redhat:base-redhat:selinux-redhat

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revision Previous revision
Next revision		 Previous revision
redhat:base-redhat:selinux-redhat [2017/08/23 09:58] – [Role-Based Access Control (RBAC)] michaelredhat:base-redhat:selinux-redhat [2018/05/08 11:22] (current) – [Multi-Category Security (MCS)] michael
Line 4: Line 4:
 ===== Introduction ===== ===== Introduction =====
  
-**Security-Enhanced Linux (SELinux)** is a mandatory access control (MAC) security mechanism implemented in the kernel. SELinux was first introduced in CentOS 4 and significantly enhanced in later CentOS releases. These enhancements mean that content varies as to how to approach SELinux over time to solve problems.+**Security-Enhanced Linux (SELinux)** ist ein obligatorischer Zugriffskontrollmechanismus - //mandatory access control// (MAC), der im Kernel implementiert ist. SELinux wurde zuerst in CentOS 4 / Red Hat 4 eingeführt und in späteren Versionen erheblich verbessert.
  
-<WRAP center box 100%>+ 
 +<WRAP center important 100%>
 ==== Some of the Problems ==== ==== Some of the Problems ====
 In order to better understand why SELinux is important and what it can do for you, it is easiest to look at some examples. Without SELinux enabled, only traditional discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) are used to control the file access of users. Users and programs alike are allowed to grant insecure file permissions to others or, conversely, to gain access to parts of the system that should not otherwise be necessary for normal operation. For example: In order to better understand why SELinux is important and what it can do for you, it is easiest to look at some examples. Without SELinux enabled, only traditional discretionary access control (DAC) methods such as file permissions or access control lists (ACLs) are used to control the file access of users. Users and programs alike are allowed to grant insecure file permissions to others or, conversely, to gain access to parts of the system that should not otherwise be necessary for normal operation. For example:
  
-  * Administrators have no way to control users: A user could set world readable permissions on sensitive files such as ssh keys and the directory containing such keys, customarily: ~/.ssh/ +  * ''Administrators have no way to control users: A user could set world readable permissions on sensitive files such as ssh keys and the directory containing such keys, customarily: ~/.ssh/'' 
-  * Processes can change security properties: A user's mail files should be readable only by that user, but the mail client software has the ability to change them to be world readable +  * ''Processes can change security properties: A user's mail files should be readable only by that user, but the mail client software has the ability to change them to be world readable'' 
-  * Processes inherit user's rights: Firefox, if compromised by a **trojaned** version, could read a user's private ssh keys even though it has no reason to do so.+  * ''Processes inherit user's rights: Firefox, if compromised by a **trojaned** version, could read a user's private ssh keys even though it has no reason to do so.''
  
 Essentially under the traditional DAC model, there are two privilege levels, root and user, and no easy way to enforce a model of least-privilege. Many processes that are launched by root later drop their rights to run as a restricted user and some processes may be run in a chroot jail but all of these security methods are discretionary. Essentially under the traditional DAC model, there are two privilege levels, root and user, and no easy way to enforce a model of least-privilege. Many processes that are launched by root later drop their rights to run as a restricted user and some processes may be run in a chroot jail but all of these security methods are discretionary.
Line 68: Line 69:
 <WRAP center round important 100%> <WRAP center round important 100%>
 ''**Note:** When switching from Disabled to either Permissive or Enforcing mode, it is highly recommended that the system be rebooted and the filesystem relabeled.'' ''**Note:** When switching from Disabled to either Permissive or Enforcing mode, it is highly recommended that the system be rebooted and the filesystem relabeled.''
 +</WRAP>
 +
 +----
 +
 +<WRAP center box 100%>
 +===== RPM dependencies to manage SELinux =====
 +Throughout this text, we already saw programs such as ''**semanage** from the rpm **policecoreutils-python** package **to manage our SELinux environment**''. If you missed installing it, we will begin this recipe by doing so (skip step 1 if you have already done this before):
 +
 +  - Log in as root and install the following basic toolkit to work with SELinux: <code># yum install policycoreutils-python</code>
 +  - Now, we need some additional tools that will also be needed later in the SELinux Debugging:<code># yum install setools setools-console setroubleshoot*</code>
 +  - Next, install and configure the SELinux manual pages as they are not available by default on CentOS 7, but are important for getting detailed information about specific policies, security contexts, and SELinux Booleans later. First, we need to install another package: <code># yum install policycoreutils-devel</code>
 +  - Afterwards, let's generate all the man pages for all SELinux security context policies currently available on the system, and then update the manual pages database afterwards: <code># sepolicy manpage -a -p /usr/share/man/man8; mandb</code>
 +
 +
 </WRAP> </WRAP>
  
