SELinux Case 3: Apache configuration file copied from another server
I brought over an Apache configuration file from another server and placed it in /etc/httpd/conf.d/; the error messages were:
    Apr 1 08:41:32 redmine setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /etc/httpd/conf.d/redmine.conf. For complete SELinux messages. run sealert -l 59b7348c-1df0-4c1f-a03b-bdaaf16d5fb5
    Apr 1 08:41:32 redmine setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file redmine.conf. For complete SELinux messages. run sealert -l 6bead0b7-9616-439b-9060-c4ea8ee20c5c
    Apr 1 08:41:32 redmine setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file redmine.conf. For complete SELinux messages. run sealert -l 6bead0b7-9616-439b-9060-c4ea8ee20c5c
Subcase 3.1
    [root@redmine ~]# sealert -l 59b7348c-1df0-4c1f-a03b-bdaaf16d5fb5
    SELinux is preventing /usr/sbin/httpd from getattr access on the file /etc/httpd/conf.d/redmine.conf.

    *****  Plugin restorecon (99.5 confidence) suggests  *************************

    If you want to fix the label.
    /etc/httpd/conf.d/redmine.conf default label should be httpd_config_t.
    Then you can run restorecon.
    Do
    # /sbin/restorecon -v /etc/httpd/conf.d/redmine.conf

    *****  Plugin catchall (1.49 confidence) suggests  ***************************

    If you believe that httpd should be allowed getattr access on the redmine.conf file by default.
    Then you should report this as a bug.
    You can generate a local policy module to allow this access.
    Do
    allow this access for now by executing:
    # grep httpd /var/log/audit/audit.log | audit2allow -M mypol
    # semodule -i mypol.pp

    [root@redmine ~]# /sbin/restorecon -v /etc/httpd/conf.d/redmine.conf
    /sbin/restorecon reset /etc/httpd/conf.d/redmine.conf context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:httpd_config_t:s0
Reload Apache, and no more SELinux errors associated with this imported Apache configuration file appear.
Analysis: simple, the file did not carry the security context the policy expects for Apache configuration. The restorecon output shows it was labelled admin_home_t, the type given to files under /root, so it had first been written there after the copy (a copy over the network does not bring SELinux labels with it; the file takes the label of wherever it lands) and kept that label when it was moved into /etc/httpd/conf.d/, where httpd_config_t is the expected type.
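The triage this case walks through by hand (read the setroubleshoot lines, pick out the sealert ids, compare the file's label with the type the policy expects, relabel) as an added shell example; this is not code from the original post. The parsing functions only need POSIX `sed`, `cut` and `sort`, so they run anywhere; `list_mislabeled` calls `restorecon -n -v -R` and is only meaningful on an SELinux host. The sample log and restorecon lines are the ones shown above, embedded here as constructed input.

```shell
# Added example, not part of the original post: parse the setroubleshoot lines
# from this case, extract the sealert ids, and compare a file's SELinux context
# with the type the policy expects.

# Constructed sample input: the three setroubleshoot lines from this case.
SAMPLE_LOG='Apr 1 08:41:32 redmine setroubleshoot: SELinux is preventing /usr/sbin/httpd from getattr access on the file /etc/httpd/conf.d/redmine.conf. For complete SELinux messages. run sealert -l 59b7348c-1df0-4c1f-a03b-bdaaf16d5fb5
Apr 1 08:41:32 redmine setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file redmine.conf. For complete SELinux messages. run sealert -l 6bead0b7-9616-439b-9060-c4ea8ee20c5c
Apr 1 08:41:32 redmine setroubleshoot: SELinux is preventing /usr/sbin/httpd from read access on the file redmine.conf. For complete SELinux messages. run sealert -l 6bead0b7-9616-439b-9060-c4ea8ee20c5c'

# The restorecon line from this case, used to show what the fix changed.
SAMPLE_RESTORECON='/sbin/restorecon reset /etc/httpd/conf.d/redmine.conf context unconfined_u:object_r:admin_home_t:s0->system_u:object_r:httpd_config_t:s0'

# One "<process> <access> <file>" line per distinct denial.
summarize_denials() {
    printf '%s\n' "$1" \
      | sed -n 's/.*SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the file \([^ ]*\)\..*/\1 \2 \3/p' \
      | sort -u
}

# Distinct sealert ids: setroubleshoot repeats the same id for repeated
# denials, so each report only needs to be read once.
sealert_ids() {
    printf '%s\n' "$1" | sed -n 's/.*sealert -l \([0-9a-f-]*\).*/\1/p' | sort -u
}

# Type field (user:role:TYPE:level) of a SELinux context string.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# "<path> <old type> <new type>" from a "restorecon reset ... context A->B" line.
parse_restorecon() {
    printf '%s\n' "$1" \
      | sed -n 's/.*restorecon reset \([^ ]*\) context \([^>]*\)->\(.*\)$/\1 \2 \3/p' \
      | while read -r path old new; do
            printf '%s %s %s\n' "$path" "$(context_type "$old")" "$(context_type "$new")"
        done
}

# Returns 0 when the context's type equals the expected type, 1 otherwise.
# On a real host the two inputs come from:  ls -Z FILE   and   matchpathcon -n FILE
label_matches() {
    [ "$(context_type "$1")" = "$2" ]
}

# Dry run over a directory tree: prints every file restorecon would relabel,
# changing nothing (-n). Only works where policycoreutils is installed.
list_mislabeled() {
    command -v restorecon >/dev/null 2>&1 || { echo 'restorecon not available' >&2; return 2; }
    restorecon -n -v -R "$1"
}

summarize_denials "$SAMPLE_LOG"
sealert_ids "$SAMPLE_LOG"
parse_restorecon "$SAMPLE_RESTORECON"
label_matches 'unconfined_u:object_r:admin_home_t:s0' httpd_config_t || echo 'relabel needed'
```

On the host from this case, `label_matches "$(ls -Z /etc/httpd/conf.d/redmine.conf | cut -d' ' -f1)" "$(matchpathcon -n /etc/httpd/conf.d/redmine.conf | cut -d: -f3)"` reports the mismatch before any restorecon is run, and `list_mislabeled /etc/httpd` shows every other file under the Apache tree that would be relabelled, so the relabel can be reviewed as a dry run first.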
