SElinux和Traceroute
SElinux和Traceroute
提问于 2019-03-05 18:42:49
我需要在浏览器中运行Traceroute,但是会收到一些SElinux警报。
我尝试用audit2allow (例如ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute和semodule -i my-traceroute.pp )创建一个策略来删除警报,但是traceroute仍然不能工作,并返回消息:
traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"],…] 0: ["traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets↵"] 1: ["send: Permission denied↵"。添加这些策略后,没有AVC警报。只是从服务器发送回来的send: Permission denied↵消息。
我甚至试图制定我自己的政策
module traceroute 1.0;
require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}
#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };和
checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp但这似乎什么也做不了。
如果我将SElinux设置为permissive,则traceroute将无问题地运行。
注意:我已经设置了允许traceroute作为非root用户运行的功能,例如在/usr/bin/traceroute上设置cap_net_raw+ep。
有什么主意吗?
警报:
SELinux is preventing /usr/bin/traceroute from create access on the rawip_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed create access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 2
First Seen 2019-03-05 15:45:17 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID a747c347-fced-47ae-a1e8-97753dfde465
Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108250): avc: denied { create } for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.735:1108250): avc: denied { net_raw } for pid=24122 comm="traceroute" capability=13 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=SYSCALL msg=audit(1551801996.735:1108250): arch=x86_64 syscall=socket success=yes exit=ESRCH a0=2 a1=3 a2=6 a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: traceroute,httpd_t,httpd_t,rawip_socket,create
-----------------------
SELinux is preventing /usr/bin/traceroute from bind access on the rawip_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed bind access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 82af42ef-6a01-4a8f-84da-79e2119e65b3
Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108251): avc: denied { bind } for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.735:1108251): avc: denied { node_bind } for pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1551801996.735:1108251): arch=x86_64 syscall=bind success=yes exit=0 a0=3 a1=7ffea5136340 a2=1c a3=7ffea5135da0 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: traceroute,httpd_t,httpd_t,rawip_socket,bind
---------------------
SELinux is preventing /usr/bin/traceroute from setopt access on the rawip_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed setopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 104114b1-9024-412d-a195-57eef1be45e3
Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108252): avc: denied { setopt } for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1551801996.736:1108252): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=3 a1=0 a2=a a3=7ffea5136398 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: traceroute,httpd_t,httpd_t,rawip_socket,setopt
------------------
SELinux is preventing /usr/bin/traceroute from connect access on the rawip_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed connect access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID ad1eedfa-b54a-4dfb-b719-3d402a686d95
Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108253): avc: denied { connect } for pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1551801996.736:1108253): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=60f4d0 a2=1c a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: traceroute,httpd_t,httpd_t,rawip_socket,connect
-----------------
SELinux is preventing /usr/bin/traceroute from getattr access on the rawip_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed getattr access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID cdd75a7d-152b-49fe-a7c8-b9e437655d63
Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108254): avc: denied { getattr } for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1551801996.736:1108254): arch=x86_64 syscall=getsockname success=yes exit=0 a0=3 a1=7ffea5136400 a2=7ffea51363fc a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: traceroute,httpd_t,httpd_t,rawip_socket,getattr
------------------
SELinux is preventing /usr/bin/traceroute from getopt access on the rawip_socket labeled httpd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed getopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects Unknown [ rawip_socket ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 1
First Seen 2019-03-05 16:06:36 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 97c5dfcd-ffe3-48e4-83ef-dfc526487bba
Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108255): avc: denied { getopt } for pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=SYSCALL msg=audit(1551801996.736:1108255): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=3 a1=0 a2=e a3=7ffea51363f8 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: traceroute,httpd_t,httpd_t,rawip_socket,getopt
---------------
SELinux is preventing /usr/bin/traceroute from read access on the file tcp_ecn.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed read access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects tcp_ecn [ file ]
Source traceroute
Source Path /usr/bin/traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 10
First Seen 2019-03-02 16:32:38 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 8f5dab14-4937-4ca5-abc8-23c0c5cb12f3
Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied { read } for pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
Hash: traceroute,httpd_t,sysctl_net_t,file,read
----------------
SELinux is preventing traceroute from open access on the file /proc/sys/net/ipv4/tcp_ecn.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that traceroute should be allowed open access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:sysctl_net_t:s0
Target Objects /proc/sys/net/ipv4/tcp_ecn [ file ]
Source traceroute
Source Path traceroute
Port <Unknown>
Host di-staging
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Permissive
Host Name di-staging
Platform Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count 3
First Seen 2019-03-04 13:32:25 GMT
Last Seen 2019-03-05 16:06:36 GMT
Local ID 7f65540c-60f9-4566-8ab7-52d4f48d6389
Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc: denied { open } for pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
Hash: traceroute,httpd_t,sysctl_net_t,file,open回答 1
Unix & Linux用户
回答已采纳
发布于 2019-03-05 21:11:21
我自己想好了所以我会回答我自己的问题。
答案是做我在OP中已经尝试过的两件事,但同时使用它们。以前,我只尝试使用audit2allow来创建策略,当它不起作用时,禁用这些策略并尝试创建自己的策略。
因此,要使其首先工作,请使用audit2allow从警报中创建策略。
ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
那就跑
semodule -i my-traceroute.pp
然后创建另一个自定义策略,它基本上允许为非根用户打开原始IP套接字,这是执行traceroute命令所必需的。
创建一个名为traceroute.tt的文件,并向其中添加以下内容:
module traceroute 1.0;
require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}
#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };然后运行以下命令(以root用户身份):
checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp已完成:)
页面原文内容由Unix & Linux提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://unix.stackexchange.com/questions/504562
复制相关文章
相似问题
腾讯云开发者
Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有
深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 
粤公网安备44030502008569号
腾讯云计算(北京)有限责任公司 京ICP证150476号 | 京ICP备11018762号