openSUSE Leap 16

SELinux : Check Logs 2025/10/22


SELinux access decisions are cached once made, and when access is denied a message is written to the log. The SELinux cache is called the AVC (Access Vector Cache), so an access denial is also called an AVC denial.

AVC denial logs are output via systemd-journald or the Audit service.
If the rsyslog service is running, they are also recorded in [/var/log/messages].

[1] If the systemd-journald or rsyslog service is enabled, the logs are recorded in the journald log or in [/var/log/messages].
dlp:~ #
journalctl -t setroubleshoot

Oct 22 11:45:52 dlp.srv.world setroubleshoot[2044]: SELinux is preventing rsyslogd from getattr access on the file /run/rsyslog>
Oct 22 11:45:52 dlp.srv.world setroubleshoot[2044]: SELinux is preventing rsyslogd from getattr access on the file /run/rsyslog>
.....
.....

dlp:~ #
grep "setroubleshoot" /var/log/messages

2025-10-22T11:53:29.488357+09:00 dlp setroubleshoot: SELinux is preventing httpd-prefork from name_bind access on the tcp_socket port 85. For complete SELinux messages run: sealert -l fa5c5bfe-dd41-410f-84c5-c5c353a3842e
2025-10-22T11:53:29.495297+09:00 dlp setroubleshoot[1245]: SELinux is preventing httpd-prefork from name_bind access on the tcp_socket port 85.#012#012*****  Plugin bind_ports (99.5 confidence) suggests   ************************#012#012If you want to allow httpd-prefork to bind to network port 85#012Then you need to modify the port type.#012Do#012# semanage port -a -t PORT_TYPE -p tcp 85#012    where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.#012#012*****  Plugin catchall (1.49 confidence) suggests   **************************#012#012If you believe that httpd-prefork should be allowed name_bind access on the port 85 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd-prefork' --raw | audit2allow -M my-httpdprefork#012# semodule -X 300 -i my-httpdprefork.pp#012
2025-10-22T11:53:31.079744+09:00 dlp setroubleshoot: SELinux is preventing httpd-prefork from name_bind access on the tcp_socket port 85. For complete SELinux messages run: sealert -l fa5c5bfe-dd41-410f-84c5-c5c353a3842e
2025-10-22T11:53:31.086752+09:00 dlp setroubleshoot[1245]: SELinux is preventing httpd-prefork from name_bind access on the tcp_socket port 85.#012#012*****  Plugin bind_ports (99.5 confidence) suggests   ************************#012#012If you want to allow httpd-prefork to bind to network port 85#012Then you need to modify the port type.#012Do#012# semanage port -a -t PORT_TYPE -p tcp 85#012    where PORT_TYPE is one of the following: http_cache_port_t, http_port_t, jboss_management_port_t, jboss_messaging_port_t, ntop_port_t, puppet_port_t.#012#012*****  Plugin catchall (1.49 confidence) suggests   **************************#012#012If you believe that httpd-prefork should be allowed name_bind access on the port 85 tcp_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd-prefork' --raw | audit2allow -M my-httpdprefork#012# semodule -X 300 -i my-httpdprefork.pp#012
[2] If the Audit service is enabled, the logs are written to [/var/log/audit/audit.log].
dlp:~ #
grep "avc: .denied" /var/log/audit/audit.log

type=AVC msg=audit(1761101149.745:138): avc:  denied  { getattr } for  pid=2041 comm="rsyslogd" path="/run/rsyslog/additional-log-sockets.conf" dev="tmpfs" ino=1914 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1761101149.745:139): avc:  denied  { getattr } for  pid=2041 comm="rsyslogd" path="/run/rsyslog/additional-log-sockets.conf" dev="tmpfs" ino=1914 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1761101149.745:140): avc:  denied  { getattr } for  pid=2041 comm="rsyslogd" path="/run/rsyslog/additional-log-sockets.conf" dev="tmpfs" ino=1914 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1761101187.870:226): avc:  denied  { getattr } for  pid=2101 comm="rsyslogd" path="/run/rsyslog/additional-log-sockets.conf" dev="tmpfs" ino=1914 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1761101187.870:227): avc:  denied  { read } for  pid=2101 comm="rsyslogd" name="additional-log-sockets.conf" dev="tmpfs" ino=1914 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1761101187.870:228): avc:  denied  { open } for  pid=2101 comm="rsyslogd" path="/run/rsyslog/additional-log-sockets.conf" dev="tmpfs" ino=1914 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1761101604.691:114): avc:  denied  { name_bind } for  pid=1230 comm="httpd-prefork" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1761101604.691:115): avc:  denied  { name_bind } for  pid=1230 comm="httpd-prefork" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
[3] For logs that go through auditd, the [ausearch] command prints them in a readable format, with the time and other fields decoded.
dlp:~ #
ausearch -m AVC

----
time->Wed Oct 22 11:45:49 2025
type=AVC msg=audit(1761101149.745:138): avc:  denied  { getattr } for  pid=2041 comm="rsyslogd" path="/run/rsyslog/additional-log-sockets.conf" dev="tmpfs" ino=1914 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
----
time->Wed Oct 22 11:45:49 2025
type=AVC msg=audit(1761101149.745:139): avc:  denied  { getattr } for  pid=2041 comm="rsyslogd" path="/run/rsyslog/additional-log-sockets.conf" dev="tmpfs" ino=1914 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
----
time->Wed Oct 22 11:45:49 2025
type=AVC msg=audit(1761101149.745:140): avc:  denied  { getattr } for  pid=2041 comm="rsyslogd" path="/run/rsyslog/additional-log-sockets.conf" dev="tmpfs" ino=1914 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
[4] For logs that go through auditd, the [aureport] command produces a summary.
dlp:~ #
aureport --avc


AVC Report
===============================================================
# date time comm subj syscall class permission obj result event
===============================================================
1. 10/22/25 11:45:49 rsyslogd system_u:system_r:syslogd_t:s0 0 file getattr unconfined_u:object_r:var_run_t:s0 denied 138
2. 10/22/25 11:45:49 rsyslogd system_u:system_r:syslogd_t:s0 0 file getattr unconfined_u:object_r:var_run_t:s0 denied 139
3. 10/22/25 11:45:49 rsyslogd system_u:system_r:syslogd_t:s0 0 file getattr unconfined_u:object_r:var_run_t:s0 denied 140
4. 10/22/25 11:46:27 rsyslogd system_u:system_r:syslogd_t:s0 0 file getattr unconfined_u:object_r:var_run_t:s0 denied 226
5. 10/22/25 11:46:27 rsyslogd system_u:system_r:syslogd_t:s0 0 file read unconfined_u:object_r:var_run_t:s0 denied 227
6. 10/22/25 11:46:27 rsyslogd system_u:system_r:syslogd_t:s0 0 file open unconfined_u:object_r:var_run_t:s0 denied 228
7. 10/22/25 11:53:24 httpd-prefork system_u:system_r:httpd_t:s0 0 tcp_socket name_bind system_u:object_r:reserved_port_t:s0 denied 114
8. 10/22/25 11:53:24 httpd-prefork system_u:system_r:httpd_t:s0 0 tcp_socket name_bind system_u:object_r:reserved_port_t:s0 denied 115
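As an added example (not part of this page's own commands), the following Python parses the type=AVC records shown above into their fields, aggregates them per command, source context, class and permission the way aureport --avc does, and separates denials that carry permissive=1 (logged only, nothing was blocked). The three AVC records are copied from this page's audit.log output; the SYSCALL record is constructed to show that non-AVC lines are skipped.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# AVC records copied from the audit.log output on this page, plus one constructed
# SYSCALL record to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1761101149.745:138): avc:  denied  { getattr } for  pid=2041 comm="rsyslogd" path="/run/rsyslog/additional-log-sockets.conf" dev="tmpfs" ino=1914 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=0
type=AVC msg=audit(1761101187.870:227): avc:  denied  { read } for  pid=2101 comm="rsyslogd" name="additional-log-sockets.conf" dev="tmpfs" ino=1914 scontext=system_u:system_r:syslogd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file permissive=1
type=AVC msg=audit(1761101604.691:114): avc:  denied  { name_bind } for  pid=1230 comm="httpd-prefork" src=85 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:reserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1761101604.691:114): arch=c000003e syscall=49 success=no exit=-13 comm="httpd-prefork"
"""

AVC_RE = re.compile(r"type=AVC msg=audit\((?P<ts>\d+\.\d+):\d+\): "
                    r"avc:\s+(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one type=AVC record, or None for any other record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    return {
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),  # ausearch shows local time
        "result": m.group("result"),
        "perms": m.group("perms").split(),     # one record may list several permissions
        "comm": kv.get("comm"),
        "scontext": kv.get("scontext"),        # source (process) label
        "tcontext": kv.get("tcontext"),        # target (object) label
        "tclass": kv.get("tclass"),
        "target": kv.get("path") or kv.get("name") or kv.get("src"),
        "enforced": kv.get("permissive") == "0",  # permissive=1: denial logged, access went through
    }

def parse_audit_log(text):
    return [r for r in map(parse_avc, text.splitlines()) if r]

def summarize_denials(records):
    """Count denials per (comm, scontext, tclass, permission), like aureport --avc."""
    counts = Counter()
    for r in records:
        if r["result"] == "denied":
            for perm in r["perms"]:
                counts[(r["comm"], r["scontext"], r["tclass"], perm)] += 1
    return counts

def logged_but_allowed(records):
    """Denials with permissive=1: nothing was blocked, so review them separately."""
    return [r for r in records if r["result"] == "denied" and not r["enforced"]]
```

On a real host, feed the contents of /var/log/audit/audit.log to parse_audit_log; a non-empty result from logged_but_allowed means a permissive domain or permissive mode let the access succeed despite the denial message.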