SELinux is preventing in:imjournal from unlink access on the file imjournal.state

I am running into a problem on Fedora 36 with the rsyslog, SELinux and /var/log/messages components.

As you can see:

AVC avc:  denied  { unlink } for  pid=XXX comm="in:imjournal" name="imjournal.state" dev="XXX" ino=654207 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:syslogd_var_lib_t:s15:c0.c1023".

SELinux denies the access and generates log messages in /var/log/messages:

Nov 12 10:29:57 fedora setroubleshoot[262936]: 
Nov 12 10:30:13 fedora setroubleshoot[262957]: 
Nov 12 10:30:26 fedora setroubleshoot[262957]: 
Nov 12 10:30:38 fedora setroubleshoot[262957]: 
Nov 12 10:30:54 fedora setroubleshoot[263003]: 
Nov 12 10:30:59 fedora setroubleshoot[263003]: 
Nov 12 10:31:15 fedora setroubleshoot[263029]: 
Nov 12 10:31:28 fedora setroubleshoot[263029]: 

And so on... so the file /var/log/messages keeps growing... which will fill the disk very quickly... and it also produces a large number of alerts.

Other information:

 10:40:48 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]
 10:41:01 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]
 10:41:16 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]
 10:41:22 fedora rsyslogd[704]: imjournal: rename() failed for new path: '/var/lib/rsyslog/imjournal.state': Permission denied [v8.2204.0-2.fc36 try https://www.rsyslog.com/e/0 ]

ls -Zl /var/lib/rsyslog/imjournal.state

-rw-------. 1 root root system_u:object_r:unlabeled_t:s0 121 10-08 12:42 /var/lib/rsyslog/imjournal.state

sealert:

Additional Information:
Source Context             system_u:system_r:syslogd_t:s0
Target Context             system_u:object_r:unlabeled_t:s0
Target Objects              imjournal.state [ file ]
Source                        in:imjournal
Source Path              in:imjournal
Port                          <Unknown>
Host                      fedora
Source RPM Packages          
Target RPM Packages          
Policy RPM selinux-policy-targeted-36.16-1.fc36.noarch
Local policy RPM   selinux-policy-targeted-36.16-1.fc36.noarch
Selinux Enabled         True
Policy Type                  targeted
Enforcing Mode               Enforcing
Host Name               fedora
Platform                     Linux fedora 5.15.70-xm1.0.fc36.x86_64 #1 SMP Sun
                              Sep 25 00:28:06 UTC 2022 x86_64 x86_64
Alert Count                44744
First Seen               2022-10-27 18:07:47 CEST
Last Seen                2022-11-12 10:44:37 CET
Local ID         67b7c558-292c-44d6-866b-a236712de092

Raw Audit Messages
type=AVC msg=audit(1668246277.176:46386): avc:  denied  { unlink } for  pid=xxx comm="in:imjournal" name="imjournal.state" dev="xxx" ino=654207 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:syslogd_var_lib_t:s15:c0.c1023"


Hash: in:imjournal,syslogd_t,unlabeled_t,file,unlink

Any help?

Answer 1

The target context system_u:object_r:unlabeled_t:s0 is probably the cause. There is likely a rule that allows scontext=system_u:system_r:syslogd_t:s0 to operate on files of type syslogd_var_lib_t, and I think that should be the SELinux context of the /var/lib/rsyslog/imjournal.state file. On my system there is an fcontext rule that sets it:

/var/lib/r?syslog(/.*)?  all files  system_u:object_r:syslogd_var_lib_t:s0

The fix may be as simple as restorecon -v /var/lib/rsyslog/imjournal.state, followed by ls -lZ /var/lib/rsyslog/imjournal.state to confirm.

I don't have a Fedora system at hand to confirm this, so you can check the theory by looking at the operations allowed between the syslogd_t source context (shown in the audit record) and the syslogd_var_lib_t target context:

sesearch --allow -s syslogd_t -t syslogd_var_lib_t

and by looking for the fcontext rule:

semanage fcontext -l | grep 'syslog.*syslogd_var_lib_t'

If I'm right, you will see:

Found 8 semantic av rules:
...
   allow syslogd_t syslogd_var_lib_t : file { ioctl read write create getattr setattr lock append map unlink link rename open } ;
...

...in the sesearch output, and:

...
/var/lib/r?syslog(/.*)?                            all files          system_u:object_r:syslogd_var_lib_t:s0
...

...in the semanage output.

If you don't have the sesearch command by default, it should be available in the "setools" or "setools-console" package.
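A small triage helper for the check the answer describes, added here as an example (it is not part of the answer): it parses an AVC record, takes the effective type of the target and compares it with the type that a file-context rule assigns to the path, then points at the restorecon command. The AVC record is constructed from the one in the question, and the rule table is constructed from the rule quoted in the answer plus the generic /var/lib rule, with "first match wins" as a simplification of real file-context matching.

```shell
#!/bin/sh
# Added example: triage an AVC "denied" record against a small fcontext rule table.
# Sample record constructed from the question's audit message (pid/dev masked).
AVC='type=AVC msg=audit(1668246277.176:46386): avc:  denied  { unlink } for  pid=xxx comm="in:imjournal" name="imjournal.state" dev="xxx" ino=654207 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0 trawcon="system_u:object_r:syslogd_var_lib_t:s15:c0.c1023"'
# Constructed rule table "<regex> <type>", most specific first (real matching prefers
# the most specific rule; here the first matching line wins).
FCONTEXT_RULES='/var/lib/r?syslog(/.*)? syslogd_var_lib_t
/var/lib(/.*)? var_lib_t'
# avc_field RECORD KEY -> value of KEY=... with surrounding quotes stripped
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}
# avc_denied_perms RECORD -> the permission(s) listed inside { ... }
avc_denied_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*[^} ]\) *}.*/\1/p'
}
# avc_type RECORD KEY -> the type field of a context value (user:role:TYPE:level)
avc_type() {
    avc_field "$1" "$2" | cut -d: -f3
}
# expected_type PATH -> type of the first rule whose regex matches the whole path
expected_type() {
    while read -r re type; do
        if printf '%s\n' "$1" | grep -Eq "^${re}\$"; then
            printf '%s\n' "$type"; return 0
        fi
    done <<EOF
$FCONTEXT_RULES
EOF
}
# check_label RECORD PATH -> "OK <type>", "MISMATCH <actual> <expected>" or "NO-RULE <actual>"
check_label() {
    actual=$(avc_type "$1" tcontext)
    expected=$(expected_type "$2")
    if [ -z "$expected" ]; then
        printf 'NO-RULE %s\n' "$actual"
    elif [ "$actual" = "$expected" ]; then
        printf 'OK %s\n' "$actual"
    else
        printf 'MISMATCH %s %s\n' "$actual" "$expected"
    fi
}
# Report the denial for the path from the question and suggest the relabel when the label is wrong.
path=/var/lib/rsyslog/imjournal.state
result=$(check_label "$AVC" "$path")
case $result in
    MISMATCH*) printf '%s denied %s: %s -> fix: restorecon -v %s\n' "$(avc_type "$AVC" scontext)" "$(avc_denied_perms "$AVC")" "$result" "$path" ;;
    *)         printf '%s\n' "$result" ;;
esac
```

On a live system the same comparison is what restorecon -n -v PATH performs against the installed policy; the script only makes the reasoning in the answer explicit for a captured record.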
