SELinux and TCP traceroute

I need to run a TCP traceroute from a browser, and I am getting some SELinux warnings.

For example, I tried to get rid of the warnings by generating a policy with audit2allow:

ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
semodule -i my-traceroute.pp

After adding this policy there are no more AVC warnings, but the traceroute still does not work and returns the following message (this is the message sent back from the server):

traceroute to example.com (93.184.216.34), 30 hops max, 60 byte packets
send: Permission denied

I even tried creating my own policy:

module traceroute 1.0;

require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}

#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };

and then:

checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp

But this does not seem to have much effect.

If I set SELinux to permissive, traceroute runs without any problem.

Note: I have set things up so that traceroute can be run as a non-root user, e.g. by setting cap_net_raw+ep on /usr/bin/traceroute.

Any ideas?

Alerts:

SELinux is preventing /usr/bin/traceroute from create access on the rawip_socket labeled httpd_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that traceroute should be allowed create access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ rawip_socket ]
Source                        traceroute
Source Path                   /usr/bin/traceroute
Port                          <Unknown>
Host                          di-staging
Source RPM Packages           traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     di-staging
Platform                      Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
                              Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2019-03-05 15:45:17 GMT
Last Seen                     2019-03-05 16:06:36 GMT
Local ID                      a747c347-fced-47ae-a1e8-97753dfde465

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108250): avc:  denied  { create } for  pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=AVC msg=audit(1551801996.735:1108250): avc:  denied  { net_raw } for  pid=24122 comm="traceroute" capability=13  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1


type=SYSCALL msg=audit(1551801996.735:1108250): arch=x86_64 syscall=socket success=yes exit=ESRCH a0=2 a1=3 a2=6 a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,create

-----------------------

SELinux is preventing /usr/bin/traceroute from bind access on the rawip_socket labeled httpd_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that traceroute should be allowed bind access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ rawip_socket ]
Source                        traceroute
Source Path                   /usr/bin/traceroute
Port                          <Unknown>
Host                          di-staging
Source RPM Packages           traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     di-staging
Platform                      Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
                              Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count                   10
First Seen                    2019-03-02 16:32:38 GMT
Last Seen                     2019-03-05 16:06:36 GMT
Local ID                      82af42ef-6a01-4a8f-84da-79e2119e65b3

Raw Audit Messages
type=AVC msg=audit(1551801996.735:1108251): avc:  denied  { bind } for  pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1

type=AVC msg=audit(1551801996.735:1108251): avc:  denied  { node_bind } for  pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1

type=SYSCALL msg=audit(1551801996.735:1108251): arch=x86_64 syscall=bind success=yes exit=0 a0=3 a1=7ffea5136340 a2=1c a3=7ffea5135da0 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,bind

---------------------

SELinux is preventing /usr/bin/traceroute from setopt access on the rawip_socket labeled httpd_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that traceroute should be allowed setopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ rawip_socket ]
Source                        traceroute
Source Path                   /usr/bin/traceroute
Port                          <Unknown>
Host                          di-staging
Source RPM Packages           traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     di-staging
Platform                      Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
                              Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2019-03-05 16:06:36 GMT
Last Seen                     2019-03-05 16:06:36 GMT
Local ID                      104114b1-9024-412d-a195-57eef1be45e3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108252): avc:  denied  { setopt } for  pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108252): arch=x86_64 syscall=setsockopt success=yes exit=0 a0=3 a1=0 a2=a a3=7ffea5136398 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,setopt

------------------

SELinux is preventing /usr/bin/traceroute from connect access on the rawip_socket labeled httpd_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that traceroute should be allowed connect access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp

Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ rawip_socket ]
Source                        traceroute
Source Path                   /usr/bin/traceroute
Port                          <Unknown>
Host                          di-staging
Source RPM Packages           traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     di-staging
Platform                      Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
                              Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count                   10
First Seen                    2019-03-02 16:32:38 GMT
Last Seen                     2019-03-05 16:06:36 GMT
Local ID                      ad1eedfa-b54a-4dfb-b719-3d402a686d95

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108253): avc:  denied  { connect } for  pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108253): arch=x86_64 syscall=connect success=yes exit=0 a0=3 a1=60f4d0 a2=1c a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,connect

-----------------

SELinux is preventing /usr/bin/traceroute from getattr access on the rawip_socket labeled httpd_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that traceroute should be allowed getattr access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ rawip_socket ]
Source                        traceroute
Source Path                   /usr/bin/traceroute
Port                          <Unknown>
Host                          di-staging
Source RPM Packages           traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     di-staging
Platform                      Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
                              Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count                   10
First Seen                    2019-03-02 16:32:38 GMT
Last Seen                     2019-03-05 16:06:36 GMT
Local ID                      cdd75a7d-152b-49fe-a7c8-b9e437655d63

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108254): avc:  denied  { getattr } for  pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108254): arch=x86_64 syscall=getsockname success=yes exit=0 a0=3 a1=7ffea5136400 a2=7ffea51363fc a3=7ffea5135e60 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getattr

------------------

SELinux is preventing /usr/bin/traceroute from getopt access on the rawip_socket labeled httpd_t.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that traceroute should be allowed getopt access on rawip_socket labeled httpd_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                Unknown [ rawip_socket ]
Source                        traceroute
Source Path                   /usr/bin/traceroute
Port                          <Unknown>
Host                          di-staging
Source RPM Packages           traceroute-2.0.22-2.el7.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     di-staging
Platform                      Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
                              Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count                   1
First Seen                    2019-03-05 16:06:36 GMT
Last Seen                     2019-03-05 16:06:36 GMT
Local ID                      97c5dfcd-ffe3-48e4-83ef-dfc526487bba

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108255): avc:  denied  { getopt } for  pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1


type=SYSCALL msg=audit(1551801996.736:1108255): arch=x86_64 syscall=getsockopt success=yes exit=0 a0=3 a1=0 a2=e a3=7ffea51363f8 items=0 ppid=24121 pid=24122 auid=4294967295 uid=996 gid=993 euid=996 suid=996 fsuid=996 egid=993 sgid=993 fsgid=993 tty=(none) ses=4294967295 comm=traceroute exe=/usr/bin/traceroute subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: traceroute,httpd_t,httpd_t,rawip_socket,getopt

---------------

SELinux is preventing /usr/bin/traceroute from read access on the file tcp_ecn.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that traceroute should be allowed read access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                tcp_ecn [ file ]
Source                        traceroute
Source Path                   /usr/bin/traceroute
Port                          <Unknown>
Host                          di-staging
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     di-staging
Platform                      Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
                              Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count                   10
First Seen                    2019-03-02 16:32:38 GMT
Last Seen                     2019-03-05 16:06:36 GMT
Local ID                      8f5dab14-4937-4ca5-abc8-23c0c5cb12f3

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc:  denied  { read } for  pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,read

----------------

SELinux is preventing traceroute from open access on the file /proc/sys/net/ipv4/tcp_ecn.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that traceroute should be allowed open access on the tcp_ecn file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
# semodule -i my-traceroute.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:sysctl_net_t:s0
Target Objects                /proc/sys/net/ipv4/tcp_ecn [ file ]
Source                        traceroute
Source Path                   traceroute
Port                          <Unknown>
Host                          di-staging
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-229.el7_6.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Host Name                     di-staging
Platform                      Linux di-staging 3.10.0-957.el7.x86_64 #1 SMP Thu
                              Nov 8 23:39:32 UTC 2018 x86_64 x86_64
Alert Count                   3
First Seen                    2019-03-04 13:32:25 GMT
Last Seen                     2019-03-05 16:06:36 GMT
Local ID                      7f65540c-60f9-4566-8ab7-52d4f48d6389

Raw Audit Messages
type=AVC msg=audit(1551801996.736:1108256): avc:  denied  { open } for  pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1


Hash: traceroute,httpd_t,sysctl_net_t,file,open

Answer 1

I figured it out myself, so I will answer my own question.

The answer is to do both of the things I had already tried in the OP, but at the same time. Before, I had only tried generating the policy with audit2allow, and when that had no effect I disabled that policy and tried creating my own instead.

So, to get this working, first create the policy that covers the warnings with audit2allow:
ausearch -c 'traceroute' --raw | audit2allow -M my-traceroute
Then run:
semodule -i my-traceroute.pp

Then create another custom policy that basically allows non-root users to open raw IP sockets, which is needed to run the traceroute command.

Create a file called traceroute.tt and add the following content:

module traceroute 1.0;

require {
type httpd_t;
class capability net_raw;
class rawip_socket { getopt create setopt write read };
}

#============= httpd_t ==============
allow httpd_t self:capability net_raw;
allow httpd_t self:rawip_socket { getopt create setopt write read };

Then run the following commands as root:

checkmodule -M -m -o traceroute.mod traceroute.tt
semodule_package -o traceroute.pp -m traceroute.mod
semodule -i traceroute.pp

Perfect :)
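As an added example (it is not code from the question or the answer), here is a small Python script that does the core of what audit2allow does on the raw AVC records shown in the question: it groups the denied permissions by source type, target type and object class, renders them as a .te module in the layout `audit2allow -M` produces, and then reports which of those denials the hand-written traceroute module above would still not grant. The sample input is the ten `type=AVC` lines copied from the sealert output in the question; the `HANDWRITTEN_RULES` table (the two allow lines of the hand-written module) and the function names are the example's own. It runs offline and does not touch auditd or semodule.

```python
"""Added example: a minimal AVC-to-policy generator, modelled on audit2allow.

Parses raw `type=AVC` audit records (as printed by `ausearch --raw` or under
"Raw Audit Messages" in sealert output), emits a Type Enforcement module that
allows exactly the denied permissions, and diffs that against a hand-written
rule set.  Nothing here talks to auditd or semodule; it runs offline.
"""
import re
from collections import defaultdict

# Sample input: the AVC records copied from the sealert output in the question.
SAMPLE_AVC = """\
type=AVC msg=audit(1551801996.735:1108250): avc:  denied  { create } for  pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.735:1108250): avc:  denied  { net_raw } for  pid=24122 comm="traceroute" capability=13  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1551801996.735:1108251): avc:  denied  { bind } for  pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.735:1108251): avc:  denied  { node_bind } for  pid=24122 comm="traceroute" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.736:1108252): avc:  denied  { setopt } for  pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.736:1108253): avc:  denied  { connect } for  pid=24122 comm="traceroute" lport=6 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.736:1108254): avc:  denied  { getattr } for  pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.736:1108255): avc:  denied  { getopt } for  pid=24122 comm="traceroute" laddr=167.86.68.164 lport=6 faddr=93.184.216.34 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=rawip_socket permissive=1
type=AVC msg=audit(1551801996.736:1108256): avc:  denied  { read } for  pid=24122 comm="traceroute" name="tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
type=AVC msg=audit(1551801996.736:1108256): avc:  denied  { open } for  pid=24122 comm="traceroute" path="/proc/sys/net/ipv4/tcp_ecn" dev="proc" ino=5310982 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=file permissive=1
"""

# The two allow lines of the hand-written traceroute module in the answer,
# keyed the same way as parse_avc() output: (source type, target type, class).
HANDWRITTEN_RULES = {
    ("httpd_t", "httpd_t", "capability"): {"net_raw"},
    ("httpd_t", "httpd_t", "rawip_socket"): {"getopt", "create", "setopt", "write", "read"},
}

AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """user:role:type[:level] -> type (the third colon-separated field)."""
    return context.split(":")[2]


def parse_avc(text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/CWD/PATH records carry no permission; skip them
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def fmt_perms(perms):
    """Single permission bare, several in braces, sorted for stable output."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_te(rules, name="my-traceroute", version="1.0"):
    """Emit a Type Enforcement module in the layout `audit2allow -M` produces."""
    types, classes = set(), defaultdict(set)
    for (stype, ttype, tclass), perms in rules.items():
        types.update((stype, ttype))
        classes[tclass].update(perms)
    out = [f"module {name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in sorted(types)]
    out += [f"\tclass {c} {fmt_perms(p)};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for stype in sorted({k[0] for k in rules}):
        out.append(f"#============= {stype} ==============")
        for (s, ttype, tclass), perms in sorted(rules.items()):
            if s != stype:
                continue
            target = "self" if ttype == stype else ttype  # same type -> self
            out.append(f"allow {stype} {target}:{tclass} {fmt_perms(perms)};")
    return "\n".join(out) + "\n"


def missing_permissions(observed, granted):
    """Denials in `observed` that the rules in `granted` would still not allow."""
    missing = {}
    for key, perms in observed.items():
        gap = perms - granted.get(key, set())
        if gap:
            missing[key] = gap
    return missing


if __name__ == "__main__":
    rules = parse_avc(SAMPLE_AVC)
    print(render_te(rules))
    for (s, t, c), gap in sorted(missing_permissions(rules, HANDWRITTEN_RULES).items()):
        print(f"# not covered by the hand-written module: {s} {t}:{c} {fmt_perms(gap)}")
```

Run on those records, the script shows that the hand-written module grants `net_raw` and five `rawip_socket` permissions, but none of `bind`, `connect` and `getattr` on the socket, `node_bind` on `node_t`, or `read`/`open` on the `sysctl_net_t` file `tcp_ecn`; those only come from the audit2allow-generated module, which matches the answer's observation that both modules were needed. Note that either module grants raw-socket access to the whole `httpd_t` domain, not just to traceroute, so keep the rule set to exactly what the audit log shows and confirm what was installed with `sesearch -A -s httpd_t -c rawip_socket` after `semodule -i`.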
