Created
March 15, 2014 00:52
-
-
Save Supermathie/9560149 to your computer and use it in GitHub Desktop.
selinux notes
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Since the most likely thing I expect to trip up on tomorrow will be selinux, here are some quick notes on it for everyone else as well: | |
| # check selinux audit log | |
| $ sudo seaudit-report /var/log/audit/audit.log | |
| ... | |
| Jan 14 14:46:23 (null) (null): audit(1389728783.896:402159): avc: denied { read } for pid=10210 comm=zabbix_server name=SNMPv2-MIB ino=5246 dev=dm-5 scontext=unconfined_u:system_r:zabbix_t:s0 tcontext=unconfined_u:object_r:var_lib_t:s0 tclass=file | |
| ... | |
| # hmmm zabbix server can't read the SNMP MIBs. What can he read? | |
| $ sesearch --allow -R -s zabbix_t | |
| Found 394 semantic av rules: | |
| allow zabbix_t cert_type : file { ioctl read getattr lock open } ; | |
| allow zabbix_t cert_type : dir { ioctl read getattr lock search open } ; | |
| ... | |
| # maybe he can read a type relating to snmp | |
| $ sesearch --allow -R -s zabbix_t -t snmp | |
| Found 26 semantic av rules: | |
| allow zabbix_t snmpd_var_lib_t : file { ioctl read getattr lock open } ; | |
| allow zabbix_t snmpd_var_lib_t : dir { ioctl read getattr lock search open } ; | |
| allow zabbix_t snmpd_var_lib_t : lnk_file { read getattr } ; | |
| # what files have this context type? | |
| $ sudo semanage fcontext -l | grep snmpd_var_lib_t | |
| /usr/share/snmp/mibs/\.index regular file system_u:object_r:snmpd_var_lib_t:s0 | |
| /var/agentx(/.*)? all files system_u:object_r:snmpd_var_lib_t:s0 | |
| ... | |
| # that looks sensible! Let's give that to the custom mibs I've placed | |
| into /var/lib/mibs for zabbix: | |
| $ sudo restorecon -R /var/lib/mibs | |
| $ ls -alZ /var/lib/mibs/ | |
| drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 . | |
| drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 .. | |
| drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 iana | |
| drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ietf | |
| $ sudo semanage fcontext -a -t snmpd_var_lib_t "/var/lib/mibs(.*)?" | |
| $ ls -alZ /var/lib/mibs/ | |
| drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 . | |
| drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 .. | |
| drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 iana | |
| drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 ietf | |
| $ sudo restorecon -R /var/lib/mibs | |
| $ ls -alZ /var/lib/mibs/ | |
| drwxr-xr-x. root root system_u:object_r:snmpd_var_lib_t:s0 . | |
| drwxr-xr-x. root root system_u:object_r:var_lib_t:s0 .. | |
| drwxr-xr-x. root root system_u:object_r:snmpd_var_lib_t:s0 iana | |
| drwxr-xr-x. root root system_u:object_r:snmpd_var_lib_t:s0 ietf | |
| # booleans | |
| $ sudo semanage boolean -l | |
| SELinux boolean State Default Description | |
| ftp_home_dir (off , off) Allow ftp to read and write files in the user home directories | |
| ... | |
| # nonstandard ports | |
| $ sudo semanage port -a -p tcp -t http_port_t 8082 | |
| # policy files | |
| http://www.crypt.gen.nz/papers/selinux_introduction.html |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment