SELinux : ログを確認する2023/02/20 |
SELinux によるアクセス可否の決定は一旦キャッシュされ、アクセスが拒否の場合はメッセージがログに記録されます。
SELinux のキャッシュは AVC (Access Vector Cache) と呼ばれ、アクセス拒否は AVC 拒否とも呼ばれます。
AVC 拒否のログは、Systemd Journald または Audit サービス経由で出力されます。
Rsyslog サービス稼働中の場合 (デフォルトは自動起動) は [/var/log/messages] にも記録されます。 よって、いずれかのサービスが起動している必要があります。 |
|
[1] | Systemd Journald や Rsyslog サービスが有効の場合は、ログは Journald のログや [/var/log/messages] に記録されます。 |
[root@dlp ~]# journalctl -t setroubleshoot Mar 10 21:57:34 dlp.srv.world setroubleshoot[1840]: AnalyzeThread.run(): Cancel> Mar 10 21:57:34 dlp.srv.world setroubleshoot[1840]: failed to retrieve rpm info> Mar 10 21:57:35 dlp.srv.world setroubleshoot[1840]: SELinux is preventing /usr/> Mar 10 21:57:35 dlp.srv.world setroubleshoot[1840]: SELinux is preventing /usr/> ..... .....[root@dlp ~]# grep "setroubleshoot" /var/log/messages Mar 10 21:57:35 dlp setroubleshoot[1840]: SELinux is preventing /usr/sbin/smbd from watch access on the directory /home/share. For complete SELinux messages run: sealert -l 08f68245-f415-4f55-a5d5-7a9a27beba12 Mar 10 21:57:35 dlp setroubleshoot[1840]: SELinux is preventing /usr/sbin/smbd from watch access on the directory /home/share.#012#012***** Plugin catchall_boolean (89.3 confidence) suggests ******************#012#012If you want to allow samba to export all rw#012Then you must tell SELinux about this by enabling the 'samba_export_all_rw' boolean.#012#012Do#012setsebool -P samba_export_all_rw 1#012#012***** Plugin catchall (11.6 confidence) suggests **************************#012#012If you believe that smbd should be allowed watch access on the share directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'smbd-notifyd' --raw | audit2allow -M my-smbdnotifyd#012# semodule -X 300 -i my-smbdnotifyd.pp#012 |
[2] | Audit サービスが有効の場合は、ログは [/var/log/audit/audit.log] に出力されます。 |
[root@dlp ~]# grep "avc: .denied" /var/log/audit/audit.log type=AVC msg=audit(1644986614.918:178): avc: denied { mac_admin } for pid=1933 comm="restorecon" capability=33 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=capability2 permissive=0 type=AVC msg=audit(1646971053.926:140): avc: denied { watch } for pid=1794 comm="smbd-notifyd" path="/home/share" dev="dm-0" ino=61100 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0 type=AVC msg=audit(1646971053.927:141): avc: denied { watch } for pid=1794 comm="smbd-notifyd" path="/home/share" dev="dm-0" ino=61100 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0 |
[3] | Auditd 経由のログは [ausearch] コマンドを使用すると、時刻等を見易い形式で出力できます。 |
[root@dlp ~]# ausearch -m AVC ---- time->Thu Mar 10 21:57:33 2022 type=PROCTITLE msg=audit(1646971053.926:140): proctitle=2F7573722F7362696E2F736D6264002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570 type=SYSCALL msg=audit(1646971053.926:140): arch=c000003e syscall=254 success=no exit=-13 a0=f a1=7ffcf269679c a2=210003c0 a3=7ffcf2695fd0 items=0 ppid=1792 pid=1794 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd-notifyd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null) type=AVC msg=audit(1646971053.926:140): avc: denied { watch } for pid=1794 comm="smbd-notifyd" path="/home/share" dev="dm-0" ino=61100 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0 ---- time->Thu Mar 10 21:57:33 2022 type=PROCTITLE msg=audit(1646971053.927:141): proctitle=2F7573722F7362696E2F736D6264002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570 type=SYSCALL msg=audit(1646971053.927:141): arch=c000003e syscall=254 success=no exit=-13 a0=f a1=7ffcf269679c a2=210003c6 a3=7ffcf2696740 items=0 ppid=1792 pid=1794 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="smbd-notifyd" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null) type=AVC msg=audit(1646971053.927:141): avc: denied { watch } for pid=1794 comm="smbd-notifyd" path="/home/share" dev="dm-0" ino=61100 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0 |
[4] | Auditd 経由のログは [aureport] コマンドを利用すると、サマリ出力できます。 |
[root@dlp ~]# aureport --avc AVC Report =============================================================== # date time comm subj syscall class permission obj result event =============================================================== 1. 02/15/2022 22:43:19 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 166 2. 02/15/2022 22:43:19 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 167 3. 02/15/2022 22:43:19 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 168 4. 02/15/2022 22:43:34 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 175 5. 02/15/2022 22:43:34 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 176 6. 02/15/2022 22:43:34 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 177 7. 02/15/2022 22:43:34 restorecon unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 189 capability2 mac_admin unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 denied 178 8. 03/10/2022 21:57:33 smbd-notifyd system_u:system_r:smbd_t:s0 254 dir watch unconfined_u:object_r:user_home_dir_t:s0 denied 140 9. 03/10/2022 21:57:33 smbd-notifyd system_u:system_r:smbd_t:s0 254 dir watch unconfined_u:object_r:user_home_dir_t:s0 denied 141 |
Sponsored Link |
|