Two weeks have already passed since I switched this box over to CentOS 4 on the 13th. It has been running stably with no particular problems, so it's about time to enable SELinux.
First the policy sources have to be installed, so I searched yum's package list.
$ yum list all | grep selinux
libselinux.i386 1.19.1-7.3 installed
libselinux-devel.i386 1.19.1-7.3 installed
selinux-policy-targeted.noarch 1.17.30-2.145 installed
selinux-doc.noarch 1.14.1-1 base
selinux-policy-targeted-sources.noarch 1.17.30-2.145 base
Hmm.
Package names in the rpm world tend to differ slightly between distributions and versions, which often leads to wasted effort, but on CentOS 4 the one we want is apparently selinux-policy-targeted-sources. So, install it as root.
# yum install selinux-policy-targeted-sources
Loading "fastestmirror" plugin
Setting up Install Process
Setting up repositories
Loading mirror speeds from cached hostfile
Reading repository metadata in from local files
Excluding Packages in global exclude list
Finished
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for selinux-policy-targeted-sources to pack into transaction set.
selinux-policy-targeted-s 100% |=========================| 59 kB 00:00
---> Package selinux-policy-targeted-sources.noarch 0:1.17.30-2.145 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
selinux-policy-targeted-sources noarch 1.17.30-2.145 base 169 k
Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 169 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): selinux-policy-tar 100% |=========================| 169 kB 00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: selinux-policy-targeted-sour ######################### [1/1]
Installed: selinux-policy-targeted-sources.noarch 0:1.17.30-2.145
Complete!
Then extract the rules that need adding with audit2allow into /etc/selinux/targeted/src/policy/domains/addRules.te and rebuild the policy. This should have been enough:
# cd /etc/selinux/targeted/src/policy
# audit2allow -d -l -o ./domains/addRules.te
# make reload
Instead, the following error came up. Yikes, of all things, a syntax error!?
domains/addRules.te:4:ERROR 'syntax error' at token 'create' on line 3519:
allow httpd_suexec_t user_home_t:dir { add_name getattr remove_name search write };
allow httpd_suexec_t user_home_t:file append create execute execute_no_trans getattr ioctl read rename unlink write;
/usr/bin/checkpolicy: error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
Looking closely at /etc/selinux/targeted/src/policy/domains/addRules.te, the line
allow httpd_suexec_t user_home_t:file append create execute execute_no_trans getattr ioctl read rename unlink write;
looked slightly off, so I rewrote it as
allow httpd_suexec_t user_home_t:file { append create execute execute_no_trans getattr ioctl read rename unlink write };
and it went through. Ugh (>_<), is this a bug in audit2allow?
In the policy language a single permission may stand on its own, but a list of two or more permissions has to be enclosed in braces, which is why checkpolicy stopped at the second token, create.
Final contents of /etc/selinux/targeted/src/policy/domains/addRules.te:
allow httpd_suexec_t home_root_t:lnk_file read;
allow httpd_suexec_t user_home_t:dir { add_name getattr remove_name search write };
allow httpd_suexec_t user_home_t:file { append create execute execute_no_trans getattr ioctl read rename unlink write };
allow httpd_sys_script_t devlog_t:sock_file write;
allow httpd_sys_script_t httpd_sys_script_exec_t:dir { add_name read remove_name write };
allow httpd_sys_script_t httpd_sys_script_exec_t:dir { add_name write };
allow httpd_sys_script_t httpd_sys_script_exec_t:file { create unlink write };
allow httpd_sys_script_t httpd_sys_script_exec_t:file { create write };
allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
allow httpd_sys_script_t self:unix_dgram_socket { connect create ioctl write };
allow httpd_sys_script_t syslogd_t:unix_dgram_socket sendto;
allow httpd_t home_root_t:file { getattr read };
allow httpd_t home_root_t:lnk_file { getattr read };
allow httpd_t httpd_sys_script_exec_t:lnk_file read;
allow httpd_t user_home_dir_t:dir read;
allow httpd_t user_home_t:dir { add_name getattr read remove_name search write };
allow httpd_t user_home_t:file { append create getattr lock read setattr unlink write };
Worth keeping in mind: rules generated from denials simply allow whatever was denied, and some of these are broad. For example, the create/unlink/write rules on httpd_sys_script_exec_t let CGI scripts rewrite their own executables, and the user_home_t rules let httpd and suexec create and (for suexec) execute files under home directories, so each rule deserves a look before it is kept.
After checking the file, I finished by switching to Enforcing mode with:
# setenforce Enforcing
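As an added example (not code from the original post and not audit2allow itself), here is a minimal audit2allow-style converter in POSIX sh + awk. It reads AVC denial lines of the kind a 2.6 kernel writes to dmesg, merges permissions per (source type, target type, object class), and always wraps a multi-permission list in braces, which is exactly the form checkpolicy expected for the rule that had to be fixed by hand above. The AVC lines embedded in it are constructed samples; the pids, inode numbers and file names are made up, and only the types match the rules on this page.

```shell
#!/bin/sh
# Added example: a tiny audit2allow-style converter (sh + awk).
# Input:  AVC denial lines (dmesg format of a 2.6 kernel with SELinux).
# Output: allow rules, one per (source type, target type, class),
#         with braces whenever more than one permission is listed.

# Constructed sample denials (not real log data). The last line is noise
# that the converter must ignore.
SAMPLE_AVC='audit(1112000000.000:11): avc:  denied  { search } for  pid=2001 exe=/usr/sbin/httpd name=user dev=hda2 ino=1001 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
audit(1112000000.001:12): avc:  denied  { getattr } for  pid=2001 exe=/usr/sbin/httpd name=user dev=hda2 ino=1001 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
audit(1112000000.002:13): avc:  denied  { read } for  pid=2001 exe=/usr/sbin/httpd name=index.html dev=hda2 ino=1002 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1112000000.003:14): avc:  denied  { read write } for  pid=2002 exe=/usr/sbin/suexec name=counter.dat dev=hda2 ino=1003 scontext=root:system_r:httpd_suexec_t tcontext=user_u:object_r:user_home_t tclass=file
audit(1112000000.004:15): avc:  denied  { search } for  pid=2001 exe=/usr/sbin/httpd name=user dev=hda2 ino=1001 scontext=root:system_r:httpd_t tcontext=user_u:object_r:user_home_t tclass=dir
some unrelated kernel line that must be ignored'

# avc2allow: read AVC lines on stdin, print allow rules on stdout.
avc2allow() {
    awk '
    /avc: *denied/ {
        # The denied permissions sit between the first "{" and "}".
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e <= s) next
        perms = substr($0, s + 1, e - s - 1)
        src = ""; tgt = ""; cls = ""
        for (i = 1; i <= NF; i++) {
            # The type is always the third field of a user:role:type[:range] context.
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src == "" || tgt == "" || cls == "") next
        key = src " " tgt ":" cls
        # Remember first-seen order of keys so output is deterministic.
        if (!(key in order)) { order[key] = ++nkeys; keys[nkeys] = key }
        # split on " " uses whitespace splitting, so stray blanks are dropped.
        np = split(perms, p, " ")
        for (j = 1; j <= np; j++) {
            if (!((key, p[j]) in seen)) {
                seen[key, p[j]] = 1
                plist[key] = (plist[key] == "" ? p[j] : plist[key] " " p[j])
                cnt[key]++
            }
        }
    }
    END {
        for (k = 1; k <= nkeys; k++) {
            key = keys[k]
            if (cnt[key] == 1) printf "allow %s %s;\n", key, plist[key]
            else               printf "allow %s { %s };\n", key, plist[key]
        }
    }'
}

# demo_rules: run the converter over the constructed sample.
demo_rules() {
    printf '%s\n' "$SAMPLE_AVC" | avc2allow
}

demo_rules
```

Piping real dmesg output through avc2allow gives the same shape of file that the post fed to make reload, and the duplicate search denial in the sample shows why merging per key matters: without it you get the same overlapping rules that appear twice in the final addRules.te above. As with audit2allow, the result only tells you what was denied, not whether it should be allowed; review every rule before loading it.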
[References]
* ごった煮 http://park1.wakwak.com/~ima/
┣ CentOS 4.0 installation notes (memo)
┣ SELinux - installing the policy sources
┗ SELinux - building policy from error messages