socket { bind create getattr setopt write read };

Thanks to 磁力链 for the semanage dontaudit off trick
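As an added illustration (not code from the question or the answer), here is the mapping audit2allow performs from AVC records like those in the question to the allow rules in both modules: each AVC line yields a (source type, target type, class, permissions) tuple, pairs whose source and target type match collapse to self, and SYSCALL/PROCTITLE records contribute nothing. The sample records and function names are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample input: three AVC records plus one SYSCALL record, in the
# shape of the audit.log lines quoted in the question above.
SAMPLE_AVC = """\
type=AVC msg=audit(1619795855.717:214829): avc:  denied  { read } for  pid=30859 comm="drbdadm" name="node_id" scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619795855.717:214829): avc:  denied  { open } for  pid=30859 comm="drbdadm" path="/var/lib/drbd/node_id" scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:drbd_var_lib_t:s0 tclass=file permissive=1
type=AVC msg=audit(1619795855.719:214830): avc:  denied  { create } for  pid=30860 comm="drbdsetup" scontext=system_u:system_r:snmpd_t:s0 tcontext=system_u:system_r:snmpd_t:s0 tclass=netlink_socket permissive=1
type=SYSCALL msg=audit(1619795855.719:214830): arch=c000003e syscall=41 success=yes exit=4 comm="drbdsetup"
"""

# Only AVC records carry the (source, target, class, permissions) tuple a rule needs.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<sctx>\S+) tcontext=(?P<tctx>\S+) tclass=(?P<tclass>\S+)'
)

def _type_of(ctx):
    # A context is user:role:type:level; rules are written against the type.
    return ctx.split(":")[2]

def parse_avcs(log_text):
    """Return {(source_type, target_type, tclass): set_of_denied_perms}."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and PROCTITLE records are skipped
            key = (_type_of(m["sctx"]), _type_of(m["tctx"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return denials

def to_policy_module(denials, name, version="1.0"):
    """Render a .te module in the layout audit2allow -M produces."""
    types = sorted({t for key in denials for t in key[:2]})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, tclass), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt  # same-type pairs collapse to self
        out.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(out)

if __name__ == "__main__":
    print(to_policy_module(parse_avcs(SAMPLE_AVC), "drbd_cstate"))
```

Denials suppressed by dontaudit rules never reach audit.log, so a module generated this way can only be as complete as what the log shows; that is why the first module in the question lacked the netlink write permission and why the answer's semanage dontaudit off step has to come before re-running audit2allow.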
