SELinux Basic Usage Manual

Compiled, organized and written by snow chuai, 2020/2/27


1. Basic SELinux operations
1) Check the current SELinux mode
# Mode descriptions:
enforcing: SELinux is on and MAC (mandatory access control) is enforced (default mode)
permissive: MAC is not enforced, but denials are audited and written to the audit log
disabled: SELinux is turned off
[root@srv1 ~]# getenforce
Enforcing
[root@srv1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
2) Temporarily switch the SELinux mode
[root@srv1 ~]# getenforce
Enforcing
[root@srv1 ~]# setenforce 0
[root@srv1 ~]# getenforce
Permissive
[root@srv1 ~]# setenforce 1
[root@srv1 ~]# getenforce
Enforcing
3) Permanently switch the SELinux mode
[root@srv1 ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@srv1 ~]# reboot
4) Notes on switching modes
# When switching from disabled to enforcing/permissive, note:
1. While SELinux was disabled, many files or directories may have been created. Because SELinux was not active at the time, they were never labeled.
2. When switching to enforcing/permissive, the filesystem therefore has to be relabeled:
[root@srv1 ~]# touch /.autorelabel
[root@srv1 ~]# reboot
2. Setting the SELinux policy type
# Notes
1. The policy type can be chosen when SELinux is in enforcing or permissive mode.
2. If needed, choose the policy type that fits your own environment.
3. The policy type is set in /etc/selinux/config. The CentOS 7 default policy is "targeted".
4. Changing the policy type requires the matching policy package to be installed. On CentOS 7 Minimal only the "targeted" policy is installed by default.
5. If you switch to a policy type whose package is not installed, the system will not boot.
1) Check the current policy type
[root@srv1 ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
2) Install a policy package
[root@srv1 ~]# yum search selinux-policy -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
====== N/S matched: selinux-policy ============================
selinux-policy.noarch : SELinux policy configuration
selinux-policy-devel.noarch : SELinux policy devel
selinux-policy-doc.noarch : SELinux policy documentation
selinux-policy-minimum.noarch : SELinux minimum base policy
selinux-policy-mls.noarch : SELinux mls base policy
selinux-policy-sandbox.noarch : SELinux policy sandbox
selinux-policy-targeted.noarch : SELinux targeted base policy

  Name and summary matches only, use "search all" for everything.
[root@srv1 ~]# yum install selinux-policy-minimum -y
3) Check the installation path and files of the minimum policy
[root@srv1 ~]# ls -l /etc/selinux/minimum
total 16
drwx------. 3 root root  257 Feb 27 02:22 active
-rw-r--r--. 1 root root 2623 Dec  3 01:51 booleans.subs_dist
drwxr-xr-x. 4 root root 4096 Feb 27 02:22 contexts
drwxr-xr-x. 2 root root    6 Dec  3 01:51 logins
drwxr-xr-x. 3 root root   20 Feb 27 02:22 modules
drwxr-xr-x. 2 root root   23 Feb 27 02:22 policy
-rw-------. 1 root root    0 Dec  3 01:51 semanage.read.LOCK
-rw-------. 1 root root    0 Dec  3 01:51 semanage.trans.LOCK
-rw-r--r--. 1 root root  607 Dec  3 01:51 setrans.conf
-rw-r--r--. 1 root root  176 Feb 27 02:22 seusers
4) Change the policy type
[root@srv1 ~]# vim /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=minimum
[root@srv1 ~]# touch /.autorelabel
[root@srv1 ~]# reboot
5) Confirm the current policy type
[root@srv1 ~]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             minimum
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Max kernel policy version:      31
6) Description of the 3 policies provided by the RPM packages
1. targeted policy
Mainly controls access by the service processes on the system; it can also confine other processes and users. Service processes are placed in a sandbox, where they are strictly confined so that an attack launched through such a process cannot affect other services or the Linux system. A sandbox is an environment in which a process can run, but whose access to other processes or resources is strictly controlled. In other words, each process in a sandbox runs only inside its own domain (the area a process runs in is called a "domain") and cannot access other processes or resources unless it is granted special permission.
2. minimum policy
The minimum policy means "minimal restriction"; it was originally created for low-memory computers or devices such as smartphones. In essence, minimum is similar to targeted, the difference being that it uses only the base set of policy rule packages. On low-memory devices the minimum policy lets SELinux run without consuming too many resources.
3. MLS policy
MLS is short for Multi-Level Security; this policy controls all processes on the system. It implements the Bell-LaPadula (BLP) model and may apply more complex controls. The MLS policy does not support X Window, so it cannot be used in GUI mode.
3. SELinux context
1) SELinux context explained
# Access control on directories and files is decided by a piece of SELinux metadata called the context.
# Context syntax: [SELinux user]:[role]:[type]:[level]
SELinux user: according to the SELinux policy, every Linux user is mapped to an SELinux user.
Role: an RBAC (role-based access control) attribute. It defines the SELinux user's role, and the SELinux policy controls which defined roles may access which domains.
Type: a TE (type enforcement) attribute. It defines the domain for a process and the type for a file.
Level: an MLS (multi-level security) / MCS (multi-category security) attribute, with the syntax [sensitivity]:[category].

2) Displaying the SELinux context (the -Z option)
# Show the context of a directory/file
[root@srv1 ~]# ls -Z /root
-rw-------. root root system_u:object_r:admin_home_t:s0 anaconda-ks.cfg
                     --------:--------:------------:-----
                       user  :  role  :    type    : level
                     --------:--------:------------:-----
# Show the context of processes
[root@srv1 ~]# ps -axZ
......
......
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1169 ?        Ss     0:00 sshd: root@pts/0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1173 pts/0    Ss+    0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1208 pts/0    S+     0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1212 pts/0    S+     0:00 tmux new-session
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1214 ?        Ds     0:00 tmux new-session
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1215 pts/1    Ss     0:00 -bash
system_u:system_r:kernel_t:s0                         1253 ?        S      0:00 [kworker/1:0]
system_u:system_r:kernel_t:s0                         1254 ?        S      0:00 [kworker/1:2]
system_u:system_r:kernel_t:s0                         1256 ?        R      0:00 [kworker/1:1]
# Show the context of the current user
[root@srv1 ~]# id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
3) View the mapping between SELinux users and Linux users
[root@srv1 ~]# semanage login -l

Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
root                 unconfined_u         s0-s0:c0.c1023       *
system_u             system_u             s0-s0:c0.c1023       *
# Notes
1. root is mapped to unconfined_u
2. system accounts (postfix/httpd) are mapped to system_u
3. ordinary local accounts (__default__) are mapped to unconfined_u
4. the unconfined_u user is assigned the unconfined_r role, and processes started by unconfined_u run in the unconfined_t domain
5. processes in the unconfined_t domain are not confined by SELinux
[root@srv1 ~]# ps axZ | grep unconfined_t
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1169 ?        Ss     0:00 sshd: root@pts/0
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1173 pts/0    Ss+    0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1208 pts/0    S+     0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1212 pts/0    S+     0:00 tmux new-session
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1214 ?        Ss     0:00 tmux new-session
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1215 pts/1    Ss     0:00 -bash
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1377 pts/1    R+     0:00 ps axZ
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 1378 pts/1    S+     0:00 grep --color=auto unconfined_t
4. SELinux boolean values
1) Switch the policy type back to targeted
[root@srv1 ~]# vim /etc/selinux/config
......
......
SELINUXTYPE=targeted
[root@srv1 ~]# reboot
2) View the current boolean settings
[root@srv1 ~]# getsebool -a
......
......
xen_use_nfs --> off
xend_run_blktap --> on
xend_run_qemu --> on
xguest_connect_network --> on
xguest_exec_content --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
xserver_clients_write_xshm --> off
xserver_execmem --> off
xserver_object_manager --> off
zabbix_can_network --> off
zabbix_run_sudo --> off
zarafa_setrlimit --> off
zebra_write_config --> off
zoneminder_anon_write --> off
zoneminder_run_sudo --> off
3) View the descriptions of the SELinux booleans
[root@srv1 ~]# semanage boolean -l
......
......
samba_enable_home_dirs         (off  ,  off)  Allow samba to enable home dirs
mcelog_client                  (off  ,  off)  Allow mcelog to client
tomcat_use_execmem             (off  ,  off)  Allow tomcat to use execmem
nfs_export_all_ro              (on   ,   on)  Allow nfs to export all ro
cron_can_relabel               (off  ,  off)  Allow cron to can relabel
# If the semanage command is not available, install the policycoreutils-python package
4) Allow anonymous FTP accounts to create directories (denied by default once SELinux is on)
[root@srv1 ~]# semanage boolean -l | grep ftpd
ftpd_use_cifs                  (off  ,  off)  Allow ftpd to use cifs
ftpd_connect_db                (off  ,  off)  Allow ftpd to connect db
ftpd_use_fusefs                (off  ,  off)  Allow ftpd to use fusefs
ftpd_full_access               (off  ,  off)  Allow ftpd to full access
ftpd_use_passive_mode          (off  ,  off)  Allow ftpd to use passive mode
ftpd_use_nfs                   (off  ,  off)  Allow ftpd to use nfs
ftpd_connect_all_unreserved    (off  ,  off)  Allow ftpd to connect all unreserved
ftpd_anon_write                (off  ,  off)  Allow ftpd to anon write
[root@srv1 ~]# setsebool -P ftpd_anon_write on
[root@srv1 ~]# setsebool -P ftpd_use_passive_mode on
[root@srv1 ~]# setsebool -P ftpd_full_access on
5) Define the context of httpd's index.html
[root@srv1 ~]# echo "hello 1000cc.net" > ./index.html
[root@srv1 ~]# mv index.html /var/www/html/
Because the file was created under /root, its type is admin_home_t, so clients cannot access it at this point.
(1) Look up httpd_sys_content_t in the SELinux file-context list
[root@srv1 ~]# semanage fcontext -l | grep httpd_sys_content_t
(2) Change the type of index.html to httpd_sys_content_t
[root@srv1 ~]# chcon -t httpd_sys_content_t /var/www/html/index.html
The client can now access the file.
6) Restore a modified SELinux context to the policy default
[root@srv1 ~]# restorecon -R /var/www/html/index.html
5. Changing file types
1) Locate the SELinux file-context definitions (normally under the policy directory; this lab is based on targeted)
[root@srv1 ~]# ls -l /etc/selinux/targeted/contexts/files
total 1832
-rw-r--r--. 1 root root  384423 Feb 27 03:14 file_contexts
-rw-r--r--. 1 root root 1415647 Feb 27 03:14 file_contexts.bin
-rw-r--r--. 1 root root   13338 Feb 27 03:14 file_contexts.homedirs
-rw-r--r--. 1 root root   45344 Feb 27 03:14 file_contexts.homedirs.bin
-rw-r--r--. 1 root root       0 Dec  3 01:48 file_contexts.subs
-rw-r--r--. 1 root root     514 Dec  3 01:48 file_contexts.subs_dist
-rw-r--r--. 1 root root     139 Dec  3 01:47 media
2) View the file-context entries
[root@srv1 ~]# head /etc/selinux/targeted/contexts/files/file_contexts
/.*	system_u:object_r:default_t:s0
/[^/]+	--	system_u:object_r:etc_runtime_t:s0
/a?quota\.(user|group)	--	system_u:object_r:quota_db_t:s0
/nsr(/.*)?	system_u:object_r:var_t:s0
/sys(/.*)?	system_u:object_r:sysfs_t:s0
/xen(/.*)?	system_u:object_r:xen_image_t:s0
/mnt(/[^/]*)?	-d	system_u:object_r:mnt_t:s0
/mnt(/[^/]*)?	-l	system_u:object_r:mnt_t:s0
/bin/.*	system_u:object_r:bin_t:s0
/dev/.*	system_u:object_r:device_t:s0
3) Using contexts to let users access CGI
(1) By default, if the CGI file lives in the cgi-bin directory, it is enough to adjust the boolean
[root@srv1 ~]# semanage boolean -l | grep httpd_enable_cgi
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
(2) View the context definitions for CGI
[root@srv1 ~]# grep "cgi" /etc/selinux/targeted/contexts/files/file_contexts | grep "httpd"
/usr/.*\.cgi	--	system_u:object_r:httpd_sys_script_exec_t:s0
/opt/.*\.cgi	--	system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/[^/]*/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/html/[^/]*/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
/var/www/cgi-bin(/.*)?	system_u:object_r:httpd_sys_script_exec_t:s0
/usr/lib/cgi-bin/(nph-)?cgiwrap(d)?	--	system_u:object_r:httpd_suexec_exec_t:s0
/var/log/cgiwrap\.log.*	--	system_u:object_r:httpd_log_t:s0
(3) Test access to the default cgi-bin location
[root@client ~]# curl http://localhost/cgi-bin/index.py
CGI Test Page
# accessible by default
(4) If the CGI is stored in another directory, it cannot be accessed even when Apache is configured correctly
[root@client ~]# curl http://localhost/cgi-1000cc/index.py
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>500 Internal Server Error</title>
</head><body>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error or misconfiguration and was unable to complete your request.</p>
(5) Check the context of cgi-1000cc/index.py
[root@srv1 ~]# ls -Z /var/www/html/cgi-1000cc
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.py
(6) Change the context of index.py in the cgi-1000cc directory
[root@srv1 ~]# chcon -t httpd_sys_script_exec_t /var/www/html/cgi-1000cc/index.py
[root@srv1 ~]# ls -Z /var/www/html/cgi-1000cc
-rwxr-xr-x. root root unconfined_u:object_r:httpd_sys_script_exec_t:s0 index.py
[root@client ~]# curl http://localhost/cgi-1000cc/index.py
CGI Test Page
4) Make the configured context permanent
[root@srv1 ~]# semanage fcontext -a -t httpd_sys_script_exec_t /var/www/html/cgi-1000cc/index.py
[root@srv1 ~]# grep "cgi-1000cc" /etc/selinux/targeted/contexts/files/file_contexts.local
/var/www/html/cgi-1000cc/index.py    system_u:object_r:httpd_sys_script_exec_t:s0
6. Changing port types
# Note:
SELinux labels network ports with types, so a service cannot be started on a port whose type has not been configured for it.
1) List the port types
[root@srv1 ~]# semanage port -l
SELinux Port Type              Proto    Port Number

afs3_callback_port_t           tcp      7001
afs3_callback_port_t           udp      7001
afs_bos_port_t                 udp      7007
afs_fs_port_t                  tcp      2040
afs_fs_port_t                  udp      7000, 7005
afs_ka_port_t                  udp      7004
afs_pt_port_t                  tcp      7002
afs_pt_port_t                  udp      7002
afs_vl_port_t                  udp      7003
agentx_port_t                  tcp      705
......
......
2) Change Apache's listening port to 8222
[root@srv1 ~]# vim /etc/httpd/conf/httpd.conf
# edit line 42 as follows
Listen 8222
[root@srv1 ~]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
# start failed
3) Check SELinux's default port configuration for httpd
[root@srv1 ~]# semanage port -l | grep -E -w "80|443"
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
4) Change the port type
[root@srv1 ~]# semanage port -a -t http_port_t -p tcp 8222
[root@srv1 ~]# semanage port -l | grep "^http_port_t"
http_port_t                    tcp      8222, 80, 81, 443, 488, 8008, 8009, 8443, 9000
5) Test
[root@srv1 ~]# systemctl restart httpd
[root@srv1 ~]# systemctl is-active httpd
active
[root@srv1 ~]# netstat -lantp | grep 8222
tcp6       0      0 :::8222                 :::*                    LISTEN      2174/httpd
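As an added example (not code from the manual), the script below does the check that would have avoided the failed restart above: it parses `semanage port -l` style output, resolves the type a port carries (single ports win over ranges, as in the policy), and lists every `Listen` port in httpd.conf that is not labeled http_port_t. The SEMANAGE_PORTS and HTTPD_CONF samples are constructed, and the function names are this example's own; on a live host SEMANAGE_PORTS would be filled from `semanage port -l`.

```shell
#!/bin/sh
# Constructed sample of `semanage port -l` output (on a real host: SEMANAGE_PORTS=$(semanage port -l)).
SEMANAGE_PORTS='SELinux Port Type              Proto    Port Number
http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_cache_port_t              udp      3130
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
unreserved_port_t              tcp      61001-65535, 1024-32767
unreserved_port_t              udp      61001-65535, 1024-32767'

# Constructed httpd.conf fragment covering the Listen forms httpd accepts.
HTTPD_CONF='Listen 80
Listen 0.0.0.0:8222
Listen [::]:8443 https'

# port_type_of PROTO PORT: print the port type that covers PORT for PROTO, or
# nothing. Entries are single ports ("80,") or ranges ("1024-32767"); a single
# port entry takes precedence over a range that also contains the port.
port_type_of() {
    printf '%s\n' "$SEMANAGE_PORTS" | awk -v p="$1" -v n="$2" '
        NR > 1 && $2 == p {
            for (i = 3; i <= NF; i++) {
                item = $i; gsub(/,/, "", item)
                if (split(item, r, "-") == 2) {
                    if (rng == "" && n + 0 >= r[1] + 0 && n + 0 <= r[2] + 0) rng = $1
                } else if (item + 0 == n + 0) {
                    rng = ""; print $1; exit   # exact entry found; END prints nothing
                }
            }
        }
        END { if (rng != "") print rng }'
}

# port_allowed TYPE PROTO PORT: exit 0 if PORT/PROTO carries exactly TYPE.
port_allowed() {
    port_type_of "$2" "$3" | grep -qx "$1"
}

# listen_ports_not_allowed CONF: print each Listen port that is not http_port_t/tcp.
# The optional address prefix ("0.0.0.0:" or "[::]:") is stripped first.
listen_ports_not_allowed() {
    printf '%s\n' "$1" | awk '$1 == "Listen" { sub(/.*:/, "", $2); print $2 }' |
    while read -r port; do
        port_allowed http_port_t tcp "$port" || echo "$port"
    done
}

# Demo: name the offending port and the type it currently carries, which is the
# tcontext that would otherwise appear in the AVC denial after the restart.
for port in $(listen_ports_not_allowed "$HTTPD_CONF"); do
    cur=$(port_type_of tcp "$port")
    echo "port $port/tcp is labeled '${cur:-<none>}', not http_port_t: httpd will fail to bind"
done
```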
7. Searching the logs

1. Every SELinux access decision (allow or deny) is cached once it has been made, and denied accesses are sent to the log.
2. The SELinux cache is called the AVC (access vector cache), so a denied access is also called an AVC denial.
3. AVC denials are written by either rsyslog or the audit service.
1) View AVC messages in audit.log
[root@srv1 ~]# grep "avc: .denied" /var/log/audit/audit.log
......
......
node=srv1.1000cc.net type=AVC msg=audit(1582840079.884:297): avc: denied { name_bind } for pid=2132 comm="httpd" src=8222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
node=srv1.1000cc.net type=AVC msg=audit(1582840110.941:299): avc: denied { name_bind } for pid=2146 comm="httpd" src=8222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
node=srv1.1000cc.net type=AVC msg=audit(1582840110.941:300): avc: denied { name_bind } for pid=2146 comm="httpd" src=8222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
2) View AVC messages in /var/log/messages
[root@srv1 ~]# grep "avc: .denied" /var/log/messages
Feb 27 13:20:06 srv kernel: type=1400 audit(1459743606.523:6): avc: denied { read } for pid=1298 comm="httpd" name="index.html" dev="dm-0" ino=67206855 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
Feb 27 13:22:13 srv1 kernel: type=1400 audit(1459743733.690:4): avc: denied { read } for pid=891 comm="httpd" name="index.html" dev="dm-0" ino=67206855 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
3) Messages sent through auditd can be searched with the ausearch command
[root@srv1 ~]# ausearch -m AVC
......
......
time->Fri Feb 28 05:48:30 2020
node=srv1.1000cc.net type=PROCTITLE msg=audit(1582840110.941:299): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
node=srv1.1000cc.net type=SOCKADDR msg=audit(1582840110.941:299): saddr=0A00201E000000000000000000000000000000000000000000000000
node=srv1.1000cc.net type=SYSCALL msg=audit(1582840110.941:299): arch=c000003e syscall=49 success=no exit=-13 a0=4 a1=55e27ddd6e28 a2=1c a3=7fff5f6e7720 items=0 ppid=1 pid=2146 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
node=srv1.1000cc.net type=AVC msg=audit(1582840110.941:299): avc: denied { name_bind } for pid=2146 comm="httpd" src=8222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
----
time->Fri Feb 28 05:48:30 2020
node=srv1.1000cc.net type=PROCTITLE msg=audit(1582840110.941:300): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
node=srv1.1000cc.net type=SOCKADDR msg=audit(1582840110.941:300): saddr=0200201E000000000000000000000000
node=srv1.1000cc.net type=SYSCALL msg=audit(1582840110.941:300): arch=c000003e syscall=49 success=no exit=-13 a0=3 a1=55e27ddd6d68 a2=10 a3=7fff5f6e7b2c items=0 ppid=1 pid=2146 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
node=srv1.1000cc.net type=AVC msg=audit(1582840110.941:300): avc: denied { name_bind } for pid=2146 comm="httpd" src=8222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
4) View AVC events with aureport
[root@srv1 ~]# aureport --avc

AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 02/27/2020 02:28:41 sh system_u:system_r:initrc_t:s0 59 file execute system_u:object_r:unlabeled_t:s0 denied 15
2. 02/27/2020 02:28:41 sh system_u:system_r:initrc_t:s0 21 file execute system_u:object_r:unlabeled_t:s0 denied 16
3. 02/27/2020 02:28:41 sh system_u:system_r:initrc_t:s0 21 file read system_u:object_r:unlabeled_t:s0 denied 17
4. 02/27/2020 02:28:41 sh system_u:system_r:initrc_t:s0 59 file execute system_u:object_r:unlabeled_t:s0 denied 18
5. 02/27/2020 02:28:41 sh system_u:system_r:initrc_t:s0 21 file execute system_u:object_r:unlabeled_t:s0 denied 19
6. 02/27/2020 02:28:41 sh system_u:system_r:initrc_t:s0 21 file read system_u:object_r:unlabeled_t:s0 denied 20
......
......
8. Using SETroubleShoot
1) Install auditd
[root@srv1 ~]# yum install audit -y
[root@srv1 ~]# service auditd start
[root@srv1 ~]# systemctl enable auditd
2) Install the SETroubleShoot server
[root@srv1 ~]# yum install setroubleshoot-server -y
[root@srv1 ~]# vim /etc/tmpfiles.d/setroubleshoot.conf
D /var/run/setroubleshoot 0755 setroubleshoot root -
[root@srv1 ~]# mkdir --context=system_u:object_r:setroubleshoot_var_run_t:s0 \
/var/run/setroubleshoot
[root@srv1 ~]# chown setroubleshoot:root /var/run/setroubleshoot
[root@srv1 ~]# chmod 755 /var/run/setroubleshoot
[root@srv1 ~]# service auditd restart
Stopping logging:                                          [  OK  ]
Redirecting start to /bin/systemctl start auditd.service
[root@srv1 ~]# systemctl restart dbus
3) Change httpd's listening port to 8220
[root@srv1 ~]# vim /etc/httpd/conf/httpd.conf
# edit line 42 as follows
Listen 8220
[root@srv1 ~]# systemctl restart httpd
Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
4) The information can be queried from the log
[root@srv1 ~]# grep -E 'setroubleshoot|preventing' /var/log/messages
Feb 28 06:18:42 srv1 setroubleshoot: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8220. For complete SELinux messages run: sealert -l a277accc-bbcc-4aea-9253-ffc291d474a7
Feb 28 06:18:42 srv1 python: SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8220.#012#012***** Plugin bind_ports (92.2 confidence) suggests ************************#012#012If you want to allow /usr/sbin/httpd to bind to network port 8220#012Then you need to modify the port type.#012Do#012# semanage port -a -t PORT_TYPE -p tcp 8220#012 where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.#012#012***** Plugin catchall_boolean (7.83 confidence) suggests ******************#012#012If you want to allow nis to enabled#012Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.#012#012Do#012setsebool -P nis_enabled 1#012#012***** Plugin catchall (1.41 confidence) suggests **************************#012#012If you believe that httpd should be allowed name_bind access on the port 8220 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012
5) View more details
[root@srv1 ~]# sealert -l a277accc-bbcc-4aea-9253-ffc291d474a7
SELinux is preventing /usr/sbin/httpd from name_bind access on the tcp_socket port 8220.
***** Plugin bind_ports (92.2 confidence) suggests ************************
If you want to allow /usr/sbin/httpd to bind to network port 8220
Then you need to modify the port type.
Do
# the suggested fix
# semanage port -a -t PORT_TYPE -p tcp 8220
    where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.
***** Plugin catchall_boolean (7.83 confidence) suggests ******************
If you want to allow nis to enabled
Then you must tell SELinux about this by enabling the 'nis_enabled' boolean.

Do
setsebool -P nis_enabled 1
***** Plugin catchall (1.41 confidence) suggests **************************
If you believe that httpd should be allowed name_bind access on the port 8220 tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:unreserved_port_t:s0
Target Objects                port 8220 [ tcp_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          8220
Host                          srv1.1000cc.net
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-252.el7_7.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     srv1.1000cc.net
Platform                      Linux srv1.1000cc.net 3.10.0-1062.el7.x86_64 #1 SMP Wed Aug 7 18:08:02 UTC 2019 x86_64 x86_64
Alert Count                   2
First Seen                    2020-02-28 06:18:40 CST
Last Seen                     2020-02-28 06:18:40 CST
Local ID                      a277accc-bbcc-4aea-9253-ffc291d474a7
Raw Audit Messages
type=AVC msg=audit(1582841920.782:379): avc: denied { name_bind } for pid=2803 comm="httpd" src=8220 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Hash: httpd,httpd_t,unreserved_port_t,tcp_socket,name_bind
9. Using audit2allow
Notes:
1. audit2allow turns the denied operations recorded in the log into rules that SELinux allows.
2. However, the rules audit2allow generates tend to grant more access than is needed, so it is still recommended to fix the configuration with restorecon or chcon where possible.
3. If the audit2allow command does not exist on the system, install it with "yum install policycoreutils-python -y".
1) Read the AVC denial messages from audit.log
[root@srv1 ~]# audit2allow -w -a
node=srv1.1000cc.net type=AVC msg=audit(1582741721.916:15): avc: denied { execute } for pid=714 comm="sh" name="abrt-dump-oops" dev="dm-0" ino=101115671 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

......
......
Notes:
1. If no log file is specified, audit2allow reads /var/log/audit/audit.log.
2. To read a specific log file, use the "-i logfile" option instead of the "-a" option.
2) Use ausearch to show log entries for a given time range
[root@srv1 ~]# ausearch -m AVC --start 02/26/2020 19:00 --end 02/28/2020 19:00 | audit2allow -w
node=srv1.1000cc.net type=AVC msg=audit(1582741721.916:15): avc: denied { execute } for pid=714 comm="sh" name="abrt-dump-oops" dev="dm-0" ino=101115671 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
	Was caused by:
		Unknown - would be allowed by active policy
		Possible mismatch between this policy and the one under which the audit message was generated.

		Possible mismatch between current in-memory boolean settings vs. permanent ones.

......
......
3) Use the -a option to display the rules that would be required
[root@srv1 ~]# ausearch -m AVC --start 02/26/2020 19:00 --end 02/28/2020 19:00 | audit2allow -a

#============= httpd_t ==============
allow httpd_t admin_home_t:file getattr;
4) Generate the allow rules as a policy module
[root@srv1 ~]# ausearch -m AVC --start 02/26/2020 19:00 --end 02/28/2020 19:00 | audit2allow -a -M test_rule
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i test_rule.pp
5) Install the module with the command shown in step 4)
[root@srv1 ~]# semodule -i test_rule.pp
6) Confirm that the module has been loaded
[root@srv1 ~]# semodule -l | grep test_rule
test_rule	1.0
7) Changing rules with audit2allow
[root@srv1 ~]# curl http://localhost/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /index.html
on this server.</p>
</body></html>
[root@srv1 ~]# ausearch -m AVC | grep -E 'http|index.html' | audit2allow -a

#============= httpd_t ==============
allow httpd_t admin_home_t:file read;

#!!!! This avc is allowed in the current policy
allow httpd_t admin_home_t:file getattr;
# read permission is required
[root@srv1 ~]# ausearch -m AVC | grep -E 'http|index.html' | audit2allow -a -M test_rule
[root@srv1 ~]# semodule -i test_rule.pp
[root@srv1 ~]# curl http://localhost/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
[root@srv1 ~]# ausearch -m AVC | grep -E 'http|index.html' | audit2allow -a

#============= httpd_t ==============
allow httpd_t admin_home_t:file open;

#!!!! This avc is allowed in the current policy
allow httpd_t admin_home_t:file { read getattr };
# open permission is required
[root@srv1 ~]# ausearch -m AVC | grep -E 'http|index.html' | audit2allow -a -M test_rule
[root@srv1 ~]# semodule -i test_rule.pp
[root@srv1 ~]# curl http://localhost/index.html
Test Page
# access succeeded
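As an added example (not code from the manual), the script below parses AVC denial lines of the format shown in section 7, splits each scontext/tcontext into the user:role:type:level fields described in section 3, and sorts every denial into the remedy the manual walks through before reaching for audit2allow: relabel the port (section 6), relabel the file with restorecon/chcon (section 5), or review booleans and only then consider a custom module (this section). The AVC lines are constructed from the page's own examples; the function names and the list of "mislabeled" target types (admin_home_t, user_home_t, unlabeled_t, default_t) are this example's assumptions, not a complete rule.

```shell
#!/bin/sh
# Constructed sample AVC lines (same format as `grep "avc: .denied" /var/log/audit/audit.log`).
AVC_LOG='type=AVC msg=audit(1582840110.941:299): avc:  denied  { name_bind } for  pid=2146 comm="httpd" src=8222 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1459743606.523:6): avc:  denied  { read } for  pid=1298 comm="httpd" name="index.html" dev="dm-0" ino=67206855 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1582741721.916:15): avc:  denied  { execute } for  pid=714 comm="sh" name="abrt-dump-oops" dev="dm-0" ino=101115671 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=file permissive=0
type=AVC msg=audit(1582840110.941:301): avc:  denied  { write } for  pid=2200 comm="vsftpd" name="pub" dev="dm-0" ino=123 scontext=system_u:system_r:ftpd_t:s0 tcontext=system_u:object_r:public_content_rw_t:s0 tclass=dir permissive=0'

# ctx_field CONTEXT N: field N of a user:role:type:level context. Only the first
# three colons separate fields; the level itself may contain colons (s0-s0:c0.c1023).
ctx_field() {
    case $2 in
        1) printf '%s\n' "${1%%:*}" ;;
        2) r=${1#*:}; printf '%s\n' "${r%%:*}" ;;
        3) r=${1#*:}; r=${r#*:}; printf '%s\n' "${r%%:*}" ;;
        4) r=${1#*:}; r=${r#*:}; printf '%s\n' "${r#*:}" ;;
    esac
}

# avc_fields LOG: one tab-separated line per denial:
# event-id, comm, permissions, tclass, scontext, tcontext
avc_fields() {
    printf '%s\n' "$1" | awk '
        /avc: +denied/ {
            ev = ""; perms = ""; comm = ""; s = ""; t = ""; cls = ""
            if (match($0, /audit\([0-9.]+:[0-9]+\)/)) {        # "audit(1582840110.941:299)"
                ev = substr($0, RSTART, RLENGTH); sub(/.*:/, "", ev); sub(/\)/, "", ev)
            }
            if (match($0, /\{[^}]*\}/)) {                      # "{ read getattr }"
                perms = substr($0, RSTART + 1, RLENGTH - 2); gsub(/^ +| +$/, "", perms)
            }
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
                else if (kv[1] == "scontext") s = kv[2]
                else if (kv[1] == "tcontext") t = kv[2]
                else if (kv[1] == "tclass") cls = kv[2]
            }
            printf "%s\t%s\t%s\t%s\t%s\t%s\n", ev, comm, perms, cls, s, t
        }'
}

# avc_triage LOG: print "event comm source-type target-type tclass verdict", where
#   port-label     a domain tried to bind a port of another type -> semanage port
#   file-relabel   the target carries a home/unlabeled/default type -> restorecon or chcon
#   review-policy  anything else -> check booleans first; audit2allow only after review
avc_triage() {
    tab=$(printf '\t')
    avc_fields "$1" | while IFS=$tab read -r ev comm perms cls sctx tctx; do
        stype=$(ctx_field "$sctx" 3)
        ttype=$(ctx_field "$tctx" 3)
        case "$cls:$perms" in
            tcp_socket:*name_bind*|udp_socket:*name_bind*) verdict=port-label ;;
            *) case $ttype in
                   admin_home_t|user_home_t|unlabeled_t|default_t) verdict=file-relabel ;;
                   *) verdict=review-policy ;;
               esac ;;
        esac
        printf '%s %s %s %s %s %s\n' "$ev" "$comm" "$stype" "$ttype" "$cls" "$verdict"
    done
}

# Demo over the constructed log.
avc_triage "$AVC_LOG"
```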
10. Using matchpathcon
1) Description
matchpathcon displays the default SELinux context of a path and can compare it with the context currently applied.
2) Show the default context of index.html
[root@srv1 ~]# matchpathcon /var/www/html/index.html
/var/www/html/index.html	system_u:object_r:httpd_sys_content_t:s0
3) Compare the applied context with the default (identical)
[root@srv1 ~]# matchpathcon -V /var/www/html
/var/www/html verified.
# "verified." is printed when there is no difference
4) Compare the applied context with the default (different)
[root@srv1 ~]# matchpathcon -V /var/www/html/index.html
/var/www/html/index.html has context unconfined_u:object_r:admin_home_t:s0, should be system_u:object_r:httpd_sys_content_t:s0
5) Using wildcards
[root@srv1 ~]# matchpathcon -V /var/www/html/*
/var/www/html/cgi-enabled verified.
/var/www/html/index.html has context unconfined_u:object_r:user_home_t:s0, should be system_u:object_r:httpd_sys_conten_t:s0
/var/www/html/index.php verified.
/var/www/html/index.py verified.
/var/www/html/info.php verified.
11. Searching the SELinux policy with sesearch
1) Install sesearch
[root@srv1 ~]# yum install setools-console -y
2) Show all allow rules
[root@srv1 ~]# sesearch --allow
......
......
allow mozilla_t mozilla_t : process execstack ;
allow mozilla_t mozilla_t : process execmem ;
allow condor_startd_t condor_startd_t : capability2 compromise_kernel ;
allow roundup_t nscd_t : nscd { getpwd getgrp gethost } ;
allow roundup_t nscd_t : nscd { getpwd getgrp gethost getserv getnetgrp } ;
allow roundup_t nscd_t : nscd { shmempwd shmemgrp shmemhost shmemserv shmemnetgrp } ;
allow secadm_su_t node_t : node { udp_recv recvfrom } ;
allow secadm_su_t node_t : node { udp_send sendto } ;
allow secadm_su_t node_t : node { tcp_recv tcp_send recvfrom sendto } ;
allow pcp_pmcd_t var_log_t : dir { getattr search open } ;
allow pcp_pmcd_t var_log_t : dir { ioctl read getattr lock search open } ;
allow zebra_t etc_t : dir { getattr search open } ;
allow fsadm_t netif_t : netif { udp_recv ingress } ;
allow fsadm_t netif_t : netif { udp_send egress } ;
allow fsadm_t netif_t : netif { tcp_recv tcp_send ingress egress } ;
......
......
3) Show the allow rules for the httpd_t source domain
[root@srv1 ~]# sesearch -s httpd_t --allow -d
allow httpd_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow httpd_t nfs_t : file { ioctl read getattr lock open } ;
allow httpd_t nfs_t : file { ioctl read getattr map execute execute_no_trans open } ;
allow httpd_t nfs_t : file { ioctl read getattr lock open } ;
allow httpd_t w3c_validator_rw_content_t : sock_file { read write getattr append open } ;
allow httpd_t openshift_script_t : process transition ;
allow httpd_t nagios_rw_content_t : sock_file { read write getattr append open } ;
4) Show which domains are allowed to access the httpd_sys_script_exec_t type
[root@srv1 ~]# sesearch -t httpd_sys_script_exec_t --allow -d
Found 11 semantic av rules:
allow httpd_sys_script_t httpd_sys_script_exec_t : dir { ioctl read getattr lock search open } ;
allow openshift_domain httpd_sys_script_exec_t : dir { getattr search open } ;
allow httpd_sys_script_exec_t httpd_sys_script_exec_t : filesystem associate ;
allow httpd_sys_script_t httpd_sys_script_exec_t : file { ioctl read getattr lock map execute execute_no_trans entrypoint open } ;
allow httpd_suexec_t httpd_sys_script_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow openshift_domain httpd_sys_script_exec_t : file { ioctl read getattr lock map execute execute_no_trans open } ;
allow httpd_exec_scripts httpd_sys_script_exec_t : file { ioctl read getattr lock open } ;
allow httpd_exec_scripts httpd_sys_script_exec_t : file { ioctl read getattr map execute execute_no_trans open } ;
allow httpd_t httpd_sys_script_exec_t : file { ioctl read getattr map execute execute_no_trans open } ;
allow httpd_sys_script_t httpd_sys_script_exec_t : file entrypoint ;
allow httpd_suexec_t httpd_sys_script_exec_t : file { ioctl read getattr map execute execute_no_trans open } ;
5) Show which domains are allowed to write files of type shadow_t
[root@srv1 ~]# sesearch -t shadow_t -c file -p write --allow
Found 11 semantic av rules:
allow cockpit_session_t shadow_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow useradd_t shadow_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow passwd_t shadow_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename open } ;
allow rpm_t file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow rpm_script_t file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow pegasus_openlmi_account_t shadow_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow updpwd_t shadow_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow files_unconfined_type file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append map unlink link rename execute swapon quotaon mounton execute_no_trans open audit_access } ;
allow groupadd_t shadow_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow sysadm_passwd_t shadow_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
allow yppasswdd_t shadow_t : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ;
6) Show the rules controlled by the ftpd_anon_write boolean
[root@srv1 ~]# sesearch -b ftpd_anon_write --allow -d
Found 11 semantic av rules:
allow ftpd_t public_content_rw_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow ftpd_t public_content_rw_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow ftpd_t public_content_rw_t : dir { ioctl read write create getattr setattr lock unlink link rename add_name remove_name reparent search rmdir open } ;
allow ftpd_t public_content_rw_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow ftpd_t cifs_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow ftpd_t public_content_rw_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow ftpd_t cifs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow ftpd_t nfs_t : dir { ioctl read write getattr lock add_name remove_name search open } ;
allow ftpd_t nfs_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ;
allow ftpd_t public_content_rw_t : lnk_file { ioctl read write create getattr setattr lock append unlink link rename } ;
allow ftpd_t autofs_t : dir { getattr search open } ;

 
