- audit log (/var/log/audit/audit.log)
- ls -Z
- ps -AZ
In order to address the policy violations that you might encounter, you will need the audit2why and audit2allow commands. They ship in the policycoreutils-python package, so install that first:

yum install policycoreutils-python

To illustrate how to use them, set SELinux to enforcing:

setenforce 1

Then save your iptables configuration to a file:

iptables-save > myiptables.txt

The file ends up empty (the shell creates it, but the write by iptables-save is denied), so check the audit log and you'll see a message like the following:
type=AVC msg=audit(1307819809.595:16342): avc: denied { write } for pid=22969 comm="iptables-save" path="/root/mytables.txt" dev=sda3 ino=144189 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file

The denial says it all: a process in the iptables_t domain tried to write to a file labelled admin_home_t, and no rule in the loaded policy allows that. Copy this line to a file, say iptables.audit, and run:
audit2why < iptables.audit

You'll get this output:

Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.

This confirms that the issue is with SELinux, and specifically a missing allow rule. Had audit2why instead pointed at an SELinux boolean or a mislabelled file, the right fix would be setsebool or restorecon rather than a new module. Here it is a missing rule, so now let's resolve it:
audit2allow -M iptables -i iptables.audit

This creates a loadable policy module called iptables.pp, together with its type-enforcement source iptables.te in the same directory. Read iptables.te before loading anything: for this single denial it should contain one rule, allow iptables_t admin_home_t:file write;, and nothing broader. audit2allow grants exactly what the denials you feed it ask for, so if the input file held more than this one line the module will grant more than you intended. Once you are happy with it, install the module with:

semodule -i iptables.pp

Now you can save your iptables configuration, and the denial no longer appears in the audit log.
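To see exactly what a generated module grants before loading it, here is an added example (not code from the original post) that turns an AVC denial line into the allow rule and the minimal .te module that audit2allow -M would write for it. The AVC line is the one quoted above, embedded as constructed sample input; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): derive the TE allow rule and a
# minimal .te module from an AVC denial, so you can review what audit2allow
# would grant before running semodule -i. Function names are this example's own.

# Constructed sample input: the denial quoted in the post.
SAMPLE_AVC='type=AVC msg=audit(1307819809.595:16342): avc: denied { write } for pid=22969 comm="iptables-save" path="/root/mytables.txt" dev=sda3 ino=144189 scontext=unconfined_u:unconfined_r:iptables_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file'

# avc_field LINE KEY: value of the KEY=value token in LINE, quotes removed
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p" | tr -d '"'
}

# context_type CONTEXT: the type field of a user:role:type[:level] context
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permissions listed inside "denied { ... }"
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied {\([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# avc_to_allow LINE: the allow rule audit2allow would emit for this denial
# (braces around the permission list are valid even for a single permission)
avc_to_allow() {
    stype=$(context_type "$(avc_field "$1" scontext)")
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$(avc_field "$1" tclass)" "$(avc_perms "$1")"
}

# avc_to_te MODNAME LINE: a complete .te module for one denial, in the same
# shape as the iptables.te that "audit2allow -M iptables" writes
avc_to_te() {
    stype=$(context_type "$(avc_field "$2" scontext)")
    ttype=$(context_type "$(avc_field "$2" tcontext)")
    printf 'module %s 1.0;\n\nrequire {\n' "$1"
    printf '\ttype %s;\n' "$stype"
    # a domain writing to its own type needs the type declared only once
    [ "$stype" = "$ttype" ] || printf '\ttype %s;\n' "$ttype"
    printf '\tclass %s { %s };\n}\n\n' "$(avc_field "$2" tclass)" "$(avc_perms "$2")"
    avc_to_allow "$2"
}

avc_to_te iptables "$SAMPLE_AVC"
```

Compare the output with the iptables.te that audit2allow -M iptables produced. If the generated module lists more types, classes or permissions than the denial you fed it, the input contained other denials and the module grants more than you intended; trim the input or the .te before building and loading it.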
As mentioned in a previous post, you should actually set SELinux to permissive in dev/testing. You will probably hit more than one policy violation, and fixing them one at a time as above leaves you with a pile of one-rule modules. In permissive mode every denial is logged without being enforced, so you can exercise the whole workflow, collect all the denials, and generate a single module from the lot (audit2allow -a -M name reads them straight from the audit log), reviewing the resulting .te once before loading it.