Line 87: Line 102:
 The **targeted** SELinux policy on Redhat/CentOS ships with **4 forms of access control**: The **targeted** SELinux policy on Redhat/CentOS ships with **4 forms of access control**:
  
-  * <wrap em>Type Enforcement (TE):</wrap> Type Enforcement is the primary mechanism of access control used in the targeted policy +  * ''<wrap em>Type Enforcement (TE):</wrap>'' Type Enforcement is the primary mechanism of access control used in the targeted policy 
-  * <wrap em>Role-Based Access Control (RBAC):</wrap> Based around SELinux users (not necessarily the same as the Linux user), but not used in the default configuration of the targeted policy +  * ''<wrap em>Role-Based Access Control (RBAC):</wrap>'' Based around SELinux users (not necessarily the same as the Linux user), but not used in the default configuration of the targeted policy 
-  * <wrap em>Multi-Level Security (MLS):</wrap> Not commonly used and often hidden in the default targeted policy. +  * ''<wrap em>Multi-Level Security (MLS):</wrap>'' Not commonly used and often hidden in the default targeted policy. 
-  * <wrap em>Multi-Category Security(MCS):</wrap> An extension of Multi-Level Security, used in the targeted policy to implement compartmentalization of virtual machines and containers through sVirt.+  * ''<wrap em>Multi-Category Security(MCS):</wrap>'' An extension of Multi-Level Security, used in the targeted policy to implement compartmentalization of virtual machines and containers through [[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/selinux_users_and_administrators_guide/chap-security-enhanced_linux-svirt|sVirt]].
  
 ''<wrap em>All processes and files have an SELinux security context!</wrap> Let's see these in action by looking at the SELinux security context of the Apache homepage: '/var/www/html/index.html''' ''<wrap em>All processes and files have an SELinux security context!</wrap> Let's see these in action by looking at the SELinux security context of the Apache homepage: '/var/www/html/index.html'''
Line 133: Line 148:
 here we see the type is user_home_t, the default type for files in a user's home directory. here we see the type is user_home_t, the default type for files in a user's home directory.
  
-Access is only allowed between similar types, so Apache running as httpd_t can read /var/www/html/index.html of type httpd_sys_content_t. Because Apache runs in the httpd_t domain and does not have the userid:username, it can not access **/home/username/myfile.txt** even though this file is world readable because **/home/username/myfile.txt** SELinux security context is not of type httpd_t. If Apache were to be exploited, assuming for the sake of this example that the **root** account right needed to effect a SELinux re-labeling into another context were not obtained, it would not be able to start any process not in the httpd_t domain (which prevents escalation of privileges) or access any file not in an httpd_t related domain.+Access is only allowed between similar types, so Apache running as ''httpd_t'' can read /var/www/html/index.html of type ''httpd_sys_content_t''. Because Apache runs in the httpd_t domain and does not have the userid:username, it can not access **/home/username/myfile.txt** even though this file is world readable because **/home/username/myfile.txt** SELinux security context is not of type httpd_t. If Apache were to be exploited, assuming for the sake of this example that the **root** account right needed to effect a SELinux re-labeling into another context were not obtained, it would not be able to start any process not in the httpd_t domain (which prevents escalation of privileges) or access any file not in an httpd_t related domain.
  
  
Line 140: Line 155:
 Although the default configuration of the targeted policy is to use unconfined logins, the administrator can quite easily switch to the **Role-Based Access Control** model. This model also switches to 'strict' mode for user domains, to allow targeting each program individually. To enable this, use **semanage-login** to add a login mapping for your user. Although the default configuration of the targeted policy is to use unconfined logins, the administrator can quite easily switch to the **Role-Based Access Control** model. This model also switches to 'strict' mode for user domains, to allow targeting each program individually. To enable this, use **semanage-login** to add a login mapping for your user.
  
