

Configuring and mastering SELinux on CentOS

Introduction

There are several ways to harden a GNU/Linux operating system. One of them is to deploy SELinux, GRSecurity, or similar.

In this article we will only skim over SELinux. Skim, because SELinux is powerful enough that it would take more than one article to cover it.

"Security-Enhanced Linux, abbreviated SELinux, is a Linux security module (LSM) that makes it possible to define a mandatory access control policy for the components of a Linux-based system.

Its architecture separates the enforcement of the access policy from its definition. Among other things, it lets you sort the applications on a system into different groups with finer-grained access levels. It also lets you assign a confidentiality level to accesses to system objects, such as file descriptors, according to a multilevel security model (MLS, Multi Level Security). SELinux uses the Bell-LaPadula model complemented by the Type Enforcement integrity control mechanism developed by SCC. It is free software, some parts being released under the GNU GPL and BSD licences."

Prerequisites

Install:

  • policycoreutils
  • setools-console
  • setools

SELinux configuration

The first file to look at is /etc/selinux/config

# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

Analysing audit.log

Why analyse the audit log?

The first reason is to analyse this log so you can correct the chosen SELinux policy. The chosen policy will sometimes stop you from performing some action (for example, Apache+PHP not being allowed to send mail!).

Or hot-plugging a USB key being forbidden! and so on.

To analyse the log, the "less" command is the first one available, then comes "grep", etc.

If you have a graphical interface, other tools are available: "seaudit" and "system-config-selinux". But it is very rare to have a graphical interface on a GNU/Linux server... 🙁

audit.log entries

They look like this:

type=USER_ACCT msg=audit(1365956951.637:14): user pid=1453 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="pmsiadmin" exe="/usr/sbin/sshd" hostname=192.168.1.7 addr=192.168.1.7 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1365956951.642:15): user pid=1453 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1457 suid=74 rport=53730 laddr=192.168.1.41 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.7 terminal=? res=success'
type=USER_AUTH msg=audit(1365956951.654:16): user pid=1453 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=success acct="pmsiadmin" exe="/usr/sbin/sshd" hostname=? addr=192.168.1.7 terminal=ssh res=success'
type=CRED_ACQ msg=audit(1365956951.674:17): user pid=1453 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="pmsiadmin" exe="/usr/sbin/sshd" hostname=192.168.1.7 addr=192.168.1.7 terminal=ssh res=success'
type=LOGIN msg=audit(1365956951.674:18): pid=1453 uid=0 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 old auid=4294967295 new auid=500 old ses=4294967295 new ses=1
type=USER_ROLE_CHANGE msg=audit(1365956951.836:19): user pid=1453 uid=0 auid=500 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/sbin/sshd" hostname=192.168.1.7 addr=192.168.1.7 terminal=ssh res=success'
type=USER_START msg=audit(1365956951.844:20): user pid=1453 uid=0 auid=500 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="pmsiadmin" exe="/usr/sbin/sshd" hostname=192.168.1.7 addr=192.168.1.7 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1365956951.848:21): user pid=1453 uid=0 auid=500 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=session fp=? direction=both spid=1453 suid=0 rport=53730 laddr=192.168.1.41 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.7 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1365956951.850:22): user pid=1497 uid=0 auid=500 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=37:c1:6a:2e:04:68:25:24:3b:65:4e:00:11:11:3c:ee direction=? spid=1497 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.7 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1365956951.850:23): user pid=1497 uid=0 auid=500 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=27:86:40:b4:a9:c2:3e:51:ed:1d:8a:ac:54:b3:a2:cd direction=? spid=1497 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.1.7 terminal=? res=success'
type=CRED_ACQ msg=audit(1365956951.854:24): user pid=1497 uid=0 auid=500 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="pmsiadmin" exe="/usr/sbin/sshd" hostname=192.168.1.7 addr=192.168.1.7 terminal=ssh res=success'
type=USER_LOGIN msg=audit(1365956951.919:25): user pid=1453 uid=0 auid=500 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=192.168.1.7 addr=192.168.1.7 terminal=/dev/pts/1 res=success'
type=USER_START msg=audit(1365956951.920:26): user pid=1453 uid=0 auid=500 ses=1 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=192.168.1.7 addr=192.168.1.7 terminal=/dev/pts/1 res=success'
type=USER_AUTH msg=audit(1365956957.260:27): user pid=1574 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:authentication acct="pmsiadmin" exe="/bin/su" hostname=? addr=? terminal=console res=success'
type=USER_ACCT msg=audit(1365956957.261:28): user pid=1574 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:accounting acct="pmsiadmin" exe="/bin/su" hostname=? addr=? terminal=console res=success'
type=USER_START msg=audit(1365956957.273:29): user pid=1574 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_open acct="pmsiadmin" exe="/bin/su" hostname=? addr=? terminal=console res=success'
type=CRED_ACQ msg=audit(1365956957.274:30): user pid=1574 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="pmsiadmin" exe="/bin/su" hostname=? addr=? terminal=console res=success'
type=USER_AUTH msg=audit(1365956959.504:31): user pid=1536 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/1 res=failed'
type=USER_AUTH msg=audit(1365956964.212:32): user pid=1689 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/1 res=success'
type=USER_ACCT msg=audit(1365956964.232:33): user pid=1689 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/1 res=success'
type=USER_START msg=audit(1365956964.243:34): user pid=1689 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/1 res=success'
type=CRED_ACQ msg=audit(1365956964.243:35): user pid=1689 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/1 res=success'
type=CRED_DISP msg=audit(1365956965.961:36): user pid=1574 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:setcred acct="pmsiadmin" exe="/bin/su" hostname=? addr=? terminal=console res=success'
type=USER_END msg=audit(1365956965.967:37): user pid=1574 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:initrc_t:s0 msg='op=PAM:session_close acct="pmsiadmin" exe="/bin/su" hostname=? addr=? terminal=console res=success'

Some of them contain the details of a block even though, in your view, the action is legitimate!

For example, I have on my system a server running with "memcache" that was more or less blocked!

# grep denied /var/log/audit/audit.log | grep memcache
type=AVC msg=audit(1365929456.586:639): avc: denied { getattr } for pid=4486 comm="ps" path="/proc/1164" dev=proc ino=46787 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=dir
type=AVC msg=audit(1365929667.992:740): avc: denied { search } for pid=4646 comm="ps" name="1164" dev=proc ino=50418 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=dir
type=AVC msg=audit(1365929668.771:830): avc: denied { search } for pid=4652 comm="ps" name="1164" dev=proc ino=50418 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=dir
type=AVC msg=audit(1365930042.982:950): avc: denied { search } for pid=5394 comm="ps" name="1164" dev=proc ino=54499 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=dir
type=AVC msg=audit(1365930043.944:1044): avc: denied { search } for pid=5415 comm="ps" name="1164" dev=proc ino=54499 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=dir
type=AVC msg=audit(1365930288.701:1152): avc: denied { search } for pid=5621 comm="ps" name="1164" dev=proc ino=55953 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=dir
type=AVC msg=audit(1365930289.203:1239): avc: denied { search } for pid=5626 comm="ps" name="1164" dev=proc ino=55953 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=dir
type=AVC msg=audit(1365930306.195:1330): avc: denied { search } for pid=5637 comm="ps" name="1164" dev=proc ino=55953 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=dir
type=AVC msg=audit(1365930307.033:1421): avc: denied { search } for pid=5642 comm="ps" name="1164" dev=proc ino=55953 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=dir
type=AVC msg=audit(1365952324.896:31171): avc: denied { read } for pid=2176 comm="ps" name="stat" dev=proc ino=12230 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=file
type=AVC msg=audit(1365952325.002:31269): avc: denied { read } for pid=2181 comm="ps" name="stat" dev=proc ino=12230 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=file

Yet this was legitimate on my system.... But let's take a closer look at one audit.log entry

type=AVC msg=audit(1365952325.002:31269): avc: denied { read } for pid=2181 comm="ps" name="stat" dev=proc ino=12230 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=file

We can see that the "httpd_t" context (apache) attempted an action on another context, "memcached_t" (memcache), on a file ("tclass=file"), and that this was not permitted!

# echo "type=AVC msg=audit(1365952325.002:31269): avc: denied { read } for pid=2181 comm="ps" name="stat" dev=proc ino=12230 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=file" | audit2why
 
type=AVC msg=audit(1365952325.002:31269): avc: denied { read } for pid=2181 comm=ps name=stat dev=proc ino=12230 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=file
 
        Was caused by:
                Missing type enforcement (TE) allow rule.
 
                You can use audit2allow to generate a loadable module to allow this access.

Further on we will see how to fix it!
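Before asking audit2why about a single line, it helps to see every AVC denial in the log grouped by source type, target type, object class and permission: that is the shape the allow rules will take, and it shows at a glance whether you are looking at one legitimate access or at something broader. The script below is an added example, not part of the original article; the function names (sample_audit_lines, avc_summary) are my own, and the log lines fed to it are constructed for the example (the same pattern as the httpd_t/memcached_t entries above, plus one constructed name_connect denial to the memcache port and one non-AVC line that must be ignored). On a real server you would run `avc_summary /var/log/audit/audit.log` instead.

```shell
#!/bin/sh
# Constructed sample standing in for /var/log/audit/audit.log.
sample_audit_lines() {
cat <<'EOF'
type=AVC msg=audit(1365952324.896:31171): avc: denied { read } for pid=2176 comm="ps" name="stat" dev=proc ino=12230 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=file
type=AVC msg=audit(1365952325.002:31269): avc: denied { read } for pid=2181 comm="ps" name="stat" dev=proc ino=12230 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=file
type=AVC msg=audit(1365930042.982:950): avc: denied { search } for pid=5394 comm="ps" name="1164" dev=proc ino=54499 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:memcached_t:s0 tclass=dir
type=AVC msg=audit(1365930100.000:1000): avc: denied { name_connect } for pid=6000 comm="httpd" dest=11211 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:memcache_port_t:s0 tclass=tcp_socket
type=USER_AUTH msg=audit(1365956959.504:31): user pid=1536 uid=500 auid=500 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/1 res=failed'
EOF
}

# Summarise AVC denials as "count source_type -> target_type class { perms }",
# most frequent first. Reads the file(s) given as arguments, or stdin.
avc_summary() {
    awk '
    /^type=AVC / && /avc: +denied/ {
        perm = ""; src = ""; tgt = ""; cls = ""
        # the permission set sits between the braces: "{ read }" or "{ getattr search }"
        if (match($0, /\{[^}]*\}/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perm)
        }
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "scontext") src = kv[2]
            else if (kv[1] == "tcontext") tgt = kv[2]
            else if (kv[1] == "tclass") cls = kv[2]
        }
        # keep only the type, i.e. the third component of user:role:type:level
        split(src, s, ":"); split(tgt, t, ":")
        count[s[3] " -> " t[3] " " cls " { " perm " }"]++
    }
    END {
        for (k in count) printf "%d %s\n", count[k], k
    }' "$@" | sort -rn
}

sample_audit_lines | avc_summary
```

On the constructed sample this prints three lines: the two `{ read }` denials on memcached_t files collapse into one line with count 2, the `{ search }` on a memcached_t directory and the `{ name_connect }` on memcache_port_t each get their own line, and the USER_AUTH record is ignored. Each summary line maps directly onto one allow rule audit2allow would emit, so the list is also what you should expect to find in the generated .te file, and nothing more.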

Choosing and creating policies in the form of modules

We have just seen that some actions can be blocked even though they may be legitimate. If, for example, Apache is allowed to access memcache's files, we will create a module permitting it!

# grep httpd_t /var/log/audit/audit.log | grep denied | grep memcached_t | audit2allow -m new_module > new_module.te
# grep httpd_t /var/log/audit/audit.log | grep denied | grep memcached_t | audit2allow -M new_module

The first line creates a descriptive module: new_module.te

The second creates a module that can be plugged directly into SELinux: "new_module.pp"

Here is what new_module.te contains

# cat new_module.te

module new_module 1.0;
 
require {
        type unconfined_t;
        type semanage_t;
        type init_t;
        type system_cronjob_t;
        type mysqld_t;
        type syslogd_t;
        type apmd_t;
        type initrc_t;
        type system_dbusd_t;
        type abrt_dump_oops_t;
        type sysctl_fs_t;
        type dhcpc_t;
        type proc_net_t;
        type memcache_port_t;
        type munin_system_plugin_t;
        type kernel_t;
        type munin_t;
        type consolekit_t;
        type auditd_t;
        type httpd_t;
        type udev_t;
        type mysqld_safe_t;
        type local_login_t;
        type sshd_t;
        type hald_t;
        type getty_t;
        type initrc_var_run_t;
        type crond_t;
        type munin_services_plugin_t;
        type memcached_t;
        class tcp_socket name_connect;
        class file read;
        class dir { getattr search };
}
 
#============= httpd_t ==============
allow httpd_t abrt_dump_oops_t:dir { getattr search };
allow httpd_t apmd_t:dir { getattr search };
allow httpd_t auditd_t:dir { getattr search };
allow httpd_t consolekit_t:dir getattr;
allow httpd_t crond_t:dir { getattr search };
allow httpd_t dhcpc_t:dir { getattr search };
allow httpd_t getty_t:dir { getattr search };
allow httpd_t hald_t:dir { getattr search };
allow httpd_t init_t:dir { getattr search };
allow httpd_t initrc_t:dir { getattr search };
allow httpd_t initrc_var_run_t:file read;
allow httpd_t kernel_t:dir { getattr search };
allow httpd_t local_login_t:dir getattr;
allow httpd_t memcache_port_t:tcp_socket name_connect;
allow httpd_t memcached_t:dir { getattr search };
allow httpd_t munin_services_plugin_t:dir getattr;
allow httpd_t munin_system_plugin_t:dir getattr;
allow httpd_t munin_t:dir { getattr search };
allow httpd_t mysqld_safe_t:dir { getattr search };
allow httpd_t mysqld_t:dir { getattr search };
allow httpd_t proc_net_t:file read;
allow httpd_t semanage_t:dir getattr;
allow httpd_t sshd_t:dir { getattr search };
allow httpd_t sysctl_fs_t:dir search;
allow httpd_t syslogd_t:dir { getattr search };
allow httpd_t system_cronjob_t:dir { getattr search };
allow httpd_t system_dbusd_t:dir { getattr search };
allow httpd_t udev_t:dir { getattr search };
allow httpd_t unconfined_t:dir { getattr search };
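The module above grants httpd_t far more than the memcache access we set out to allow: read and search on the /proc entries of kernel_t, unconfined_t, sshd_t, auditd_t and a dozen other domains, because ps was run from a PHP script and audit2allow turned every denial it was fed into a rule. That is the moment to review the .te file rather than load it blindly, and to check whether a boolean already covers part of it (the `allow httpd_t memcache_port_t:tcp_socket name_connect;` rule is exactly what the httpd_can_network_memcache boolean listed further down enables). The script below is an added example, not code from the article: te_rules and te_unexpected are my own function names, and the .te excerpt it reads is a constructed subset of the rules above, with one extra `memcached_t:file read` rule added to match the audit2why entry.

```shell
#!/bin/sh
# Constructed excerpt of an audit2allow-generated module, used as review input.
sample_te() {
cat <<'EOF'
module new_module 1.0;

require {
        type unconfined_t;
        type kernel_t;
        type memcache_port_t;
        type httpd_t;
        type memcached_t;
        class tcp_socket name_connect;
        class file read;
        class dir { getattr search };
}

#============= httpd_t ==============
allow httpd_t kernel_t:dir { getattr search };
allow httpd_t memcache_port_t:tcp_socket name_connect;
allow httpd_t memcached_t:dir { getattr search };
allow httpd_t memcached_t:file read;
allow httpd_t unconfined_t:dir { getattr search };
EOF
}

# Print every allow rule of a .te file (argument or stdin) as:
#   source_type target_type class perm [perm ...]
te_rules() {
    awk '
    $1 == "allow" {
        src = $2
        split($3, st, ":")                       # "memcached_t:dir" -> type, class
        line = $0
        sub(/^allow[^:]*:[^ ]+ +/, "", line)     # drop "allow src tgt:class "
        sub(/; *$/, "", line)                    # drop the trailing semicolon
        gsub(/[{}]/, "", line)                   # "{ getattr search }" -> " getattr search "
        gsub(/^ +| +$/, "", line); gsub(/ +/, " ", line)
        print src, st[1], st[2], line
    }' "$@"
}

# Keep only the rules whose target type is NOT in the space-separated list
# of types you expect for this change: those are the ones to question (or
# delete from the .te before rebuilding it) rather than load with semodule -i.
te_unexpected() {
    expected="$1"; shift
    te_rules "$@" | awk -v ok="$expected" '
    BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allowed[a[i]] = 1 }
    !($2 in allowed)'
}

echo "== all rules =="
sample_te | te_rules
echo "== rules outside the memcache scope =="
sample_te | te_unexpected "memcached_t memcache_port_t"
```

With the memcache types as the expected scope, the second listing reports the kernel_t and unconfined_t rules, which have nothing to do with memcache and would let the web server inspect those domains' /proc entries. The generated module is only as narrow as the log lines you pipe into audit2allow, so filtering the input (as the grep chain above tries to do) and reviewing the output are both part of the job.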

Deploying the policy or module

We load the module we created!

# semodule -i new_module.pp

We check that it really is loaded!

# semodule -l | grep new
 
new_module     1.0

And that's done

Booleans

Booleans are parameters set to 0 or 1. To list them:

# getsebool -a
abrt_anon_write --> off
abrt_handle_event --> off
allow_console_login --> on
allow_cvs_read_shadow --> off
allow_daemons_dump_core --> on
allow_daemons_use_tcp_wrapper --> off
allow_daemons_use_tty --> on
allow_domain_fd_use --> on
allow_execheap --> off
allow_execmem --> on
allow_execmod --> on
allow_execstack --> on
allow_ftpd_anon_write --> off
allow_ftpd_full_access --> off
allow_ftpd_use_cifs --> off
allow_ftpd_use_nfs --> off
allow_gssd_read_tmp --> on
allow_guest_exec_content --> off
allow_httpd_anon_write --> off
allow_httpd_mod_auth_ntlm_winbind --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_sys_script_anon_write --> off
allow_java_execstack --> off
allow_kerberos --> on
allow_mount_anyfile --> on
allow_mplayer_execstack --> off
allow_nsplugin_execmem --> on
allow_polyinstantiation --> off
allow_postfix_local_write_mail_spool --> on
allow_ptrace --> off
allow_rsync_anon_write --> off
allow_saslauthd_read_shadow --> off
allow_smbd_anon_write --> off
allow_ssh_keysign --> off
allow_staff_exec_content --> on
allow_sysadm_exec_content --> on
allow_unconfined_nsplugin_transition --> off
allow_user_exec_content --> on
allow_user_mysql_connect --> off
allow_user_postgresql_connect --> off
allow_write_xshm --> off
allow_xguest_exec_content --> off
allow_xserver_execmem --> off
allow_ypbind --> off
allow_zebra_write_config --> on
authlogin_radius --> off
cdrecord_read_content --> off
clamd_use_jit --> off
cobbler_anon_write --> off
cobbler_can_network_connect --> off
cobbler_use_cifs --> off
cobbler_use_nfs --> off
condor_domain_can_network_connect --> off
cron_can_relabel --> off
dhcpc_exec_iptables --> off
domain_kernel_load_modules --> off
exim_can_connect_db --> off
exim_manage_user_files --> off
exim_read_user_files --> off
fcron_crond --> off
fenced_can_network_connect --> off
fenced_can_ssh --> off
ftp_home_dir --> off
ftpd_connect_db --> off
ftpd_use_passive_mode --> off
git_cgit_read_gitosis_content --> off
git_session_bind_all_unreserved_ports --> off
git_system_enable_homedirs --> off
git_system_use_cifs --> off
git_system_use_nfs --> off
global_ssp --> off
gpg_agent_env_file --> off
gpg_web_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> on
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_manage_ipa --> off
httpd_read_user_content --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_tmp_exec --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
icecast_connect_any --> off
init_upstart --> on
irssi_use_full_network --> off
logging_syslogd_can_sendmail --> off
mmap_low_allowed --> off
mozilla_read_content --> off
mysql_connect_any --> off
named_write_master_zones --> off
ncftool_read_user_content --> off
nscd_use_shm --> on
nsplugin_can_network --> on
openvpn_enable_homedirs --> on
piranha_lvs_can_network_connect --> off
pppd_can_insmod --> off
pppd_for_user --> off
privoxy_connect_any --> on
puppet_manage_all_files --> off
puppetmaster_use_db --> off
qemu_full_network --> on
qemu_use_cifs --> on
qemu_use_comm --> off
qemu_use_nfs --> on
qemu_use_usb --> on
racoon_read_shadow --> off
rgmanager_can_network_connect --> off
rsync_client --> off
rsync_export_all_ro --> off
rsync_use_cifs --> off
rsync_use_nfs --> off
samba_create_home_dirs --> off
samba_domain_controller --> off
samba_enable_home_dirs --> off
samba_export_all_ro --> off
samba_export_all_rw --> off
samba_run_unconfined --> off
samba_share_fusefs --> off
samba_share_nfs --> off
sanlock_use_nfs --> off
sanlock_use_samba --> off
secure_mode --> off
secure_mode_insmod --> off
secure_mode_policyload --> off
sepgsql_enable_users_ddl --> on
sepgsql_unconfined_dbadm --> on
sge_domain_can_network_connect --> off
sge_use_nfs --> off
smartmon_3ware --> off
spamassassin_can_network --> off
spamd_enable_home_dirs --> on
squid_connect_any --> on
squid_use_tproxy --> off
ssh_chroot_rw_homedirs --> off
ssh_sysadm_login --> off
telepathy_tcp_connect_generic_network_ports --> off
tftp_anon_write --> off
tor_bind_all_unreserved_ports --> off
unconfined_login --> on
unconfined_mmap_zero_ignore --> off
unconfined_mozilla_plugin_transition --> off
use_fusefs_home_dirs --> off
use_lpd_server --> off
use_nfs_home_dirs --> on
use_samba_home_dirs --> off
user_direct_dri --> on
user_direct_mouse --> off
user_ping --> on
user_rw_noexattrfile --> on
user_setrlimit --> on
user_tcp_server --> off
user_ttyfile_stat --> off
varnishd_connect_any --> off
vbetool_mmap_zero_ignore --> off
virt_use_comm --> off
virt_use_fusefs --> off
virt_use_nfs --> off
virt_use_samba --> off
virt_use_sanlock --> off
virt_use_sysfs --> on
virt_use_usb --> on
virt_use_xserver --> off
webadm_manage_user_files --> off
webadm_read_user_files --> off
wine_mmap_zero_ignore --> off
xdm_exec_bootloader --> off
xdm_sysadm_login --> off
xen_use_nfs --> off
xguest_connect_network --> on
xguest_mount_media --> on
xguest_use_bluetooth --> on
xserver_object_manager --> off

To switch a parameter of the currently applied policy, such as "httpd_can_sendmail", from 0 to 1 or back, just type the command:

# setsebool httpd_can_sendmail 1
 
or
 
# setsebool httpd_can_sendmail=1
 
or
 
# setsebool httpd_can_sendmail=on
 
or
 
# setsebool httpd_can_sendmail on

For the change to survive a reboot, the -P option is mandatory!

# setsebool -P httpd_can_sendmail on
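Because a boolean flipped without -P silently reverts at the next reboot, it is worth keeping the list of booleans you rely on (httpd_can_sendmail for the PHP mail case above, httpd_can_network_memcache for the memcache case) somewhere you can compare against the live system. The script below is an added example, not from the article: sebool_drift is my own function name, it reads `getsebool -a` output on stdin (here a constructed excerpt of the listing above, via sample_getsebool) and prints the persistent setsebool -P command for every boolean whose value differs from the name=value pairs you pass it. It changes nothing itself; you review the printed lines and run them.

```shell
#!/bin/sh
# Constructed excerpt of `getsebool -a` output, standing in for the live command.
sample_getsebool() {
cat <<'EOF'
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_sendmail --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off
EOF
}

# Compare live values (getsebool -a format on stdin) with the desired
# name=value arguments. For each difference print the command that would
# fix it persistently; booleans absent from the live list are reported as
# comments (a typo, or a boolean this policy version does not have).
sebool_drift() {
    want=""
    for pair in "$@"; do want="$want $pair"; done
    awk -v want="$want" '
    BEGIN {
        n = split(want, list, " ")
        for (i = 1; i <= n; i++) if (list[i] != "") {
            split(list[i], kv, "="); desired[kv[1]] = kv[2]
        }
    }
    $2 == "-->" && ($1 in desired) {
        seen[$1] = 1
        if ($3 != desired[$1]) printf "setsebool -P %s %s\n", $1, desired[$1]
    }
    END {
        for (b in desired) if (!(b in seen))
            printf "# unknown boolean on this policy: %s\n", b
    }'
}

# Dry run: the web server needs mail and memcache, CGI stays off.
sample_getsebool | sebool_drift \
    httpd_can_network_memcache=on httpd_can_sendmail=on \
    httpd_enable_cgi=off httpd_enable_homedirs=off
```

On the constructed listing this prints three `setsebool -P` lines (memcache on, sendmail on, CGI off) and nothing for httpd_enable_homedirs, which is already off. Pipe the real `getsebool -a` into it from a cron job or a configuration check and a non-empty output is your drift alarm: either someone flipped a boolean without -P, or a policy update reset it.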

Conclusion

There you go, now you know as much as I do.....

Further reading

http://wiki.deimos.fr/S%C3%A9curiser_son_architecture_avec_SELinux

http://www.unixgarden.com/index.php/gnu-linux-magazine-hs/selinux-lagence-de-securite-du-noyau

http://www.centos.org/docs/4/html/rhel-selg-en-4/rhlcommon-section-0105.html

http://centosmanpages.com/manpages/6/man8/seaudit.8.html

http://doc.opensuse.org/products/draft/SLES/SLE-audit-quick_sd_draft/

http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html#sec.audit.auditd

http://wiki.centos.org/HowTos/SELinux#head-faa96b3fdd922004cdb988c1989e56191c257c01

Creative Commons License
This work by Laurent Besson is made available under the terms of the Creative Commons Attribution-ShareAlike 2.0 France licence.