Selinux problems - how to solve access issues or disable/change mode
Creating Custom SELinux Policy Modules with audit2allow
There are occasions when none of the above methods deal with a given situation and we need to extend the SELinux policy by creating a custom policy module to allow for a certain set of conditions. For example, consider the postgrey service add-on for an smtp mail server. Our smtp server needs to communicate with postgrey over a Unix socket, and that is something the default SELinux policy for our smtp server does not allow. Consequently the service is blocked by SELinux. This is an issue that cannot be fixed by changing or restoring file type security contexts, and it isn't something that has a boolean value we can toggle to allow. We could disable SELinux protection of the smtp server through a boolean, which would be better than disabling SELinux completely, but that is still far from ideal.
If we switch SELinux into Permissive mode and run our mail server for a set period of time, we can log SELinux issues whilst still permitting access. Checking our logs, we see the following SELinux AVC messages:
type=AVC msg=audit(1218128130.653:334): avc: denied { connectto } for pid=9111 comm="smtpd" path="/var/spool/postfix/postgrey/socket"
scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1218128130.653:334): avc: denied { write } for pid=9111 comm="smtpd" name="socket" dev=sda6 ino=39977017
scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
Then we can use 'audit2allow' to generate a set of policy rules that would allow the required actions. We can generate a local postgrey Type Enforcement policy file (postgreylocal.te):
# grep smtpd_t /var/log/audit/audit.log | audit2allow -m postgreylocal > postgreylocal.te
# cat postgreylocal.te
module postgreylocal 1.0;
require {
type postfix_smtpd_t;
type postfix_spool_t;
type initrc_t;
class sock_file write;
class unix_stream_socket connectto;
}
#============= postfix_smtpd_t ==============
allow postfix_smtpd_t initrc_t:unix_stream_socket connectto;
allow postfix_smtpd_t postfix_spool_t:sock_file write;
Above we see that we can grep the audit.log file for issues relating to our smtp server and pipe those issues to audit2allow, which generates a set of rules that it thinks would permit the actions currently denied by the SELinux policy. Reviewing these rules, we see our smtp server wants to connect and write to a Unix socket, which we see from our logs is the Unix socket that the postgrey service is listening on. As this seems perfectly reasonable, we can go ahead and use audit2allow to make a custom policy module to allow these actions:
# grep smtpd_t /var/log/audit/audit.log | audit2allow -M postgreylocal
We then load our postgrey policy module into the current SELinux policy using the 'semodule' command:
# semodule -i postgreylocal.pp
which will add our postgrey policy module to /etc/selinux/targeted/modules/active/modules/postgreylocal.pp. We can check that the policy module loaded correctly by listing loaded modules with 'semodule -l'.
We can then continue to monitor our SELinux log files to check that our custom policy module works, and once we are satisfied we can re-enable SELinux Enforcing mode and again benefit from SELinux protection of our now fully functional smtp server.
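As an added illustration (not code from the CentOS wiki page or from the audit2allow tool), the following Python script shows what 'audit2allow -m' does with the two denials above: it parses the AVC records, collects the types, classes and permissions the rules need, and renders the same postgreylocal.te. The sample log, the source-domain filter and the needs_review helper with its list of broad target types are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials quoted above, each on one line as
# audit.log stores them, plus an unrelated SYSCALL record that must be ignored.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1218128130.653:334): avc: denied { connectto } for pid=9111 comm="smtpd" path="/var/spool/postfix/postgrey/socket" scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1218128130.653:334): avc: denied { write } for pid=9111 comm="smtpd" name="socket" dev=sda6 ino=39977017 scontext=system_u:system_r:postfix_smtpd_t:s0 tcontext=system_u:object_r:postfix_spool_t:s0 tclass=sock_file
type=SYSCALL msg=audit(1218128130.653:334): arch=c000003e syscall=42 success=yes exit=0 comm="smtpd"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<sctx>\S+)\s+tcontext=(?P<tctx>\S+)\s+tclass=(?P<tclass>\w+)'
)

def parse_avc_denials(log_text, source_domain=None):
    """Extract (source_type, target_type, class, permission) tuples from AVC
    denial records. source_domain mimics the `grep smtpd_t` filter above."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. the SYSCALL record)
        sdom = m.group("sctx").split(":")[2]  # contexts are user:role:type[:level]
        ttype = m.group("tctx").split(":")[2]
        if source_domain and sdom != source_domain:
            continue
        for perm in m.group("perms").split():  # "{ read write }" lists several
            denials.append((sdom, ttype, m.group("tclass"), perm))
    return denials

def generate_te(module_name, denials, version="1.0"):
    """Render a Type Enforcement module in the layout audit2allow -m produces."""
    classes, rules = defaultdict(set), defaultdict(set)
    for sdom, ttype, tclass, perm in denials:
        classes[tclass].add(perm)
        rules[(sdom, ttype, tclass)].add(perm)
    types = sorted({d[0] for d in denials} | {d[1] for d in denials})
    fmt = lambda p: " ".join(sorted(p)) if len(p) == 1 else "{ " + " ".join(sorted(p)) + " }"
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {fmt(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    out += [f"allow {s} {t}:{c} {fmt(p)};" for (s, t, c), p in sorted(rules.items())]
    return "\n".join(out) + "\n"

def needs_review(denials, broad_types=("initrc_t", "unconfined_t")):
    """Flag rules whose target is a broad domain. The connectto rule above
    targets initrc_t, so it permits smtpd to reach any socket labelled
    initrc_t, not only postgrey's; such rules deserve a careful look."""
    return [d for d in denials if d[1] in broad_types]
```

Running generate_te("postgreylocal", parse_avc_denials(SAMPLE_AUDIT_LOG, "postfix_smtpd_t")) reproduces the two allow rules shown in postgreylocal.te above.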
To temporarily disable SELinux or change its mode:
Get the current SELinux mode:
# getenforce
Output: Enforcing
or
# sestatus
Output:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Set SELinux to permissive mode:
# setenforce 0
# getenforce
Output:
Permissive
or
# sestatus
Output:
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
Note that setenforce changes only the running mode (Current mode); the mode applied at boot is read from the SELINUX= line in /etc/selinux/config (Mode from config file), so the system returns to enforcing on the next reboot unless that file is changed.
found at: http://wiki.centos.org/HowTos/SELinux/