YANO's digital garage

Copyright ©YANO All rights reserved. https://www.bravotouring.com/~yano/

Last-modified: 2024-04-17 (Wed)


[Ichigo Ichie / IT]

SELinux on CentOS4 / 2007-06-26 (Tue)

It has been two weeks since I switched to CentOS4 on the 13th. It has been running stably with no particular problems, so it's about time to enable SELinux.

First the policy sources have to be installed, so I searched yum's package list.

$ yum list all | grep selinux
libselinux.i386                          1.19.1-7.3             installed
libselinux-devel.i386                    1.19.1-7.3             installed
selinux-policy-targeted.noarch           1.17.30-2.145          installed
selinux-doc.noarch                       1.14.1-1               base
selinux-policy-targeted-sources.noarch   1.17.30-2.145          base
Hm.

With rpm-based packages the names shift subtly between distributions and versions, which often ends in wasted effort, but on CentOS4 it appears to be selinux-policy-targeted-sources. So, install it as root.

# yum install selinux-policy-targeted-sources
Loading "fastestmirror" plugin
Setting up Install Process
Setting up repositories
Loading mirror speeds from cached hostfile
Reading repository metadata in from local files
Excluding Packages in global exclude list
Finished
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Downloading header for selinux-policy-targeted-sources to pack into transaction set.
selinux-policy-targeted-s 100% |=========================|  59 kB    00:00
---> Package selinux-policy-targeted-sources.noarch 0:1.17.30-2.145 set to be updated
--> Running transaction check

Dependencies Resolved

=============================================================================
Package                 Arch       Version          Repository        Size
=============================================================================
Installing:
selinux-policy-targeted-sources  noarch     1.17.30-2.145    base              169 k

Transaction Summary
=============================================================================
Install      1 Package(s)
Update       0 Package(s)
Remove       0 Package(s)
Total download size: 169 k
Is this ok [y/N]: y
Downloading Packages:
(1/1): selinux-policy-tar 100% |=========================| 169 kB    00:00
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing: selinux-policy-targeted-sour ######################### [1/1]

Installed: selinux-policy-targeted-sources.noarch 0:1.17.30-2.145
Complete!

Then use audit2allow to extract the rules that need adding into /etc/selinux/targeted/src/policy/domains/addRules.te (-d reads the AVC denials from dmesg, -l keeps only those logged since the last policy load, -o names the output file) and rebuild the policy.

# cd /etc/selinux/targeted/src/policy
# audit2allow -d -l -o ./domains/addRules.te
# make reload
That should have been all, but
domains/addRules.te:4:ERROR 'syntax error' at token 'create' on line 3519:
allow httpd_suexec_t user_home_t:dir { add_name getattr remove_name search write };
allow httpd_suexec_t user_home_t:file append create execute execute_no_trans getattr ioctl read rename unlink write;
/usr/bin/checkpolicy:  error(s) encountered while parsing configuration
make: *** [/etc/selinux/targeted/policy/policy.18] Error 1
was the error that came up. Wha? Of all things, a syntax error!?

Looking closely at /etc/selinux/targeted/src/policy/domains/addRules.te,

allow httpd_suexec_t user_home_t:file append create execute execute_no_trans getattr ioctl read rename unlink write;
looked slightly off in how it was written, so I changed it to
allow httpd_suexec_t user_home_t:file { append create execute execute_no_trans getattr ioctl read rename unlink write };
and that was fine. Ugh (>_<), is this a bug in audit2allow? (The policy language requires braces around a list of two or more permissions; this version of audit2allow wrote the list bare for that rule.)
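As an added example (not code from the post, and not part of audit2allow), here is a small shell filter that does mechanically what the hand edit above did: it wraps a bare list of two or more permissions in braces so checkpolicy accepts the rule, and passes single-permission rules, already-braced rules and non-allow lines through untouched. The function name, the constructed sample and the --demo switch are my own additions; the input file name is the one the post uses.

```shell
#!/bin/sh
# Added example: post-process the .te file written by the CentOS 4 audit2allow,
# bracing any multi-permission list it left bare.
# Assumed usage:  fix_te_braces < domains/addRules.te > domains/addRules.te.new

fix_te_braces() {
    awk '
    /^[ \t]*allow[ \t]/ {
        line = $0
        sub(/[ \t]*;[ \t]*$/, "", line)            # drop the terminating ";"
        colon = index(line, ":")
        # malformed (no class separator) or already braced: leave as is
        if (colon == 0 || index(line, "{") > 0) { print $0; next }
        left  = substr(line, 1, colon - 1)         # "allow source_t target_t"
        right = substr(line, colon + 1)            # "class perm perm ..."
        n = split(right, f)                        # default FS: runs of blanks
        if (n <= 2) { print $0; next }             # one permission needs no braces
        perms = f[2]
        for (i = 3; i <= n; i++) perms = perms " " f[i]
        printf "%s:%s { %s };\n", left, f[1], perms
        next
    }
    { print }                                      # comments, blank lines, other statements
    '
}

# Constructed sample in the shape of the post's addRules.te, including the
# line that checkpolicy rejected.
SAMPLE='allow httpd_suexec_t home_root_t:lnk_file read;
allow httpd_suexec_t user_home_t:dir { add_name getattr remove_name search write };
allow httpd_suexec_t user_home_t:file append create execute execute_no_trans getattr ioctl read rename unlink write;'

if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | fix_te_braces
fi
```

Run the filter over the generated file before `make reload`; the rejected line comes out exactly as the hand-corrected version above, and the other two lines are unchanged.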

I checked the final contents of /etc/selinux/targeted/src/policy/domains/addRules.te:

allow httpd_suexec_t home_root_t:lnk_file read;
allow httpd_suexec_t user_home_t:dir { add_name getattr remove_name search write };
allow httpd_suexec_t user_home_t:file { append create execute execute_no_trans getattr ioctl read rename unlink write };
allow httpd_sys_script_t devlog_t:sock_file write;
allow httpd_sys_script_t httpd_sys_script_exec_t:dir { add_name read remove_name write };
allow httpd_sys_script_t httpd_sys_script_exec_t:dir { add_name write };
allow httpd_sys_script_t httpd_sys_script_exec_t:file { create unlink write };
allow httpd_sys_script_t httpd_sys_script_exec_t:file { create write };
allow httpd_sys_script_t httpd_sys_script_exec_t:lnk_file read;
allow httpd_sys_script_t self:unix_dgram_socket { connect create ioctl write };
allow httpd_sys_script_t syslogd_t:unix_dgram_socket sendto;
allow httpd_t home_root_t:file { getattr read };
allow httpd_t home_root_t:lnk_file { getattr read };
allow httpd_t httpd_sys_script_exec_t:lnk_file read;
allow httpd_t user_home_dir_t:dir read;
allow httpd_t user_home_t:dir { add_name getattr read remove_name search write };
allow httpd_t user_home_t:file { append create getattr lock read setattr unlink write };
(the two pairs of rules on httpd_sys_script_exec_t:dir and :file overlap, the shorter being a subset of the longer; checkpolicy merges duplicate allow rules, so they are harmless) and finally switched to Enforcing mode:
# setenforce Enforcing
and that was that. One caveat: audit2allow turns every logged denial into an allow rule without asking whether the access should be permitted. Rules such as letting httpd_sys_script_t create and write files in its own executable directory, or letting httpd_suexec_t execute files under user home directories, hand back a good part of what the targeted policy was meant to take away from a compromised CGI, so each rule is worth reviewing before it is loaded.

[References]
● Gottani (ごった煮) http://park1.wakwak.com/~ima/
Notes on installing CentOS 4.0
SELinux - installing the policy sources
SELinux - creating policy from error messages