 +<code>
 +# semanage login -a -s "staff_u" -r "s0-s0:c0.c1023" <username>
 +</code>
  
 +The semanage-login command maps a Linux username to an SELinux user named "staff_u", with an MLS/MCS range of "s0-s0:c0.c1023". After this, logging in will result in ''**id -Z**'' returning  ''staff_u:staff_r:staff_t:s0-s0:c0.c1023'' opposed to unconfined_u:unconfined_r:unconfined_t:s0. Though staff_r is not a role meant for administration, it is a role that allows the user to change to other roles. When an admin would like to do system administration tasks they should switch to the sysadm_r role using the -r flag in **sudo**,
 +
 +<code>
 +# sudo -r sysadm_r -i
 +</code>
 +
 +This can be automated by adding a configuration file under /etc/sudoers.d/, to map the user to a default admin role.
 +
 +<sxh plain; gutter: false;>
 +%wheel  ALL=(ALL)       TYPE=sysadm_t   ROLE=sysadm_r   ALL
 +</sxh>
 +
 +It is still possible to login as an unconfined user or switch to the unconfined role via **newrole**, although the benefits of confined user domains are then lost. It is also possible to remove the ability to do this by creating a new SELinux user associated with only a select set of roles,
 +
 +<code>
 +# semanage user -a -R "staff_r sysadm_r system_r -r "s0-s0:c0.c1023" my_staff_u
 +</code>
 +
 +Then substituting staff_u for my_staff_u in the semanage-login command. Now attempting to switch to the unconfined_r role will result in an **AVC** and **SELINUX_ERR** message. If the admin wishes to remove the ability to login as an unconfined user completely, they should remap the __default__ login to a more suitable SELinux user, again using semanage-login.
 +
 +<code>
 +# semanage login -m -s "user_u" -r "s0" __default__
 +</code>
 +
 +If a user wishes to login as a role other than their default it is up to the login program to provide this functionality. SSH allows logging in with an alternative SELinux role by specifying it as part of the login identifier (e.g., as a staff user logging in as unconfined_r).
 +
 +<code>
 +# ssh <username>/unconfined_r@hostname.net
 +</code>
 +
 +The strict model that comes with Role-Based Access Control isn't perfect from a perspective of least privilege; running a quick search using policy analysis tools we can see that several confined programs can still read a users private SSH keys.
 +
 +<WRAP center box 100%>
 +<code>
 +# sesearch -ACS -t ssh_home_t -c file -p read
 +</code>
 +
 +<sxh plain; gutter: false;>
 +Found 132 semantic av rules:
 +   allow snapperd_t file_type : file { ioctl read getattr lock open } ; 
 +   allow oddjob_mkhomedir_t user_home_type : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
 +   allow mplayer_t non_security_file_type : file { ioctl read getattr lock open } ; 
 +   allow sendmail_t user_home_type : file { ioctl read getattr lock open } ; 
 +   allow systemd_tmpfiles_t non_auth_file_type : file { ioctl read write create getattr setattr lock relabelfrom relabelto append unlink link rename open } ; 
 +   allow login_pgm ssh_home_t : file { ioctl read getattr lock open } ; 
 +   allow ssh_keygen_t ssh_home_t : file { ioctl read write create getattr setattr lock append unlink link rename open } ; 
 +   allow colord_t user_home_type : file { read getattr } ; 
 +   ... snip ...
 +</sxh>
 +</WRAP>  
 + 
 +''mplayer_t'' likely doesn't need to read SSH private keys, but it is granted access to that transiently by being allowed to read types of content associated with ''non_security_file_type'' that is allowing mplayer to read any content that isn't security related so the user can play multimedia from anywhere on the filesystem. This could be further constrained in the base SELinux policy, but as previously mentioned is not a major focus for the Upstream Vendor.
 +
 +Beyond the strict model, Role-Based Access Control also provides a mechanism for limiting the scope of what a user can do when they use **sudo** to switch to root. It is often desirable to enforce least privilege on users with specific roles like DBAs or auditors and the targeted policy includes several user roles for purposes like those, with documentation in their respective manual pages as mentioned in Policy Documentation.
 +
 +<WRAP center box 100%>
 +<code>
 +# seinfo -r
 +</code>
 +<sxh plain; gutter: false;>
 +Roles: 14
 +   auditadm_r
 +   dbadm_r
 +   guest_r
 +   staff_r
 +   user_r
 +   logadm_r
 +   object_r
 +   secadm_r
 +   sysadm_r
 +   system_r
 +   webadm_r
 +   xguest_r
 +   nx_server_r
 +   unconfined_r
 +</sxh>
 +</WRAP>    
 + 
 +To map a user to one of these admin roles, the same semanage-user command is used as before to create a new SELinux user associated with the desired roles, and then semanage-login to associate the Linux login with the SELinux user. If the user should also be able to start system daemons they administrate from their user domain (i.e., to start mysql as dbadm_r for debugging from a shell) the  system_r role should be included in their list of associated roles.
 +
 +<code>
 +# semanage user -a -R "staff_r system_r auditadm_r" -r "s0-s0:c0.c1023" auditor_u
 +# semanage login -a -s "auditor_u" -r "s0-s0:c0.c1023" <username>
 +</code>
 ====  Multi-Category Security (MCS) ==== ====  Multi-Category Security (MCS) ====
 +
 +Multi-Category Security provides a way to associate a set or range of **compartments** with SELinux contexts. The targeted policy model implements compartmentalization of types associated with  mcs_constrained_type. To understand how this works, it's required to know how to inspect the MLS part of security contexts. This is the part after the user:role:type section, and includes a range, which indicates a low and high security level.
