SELinux : ログを確認する2025/01/02 |
|
SELinux によるアクセス可否の決定は一旦キャッシュされ、アクセスが拒否の場合はメッセージがログに記録されます。 SELinux のキャッシュは AVC (Access Vector Cache) と呼ばれ、アクセス拒否は AVC 拒否とも呼ばれます。
AVC 拒否のログは、Systemd Journald または Audit サービス経由で出力されます。 |
|
| [1] | Systemd Journald や Rsyslog サービスが有効の場合は、ログは Journald のログや [/var/log/messages] に記録されます。 |
|
[root@dlp ~]# journalctl -t setroubleshoot Jan 02 13:32:01 dlp.srv.world setroubleshoot[2399]: SELinux is preventing /usr/sbin/smbd from write access on the directory share. For complete SELinux messages run: sealert -l b4266c9e-dd94-48ae-8a2b-96f801280e1b Jan 02 13:32:01 dlp.srv.world setroubleshoot[2399]: SELinux is preventing /usr/sbin/smbd from write access on the directory share. ..... .....[root@dlp ~]# grep "setroubleshoot" /var/log/messages Jan 2 13:32:00 dlp systemd[1]: Starting setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs... Jan 2 13:32:00 dlp systemd[1]: Started setroubleshootd.service - SETroubleshoot daemon for processing new SELinux denial logs. Jan 2 13:32:01 dlp setroubleshoot[2399]: SELinux is preventing /usr/sbin/smbd from write access on the directory share. For complete SELinux messages run: sealert -l b4266c9e-dd94-48ae-8a2b-96f801280e1b Jan 2 13:32:01 dlp setroubleshoot[2399]: SELinux is preventing /usr/sbin/smbd from write access on the directory share.#012#012***** Plugin catchall_boolean (47.5 confidence) suggests ******************#012#012If you want to allow samba to enable home dirs#012Then you must tell SELinux about this by enabling the 'samba_enable_home_dirs' boolean.#012#012Do#012setsebool -P samba_enable_home_dirs 1#012#012***** Plugin catchall_boolean (47.5 confidence) suggests ******************#012#012If you want to allow samba to export all rw#012Then you must tell SELinux about this by enabling the 'samba_export_all_rw' boolean.#012#012Do#012setsebool -P samba_export_all_rw 1#012#012***** Plugin catchall (6.38 confidence) suggests **************************#012#012If you believe that smbd should be allowed write access on the share directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'smbd[10.0.0.212' --raw | audit2allow -M my-smbd1000212#012# semodule -X 300 -i my-smbd1000212.pp#012 |
| [2] | Audit サービスが有効の場合は、ログは [/var/log/audit/audit.log] に出力されます。 |
|
[root@dlp ~]# grep "avc: .denied" /var/log/audit/audit.log
type=AVC msg=audit(1735792319.628:274): avc: denied { write } for pid=2398 comm="smbd[10.0.0.212" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1735792932.561:371): avc: denied { write } for pid=2651 comm="smbd[10.0.0.215" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1735792957.697:376): avc: denied { write } for pid=2651 comm="smbd[10.0.0.215" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
|
| [3] | Auditd 経由のログは [ausearch] コマンドを使用すると、時刻等を見易い形式で出力できます。 |
|
[root@dlp ~]# ausearch -m AVC
----
time->Thu Jan 2 13:31:59 2025
type=PROCTITLE msg=audit(1735792319.628:274): proctitle=2F7573722F7362696E2F736D6264002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
type=SYSCALL msg=audit(1735792319.628:274): arch=c000003e syscall=258 success=no exit=-13 a0=9 a1=55c4ec628e10 a2=1ff a3=80 items=0 ppid=2392 pid=2398 auid=4294967295 uid=65534 gid=0 euid=65534 suid=0 fsuid=65534 egid=65534 sgid=0 fsgid=65534 tty=(none) ses=4294967295 comm="smbd[10.0.0.212" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1735792319.628:274): avc: denied { write } for pid=2398 comm="smbd[10.0.0.212" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
----
time->Thu Jan 2 13:42:12 2025
type=PROCTITLE msg=audit(1735792932.561:371): proctitle=2F7573722F7362696E2F736D6264002D2D666F726567726F756E64002D2D6E6F2D70726F636573732D67726F7570
type=SYSCALL msg=audit(1735792932.561:371): arch=c000003e syscall=258 success=no exit=-13 a0=9 a1=55c4ec629310 a2=1ff a3=80 items=0 ppid=2392 pid=2651 auid=4294967295 uid=65534 gid=0 euid=65534 suid=0 fsuid=65534 egid=65534 sgid=0 fsgid=65534 tty=(none) ses=4294967295 comm="smbd[10.0.0.215" exe="/usr/sbin/smbd" subj=system_u:system_r:smbd_t:s0 key=(null)
type=AVC msg=audit(1735792932.561:371): avc: denied { write } for pid=2651 comm="smbd[10.0.0.215" name="share" dev="dm-0" ino=16990672 scontext=system_u:system_r:smbd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=0
|
| [4] | Auditd 経由のログは [aureport] コマンドを利用すると、サマリ出力できます。 |
|
[root@dlp ~]# aureport --avc AVC Report =============================================================== # date time comm subj syscall class permission obj result event =============================================================== 1. 01/02/2025 13:31:59 smbd[10.0.0.212 system_u:system_r:smbd_t:s0 258 dir write unconfined_u:object_r:user_home_dir_t:s0 denied 274 2. 01/02/2025 13:42:12 smbd[10.0.0.215 system_u:system_r:smbd_t:s0 258 dir write unconfined_u:object_r:user_home_dir_t:s0 denied 371 3. 01/02/2025 13:42:37 smbd[10.0.0.215 system_u:system_r:smbd_t:s0 257 dir write unconfined_u:object_r:user_home_dir_t:s0 denied 376 |
| Sponsored Link |
|
|