我在 Fedora 36 上遇到了 rsyslog、selinux 和 /var/log/messages 组件的问题。
如你看到的:
AVC avc: denied { unlink } for pid=XXX comm="in:imjournal" name="imjournal.state" dev="XXX" ino=654207 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:syslogd_var_lib_t:s15:c0.c1023".
Selinux 拒绝访问,并在 /var/log/messages 中生成日志消息:
Nov 12 10:29:57 fedora setroubleshoot[262936]:
Nov 12 10:30:13 fedora setroubleshoot[262957]:
Nov 12 10:30:26 fedora setroubleshoot[262957]:
Nov 12 10:30:38 fedora setroubleshoot[262957]:
Nov 12 10:30:54 fedora setroubleshoot[263003]:
Nov 12 10:30:59 fedora setroubleshoot[263003]:
Nov 12 10:31:15 fedora setroubleshoot[263029]:
Nov 12 10:31:28 fedora setroubleshoot[263029]:
等等...所以文件 /var/log/messages 越来越大...这将导致硬盘很快被填满...并且还会产生大量警报。
其他信息:
10:40:48 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]
10:41:01 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]
10:41:16 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]
10:41:22 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]
ls -Zl /var/lib/rsyslog/imjournal.state
-rw-------. 1 root root system_u:object_r:unlabeled_t:s0 121 10-08 12:42 /var/lib/rsyslog/imjournal.state
密封剂:
Additional Information:
Source Context system_u:system_r:syslogd_t:s0
Target Context system_u:object_r:unlabeled_t:s0
Target Objects imjournal.state [ file ]
Source in:imjournal
Source Path in:imjournal
Port <Unknown>
Host fedora
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-targeted-36.16-1.fc36.noarch
Local policy RPM selinux-policy-targeted-36.16-1.fc36.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name fedora
Platform Linux fedora 5.15.70-xm1.0.fc36.x86_64 #1 SMP Sun
Sep 25 00:28:06 UTC 2022 x86_64 x86_64
Alert Count 44744
First Seen 2022-10-27 18:07:47 CEST
Last Seen 2022-11-12 10:44:37 CET
Local ID 67b7c558-292c-44d6-866b-a236712de092
Raw Audit Messages
type=AVC msg=audit(1668246277.176:46386): avc: denied { unlink } for pid=xxx comm="in:imjournal" name="imjournal.state" dev="xxx" ino=654207 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:syslogd_var_lib_t:s15:c0.c1023"
Hash: in:imjournal,syslogd_t,unlabeled_t,file,unlink
有什么帮助吗?
答案1
目标上下文system_u:object_r:unlabeled_t:s0可能是原因之一。可能有一条规则允许scontext=system_u:system_r:syslogd_t:s0对 类型的文件执行操作syslogd_var_lib_t,我认为 SELinux 上下文应该是该/var/lib/rsyslog/imjournal.state文件的上下文。在我的系统上,有一个 fcontext 规则可以设置它:
/var/lib/r?syslog(/.*)? all files system_u:object_r:syslogd_var_lib_t:s0
修复可能很简单restorecon -v /var/lib/rsyslog/imjournal.state,然后进行确认检查ls -lZ /var/lib/rsyslog/imjournal.state。
我手头没有 Fedora 系统来确认这一点,因此您可以通过检查 syslogd_t 的源上下文(在审计中显示)和 syslogd_var_lib_t 的目标上下文之间允许的操作来确认该理论:
sesearch --allow -s syslogd_t -t syslogd_var_lib_t
以及寻找 fcontext 规则:
semanage fcontext -l | grep 'syslog.*syslogd_var_lib_t'
如果我是对的,你会看到:
Found 8 semantic av rules:
...
allow syslogd_t syslogd_var_lib_t : file { ioctl read write create getattr setattr lock append map unlink link rename open } ;
...
...在搜索输出中,并且:
...
/var/lib/r?syslog(/.*)? all files system_u:object_r:syslogd_var_lib_t:s0
...
...在 semanage 输出中。
如果您默认没有该sesearch命令,它应该在“setools”或“setools-console”包中可用。