 +
 +<sxh plain; gutter: false;>
 +system_u:system_r:httpd_t:s0                  s0:c0.c5
 +                          ▼                     ▼
 +                  Low security level,    High security level, also
 +                  associated with no     associated with compartments
 +                  compartments.          c0, c1, c2, c3, c4 and c5.
 +</sxh>
 +
 +One thing that is noticeable above is the lack of compartments on the low security level, as well as both security levels being the same. The first point is an implementation detail of the MCS model in the targeted policy. When an access vector is computed for a process that is associated with mcs_constrained_type, only the MCS compartments of the high level are compared. The second point is due to the fact that MLS is not in use.
 +
 +The compartment part of the above security context is a **category range**, but can also be a set of categories separated by commas. A range of categories results in the context being associated with an inclusive set of categories in that range. Understanding how access is computed for two processes with a set of categories requires looking at the **dominance** rules for SELinux security levels (access is only allowed if the source type's high security level **dominates** the target type's high security level). Those rules are as follows (only accounting for categories, and not MLS security levels)
 +
 +  * Source dominates the target if the categories in the source context are the same as or a superset of those in the target context.
 +  * Source is dominated by the target if the categories in the source context are a subset of the categories of the target context.
 +  * Source and target are equal and dominate each other if the set of categories are the same in each context.
 +
 +With that in mind, we know that a context with a category set of c0.c5 will be granted access to a context with a category set of c0,c3, but not a category set of c0,c6, or c0.c1023. This rule is the reason that sVirt generates a random set of categories, so there will be no overlap where one virt domain will dominate another. The Android project also does the same thing, to put applications in isolated domains.
 +
 +An example use of Multi-Category Security could be using NGINX with multiple vhosts that connect to backend servers that are also running as httpd domains (e.g., PHP-FPM). Normally these instances of the backend servers would be able to modify and manage each others domains simply due to type-enforcement rules. If they're associated with categories, they can only do so if one backend server dominates the other. Since NGINX itself is a HTTPD domain, it should dominate all backend servers, so if we have categories c0 through c5 available for HTTPD domains we would want to run NGINX as ''system_u:system_r:httpd_t:s0-s0:c0.c5'', so it could connect to the upstream servers. Each backend server would run with a single category within c0-c5, and a context such as  ''system_u:system_r:httpd_t:s0-s0:c1''.
 +
 +There are a couple of presequities to achieving this. First, ''httpd_t'' must be associated with the ''mcs_constrained_type'' attribute that is currently only associated with the following types on CentOS 7:
 +
 +<WRAP center box 100%>
 +<code>
 +# seinfo -xamcs_constrained_type
 +</code>
 +<sxh plain; gutter: false;>
 +   mcs_constrained_type
 +      netlabel_peer_t
 +      openshift_t
 +      openshift_app_t
 +      sandbox_min_t
 +      sandbox_x_t
 +      sandbox_web_t
 +      sandbox_net_t
 +      svirt_t
 +      svirt_tcg_t
 +      svirt_lxc_net_t
 +      svirt_qemu_net_t
 +      svirt_kvm_net_t
 +</sxh>
 +</WRAP>
 +
 +To add to this list of types it is necessary to create a local policy module that associates the desired type with the attribute. This is done using the typeattribute statement, and can be done like so:
 +
 +<sxh plain; gutter: false;>
 +policy_module(httpd_mcs, 1.0)
 +gen_require(`
 +    type httpd_t;
 +    attribute mcs_constrained_type;
 +')
 +
 +typeattribute httpd_t mcs_constrained_type;
 +</sxh>
 +
 +See FIXME Customizing Local Policy for instructions on building policy modules.
 +
 +Once the type is associated with mcs_constrained_type each backend server must have their content relabeled to include the respective categories in their file context specifications. This can be achieved by adding the file types to /etc/selinux/targeted/contexts/customizable_types, but this can potentially break on a policy upgrade. An alternative is to add new file contexts specifications that include categories using **semanage-fcontext**:
 +
 +<code>
 +# semanage fcontext -a -t httpd_sys_content_t -r "s0-s0:c1" "/srv/backend1(/.*)?"
 +# semanage fcontext -a -t httpd_sys_content_t -r "s0-s0:c2" "/srv/backend2(/.*)?"
 +</code>
 +
 +The next step is making sure the backend servers are started with the correct security context. On CentOS 7 with systemd this can be achieved with the ''**SELinuxContext=**'' directive in the unit file, and in previous versions can be achieved using the ''**runcon**'' command.
 +
 +<code>
 +# runcon "system_u:system_r:httpd_t:s0-s0:c1" "/usr/local/bin/backend-server"
 +</code>
 +
 +Or in the systemd unit:
 +
 +<sxh plain; gutter: false;>
 +SELinuxContext=system_u:system_r:httpd_t:s0-s0:c1
 +</sxh>
 +
 +Now each backend server should be isolated from the other, while allowing NGINX access to manage and send messages to both of them.
  
