Selinux blocking the module. Is seboolean "nis_enabled" secure enough?

Question


I have recently configured an alerting system using the vmalert module (a Victoriametrics product). On my system there is an enforcing SELinux policy, which shall remain so. When trying to run vmalert, it got blocked by SELinux.

It kept happening until I grepped the contents of audit.log and fed them to audit2allow to create a policy. In addition, I can ensure it is working by enabling the "nis boolean" in Selinux. However, I strongly believe there is a better way to allow it to run. Any assistance in this regard is appreciated. Below is the snippet of policy that is proposed to be loaded into Selinux:


    module vmalert 1.0;

    require {
	type init_t;
	type unreserved_port_t;
	type http_port_t;
	class tcp_socket name_connect;
    }

    #============= init_t ==============

    #!!!! This avc can be allowed using the boolean 'nis_enabled'
    allow init_t http_port_t:tcp_socket name_connect;

    #!!!! This avc can be allowed using the boolean 'nis_enabled'
    allow init_t unreserved_port_t:tcp_socket name_connect;

Answer 1

Score: 1


You can allow just what is blocked (TCP connections to http ports and unreserved ports) with:

cat << EOF > vmalert.te
module vmalert 1.0;

require {
type init_t;
type unreserved_port_t;
type http_port_t;
class tcp_socket name_connect;
}

#============= init_t ==============

allow init_t http_port_t:tcp_socket name_connect;
allow init_t unreserved_port_t:tcp_socket name_connect;
EOF
checkmodule -M -m -o vmalert.mod vmalert.te
semodule_package -o vmalert.pp -m vmalert.mod
semodule -i vmalert.pp
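The answer's module grants exactly the two name_connect rules that appear in the audit log and nothing else, which is the tighter alternative to flipping nis_enabled. The following script is an added example, not code from the question, the answer, or the Victoriametrics project: it parses AVC denial records from an audit.log excerpt (the log lines below are constructed to match the denials described in the question), renders a minimal .te module in the same shape as the one in the answer, and also reports which destination ports were actually refused per target port type. That last check matters before accepting a blanket allow on unreserved_port_t: if only one or two ports are ever needed, labelling them with a dedicated port type via semanage port is narrower still. The function names (parse_denials, denied_ports, build_te_module) are this example's own, and the regexes only cover the name_connect-style records shown here, not everything audit2allow understands. Note that the source type in the denials is init_t, i.e. vmalert is running in systemd's own domain rather than a domain of its own, so any rule added here widens what init_t may do.

```python
import re
from collections import defaultdict

# Constructed sample audit.log excerpt (not taken from the question) modelled on the
# denials described there: vmalert runs in init_t and is refused name_connect to
# http_port_t and unreserved_port_t. The SYSCALL record shows non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1685086000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="vmalert" dest=8428 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1685086001.456:457): avc:  denied  { name_connect } for  pid=1234 comm="vmalert" dest=80 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1685086002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="vmalert" dest=8080 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1685086002.789:458): arch=c000003e syscall=42 success=no exit=-13 comm="vmalert"
"""

# One AVC record: the permission set, then source/target types and object class.
# Only the type field (third component) of each context is kept; the MLS range is ignored.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=[^\s:]+:[^\s:]+:(?P<stype>[^\s:]+)\S*\s+"
    r"tcontext=[^\s:]+:[^\s:]+:(?P<ttype>[^\s:]+)\S*\s+"
    r"tclass=(?P<tclass>\w+)"
)
COMM_RE = re.compile(r'comm="(?P<comm>[^"]*)"')
DEST_RE = re.compile(r"\bdest=(?P<dest>\d+)")


def parse_denials(audit_text):
    """Return one dict per AVC denial record; non-AVC records are ignored."""
    denials = []
    for line in audit_text.splitlines():
        if "type=AVC" not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        comm = COMM_RE.search(line)
        dest = DEST_RE.search(line)
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": m.group("stype"),
            "ttype": m.group("ttype"),
            "tclass": m.group("tclass"),
            "comm": comm.group("comm") if comm else None,
            "dest": int(dest.group("dest")) if dest else None,
        })
    return denials


def denied_ports(denials):
    """Map each target port type to the set of destination ports actually seen.
    Review this before accepting a broad allow on unreserved_port_t: if only a
    couple of ports are needed, a dedicated port type (semanage port) is tighter."""
    ports = defaultdict(set)
    for d in denials:
        if d["dest"] is not None:
            ports[d["ttype"]].add(d["dest"])
    return dict(ports)


def _fmt_perms(perms):
    # SELinux policy syntax: a single permission is bare, several are braced.
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def build_te_module(name, version, denials):
    """Render a minimal Type Enforcement module covering exactly the parsed denials,
    in the same shape as the module in the answer (no boolean, no extra rules).
    Denials with the same source/target/class are merged into one allow rule."""
    types = sorted({d["stype"] for d in denials} | {d["ttype"] for d in denials})
    classes = defaultdict(set)
    rules = defaultdict(set)
    for d in denials:
        classes[d["tclass"]] |= d["perms"]
        rules[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]

    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {_fmt_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    lines += [f"allow {s} {t}:{c} {_fmt_perms(p)};"
              for (s, t, c), p in sorted(rules.items())]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print("destination ports per target type:", denied_ports(found))
    print(build_te_module("vmalert", "1.0", found))
```

Feed the generated text to the same checkmodule / semodule_package / semodule -i sequence shown in the answer. Run the script against the real audit.log first and read the port summary: two denials for http_port_t collapse into one allow rule, which is what you want, but a long list of unrelated unreserved ports is a sign that the process is doing more than expected and that a rule for unreserved_port_t is too wide.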

huangapple
  • Posted on 2023-05-26 15:26:03
  • Please keep this link when reposting: https://go.coder-hub.com/76338538.html