We should first verify whether SELinux is enabled with:
sestatus
By default SELinux writes to the /var/log/audit/audit.log file when it blocks a process.
As this log can get pretty noisy we should probably clear it beforehand to make things a little easier for ourselves:
> /var/log/audit/audit.log
We should now launch the suspected program / process that is triggering the denials and monitor this file:
tail -f /var/log/audit/audit.log
We can also produce more human-readable output with the ausearch tool:
ausearch -m avc --start recent
(this looks at events from the last hour)
or the last 24 hours with:
ausearch -m avc --start today | audit2why
Most of the time we can use audit2why to help us tweak the SELinux configuration to get things working again. For example, I often find that web servers (particularly reverse proxies) use odd ports for their downstream servers, which the default policy does not allow.
We can take a few approaches:
1. Change the backend server ports (this is not always possible, obviously!)
2. Add the ports to the SELinux port type - we can see the ports currently labelled http_port_t with:
semanage port -l | grep -w "http_port_t"
http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
and then add an additional port in with:
semanage port -a -t http_port_t -p tcp 8888
However this is not always possible, e.g. if the port number is already defined in another policy.
3. As a last resort you can loosen specific restrictions with a boolean - such as allowing the web server to connect to any remote port:
setsebool -P httpd_can_network_connect 1
4. We can also create our own custom policies. Installing some utilities helps us analyze the logs:
dnf install setroubleshoot setools
This will generate a report explaining what process and action triggered the alert and how you can remediate it. If we want to add a system-wide exception for a function we can use setsebool - for example:
setsebool -P selinuxuser_execheap 1
or, better yet, we can generate a custom SELinux module from the logged denials with the '-M' switch on audit2allow (the -a switch reads the audit log directly, so there is no need to pipe it in):
audit2allow -a -M myselinuxcustomrules
and then import it with semodule:
semodule -i myselinuxcustomrules.pp
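Before reaching for audit2allow it helps to see which denials actually dominate the log. The following is an added shell example (not part of the original post) that reads raw audit.log records, groups AVC denials by process, source type, target type, class and permission, and lists the destination ports behind name_connect denials; the log records are constructed samples, not real output.

```shell
#!/bin/sh
# Constructed sample of the records SELinux writes to /var/log/audit/audit.log (not real output
# from any system): two identical name_connect denials, an unrelated SYSCALL record, one file read.
SAMPLE_AUDIT='type=AVC msg=audit(1700000000.101:301): avc:  denied  { name_connect } for  pid=1201 comm="nginx" dest=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=AVC msg=audit(1700000000.102:302): avc:  denied  { name_connect } for  pid=1201 comm="nginx" dest=8888 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1700000000.102:302): arch=c000003e syscall=42 success=no exit=-13 comm="nginx" exe="/usr/sbin/nginx" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1700000000.103:303): avc:  denied  { read } for  pid=1201 comm="nginx" name="index.html" dev="dm-0" ino=42 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# summarize_avc: read audit records on stdin, keep AVC denials only, and print one line per distinct
# (comm, source type, target type, class, permissions) tuple, most frequent first. Grouping on the
# type part of each context is what you need to choose between relabelling, a port type or a boolean.
summarize_avc() {
  awk '
    function ctx_type(line, key,   ctx, parts) {
      if (!match(line, key "[^ ]+")) return "?"
      ctx = substr(line, RSTART + length(key), RLENGTH - length(key))
      split(ctx, parts, ":")
      return parts[3]                      # user:role:type:level -> type
    }
    /^type=AVC / && / denied / {
      p1 = index($0, "{ "); p2 = index($0, " }")
      perms = (p1 && p2 > p1) ? substr($0, p1 + 2, p2 - p1 - 2) : "?"
      gsub(/ /, ",", perms)                # "{ read write }" -> read,write
      comm = "?"
      if (match($0, /comm="[^"]*"/)) comm = substr($0, RSTART + 6, RLENGTH - 7)
      tclass = "?"
      if (match($0, /tclass=[^ ]+/)) tclass = substr($0, RSTART + 7, RLENGTH - 7)
      count[comm " " ctx_type($0, "scontext=") " " ctx_type($0, "tcontext=") " " tclass " " perms]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# denied_ports: distinct destination ports behind name_connect denials, with the SELinux type the
# port currently carries, i.e. the input to "semanage port -a -t http_port_t -p tcp <port>".
denied_ports() {
  awk '
    /^type=AVC / && / denied / && /name_connect/ && match($0, /dest=[0-9]+/) {
      port = substr($0, RSTART + 5, RLENGTH - 5)
      ptype = "?"
      if (match($0, /tcontext=[^ ]+/)) { split(substr($0, RSTART + 9, RLENGTH - 9), p, ":"); ptype = p[3] }
      seen[port " " ptype] = 1
    }
    END { for (k in seen) print k }
  ' | sort -n
}

# Usage against the constructed sample; on a real host: ausearch -m avc --start today | summarize_avc
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc
printf '%s\n' "$SAMPLE_AUDIT" | denied_ports
```

A port that shows up as unreserved_port_t is a candidate for the semanage port step above, whereas denials against a type like user_home_t point at mislabelled files rather than a port problem.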