  
Line 147: Line 329:
  
 https://wiki.centos.org/HowTos/SELinux https://wiki.centos.org/HowTos/SELinux
 +
 +
 +
 +
 +----
 +
 +
 +===== SELinux Troubleshooting =====
 +Um SELinux denied Meldungen ausfindig zu machen, mach man am einfachsten ein "cat" auf das SELinux audit.log mit der Kombination von "grep". Beispiel:
 +
 +<WRAP center box 100%>
 +<code># cat /var/log/audit/audit.log | grep avc</code>
 +
 +<sxh plain; gutter: false>
 +type=AVC msg=audit(1505717571.241:949): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717571.241:950): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717571.250:951): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717571.250:952): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717573.862:953): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717573.862:954): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717573.863:955): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717573.863:956): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717592.480:962): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717592.480:963): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717592.481:964): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717592.481:965): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=AVC msg=audit(1505717672.128:996): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +type=USER_AVC msg=audit(1505717701.127:1000): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
 +type=AVC msg=audit(1505717714.165:1003): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +</sxh>
 +
 +</WRAP>
 +
 +Wenn man nun jedoch vor komplizierteren SELinux Problemen steht, empfielt es sich mit den Setools für SELinux zu arbeiten.
 +
 +==== Verwenden von Setools / Setroubleshoot ====
 +
 +  * Installation von den Troubleshoot Packages //(Falls nicht schon vorhanden)//: <code># yum install setroubleshoot setools -y</code>
 +  * Um nun die Fehler aus unserem Audit.log automatisiert auszuwerten folgenden Befehl ausführen: <WRAP center box 100%>
 +<code># sealert -a /var/log/audit/audit.log</code>
 +Jeder hier generierte Report, beschreibt zuerst den Fehler, und erklärt danach möglichst genau, wie das Problem behoben werden kann. Ausgabe des Befehls:
 +
 +<sxh plain; gutter: false>
 +[root@admin-server ~]# sealert -a /var/log/audit/audit.log
 +100% done
 +found 1 alerts in /var/log/audit/audit.log
 +--------------------------------------------------------------------------------
 +
 +SELinux is preventing /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-1.b16.el7_3.x86_64/jre/bin/java (deleted) from name_connect access on the tcp_socket port 3306.
 +
 +*****  Plugin catchall (100. confidence) suggests   **************************
 +
 +If you believe that java (deleted) should be allowed name_connect access on the port 3306 tcp_socket by default.
 +Then you should report this as a bug.
 +You can generate a local policy module to allow this access.
 +Do
 +allow this access for now by executing:
 +# ausearch -c 'java' --raw | audit2allow -M my-java
 +# semodule -i my-java.pp
 +
 +
 +Additional Information:
 +Source Context                system_u:system_r:tomcat_t:s0
 +Target Context                system_u:object_r:mysqld_port_t:s0
 +Target Objects                port 3306 [ tcp_socket ]
 +Source                        java
 +Source Path                   /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.141-1.b16.el
 +                              7_3.x86_64/jre/bin/java (deleted)
 +Port                          3306
 +Host                          <Unknown>
 +Source RPM Packages           java-1.8.0-openjdk-
 +                              headless-1.8.0.144-0.b01.el7_4.x86_64
 +Target RPM Packages
 +Policy RPM                    selinux-policy-3.13.1-166.el7_4.4.noarch
 +Selinux Enabled               True
 +Policy Type                   targeted
 +Enforcing Mode                Permissive
 +Host Name                     admin-server.blacknet
 +Platform                      Linux admin-server.blacknet
 +                              3.10.0-693.2.2.el7.x86_64 #1 SMP Tue Sep 12
 +                              22:26:13 UTC 2017 x86_64 x86_64
 +Alert Count                   16
 +First Seen                    2017-09-17 13:33:21 CEST
 +Last Seen                     2017-09-18 08:55:14 CEST
 +Local ID                      42523e63-a9ef-438e-8a07-7e8d128d669b
 +
 +Raw Audit Messages
 +type=AVC msg=audit(1505717714.165:1003): avc:  denied  { name_connect } for  pid=1217 comm="java" dest=3306 scontext=system_u:system_r:tomcat_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket
 +
 +
 +type=SYSCALL msg=audit(1505717714.165:1003): arch=x86_64 syscall=connect success=yes exit=0 a0=77 a1=7f4cb79f6380 a2=1c a3=504 items=0 ppid=1 pid=1217 auid=4294967295 uid=91 gid=91 euid=91 suid=91 fsuid=91 egid=91 sgid=91 fsgid=91 tty=(none) ses=4294967295 comm=java exe=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.144-0.b01.el7_4.x86_64/jre/bin/java subj=system_u:system_r:tomcat_t:s0 key=(null)
 +
 +Hash: java,tomcat_t,mysqld_port_t,tcp_socket,name_connect
 +
 +</sxh>
 +</WRAP>
 +
 +  * Wie oben ersichtlich, wird zu unserem Problem eine **Lösung durch Eingabe von folgenden zwei Befehlen** empfohlen: <WRAP center box 100%>
 +<code>
 +# ausearch -c 'java' --raw | audit2allow -M guacamole-java
 +# semodule -i guacamole-java.pp
 +</code>
 +
 +  * ''**Der erste Befehl, erstellt im aktuellen Verzeichnis eine neue SELinux Regel** im ***.te Format (Text)** und **kompiliert** sie anschliessend in ein ***.pp Format.** //(Der in der Ausgabe verwendete Namen "my-java" kann beliebig festgelet werden! z.B. wie bei mir: guacamole-java)//''
 +  * ''<wrap em>Mit dem zweiten Befehl, wird die Regel dann permanent aktiviert!</wrap>''
 +
 +</WRAP>
 +
 +
 +  * http://www.serverlab.ca/tutorials/linux/administration-linux/troubleshooting-selinux-centos-red-hat/
 +  * https://serverfault.com/questions/321301/how-do-i-view-the-contents-of-a-selinux-policy-package
 +  * https://www.centos.org/docs/5/html/Deployment_Guide-en-US/sec-sel-building-policy-module.html
 +  * https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Troubleshooting-Top_Three_Causes_of_Problems.html
 +
 +
 +
 +----
 +
 +===== Redhat Dokumentation zum Thema =====
 +
 +<WRAP center round download 80%>
 +''{{ :redhat:base-redhat:red_hat_enterprise_linux-7-selinux_users_and_administrators_guide-en-us.pdf |}}''
 +</WRAP>
 +
 +
 +
  • redhat/base-redhat/selinux-redhat.1503475130.txt.gz
  • Last modified: 2017/08/23 09:58
  • by michael