{"id":16561,"date":"2014-10-29T21:00:32","date_gmt":"2014-10-29T12:00:32","guid":{"rendered":"http:\/\/www.sssg.org\/blogs\/hiro345\/?p=16561"},"modified":"2014-10-29T20:16:15","modified_gmt":"2014-10-29T11:16:15","slug":"centos6%e3%81%abselinux%e3%81%a7%e4%be%bf%e5%88%a9%e3%81%aa%e3%82%b3%e3%83%9e%e3%83%b3%e3%83%89%e3%82%92%e3%82%a4%e3%83%b3%e3%82%b9%e3%83%88%e3%83%bc%e3%83%ab","status":"publish","type":"post","link":"https:\/\/www.hiro345.net\/blogs\/hiro345\/archives\/16561.html","title":{"rendered":"CentOS6\u306bSELinux\u3067\u4fbf\u5229\u306a\u30b3\u30de\u30f3\u30c9\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb"},"content":{"rendered":"<p>CentOS6\u3067\u306fSELinux\u3092\u6709\u52b9\u306b\u3057\u3066\u4f7f\u3044\u305f\u3044\u306e\u3067\u3059\u304c\u3001\u7ba1\u7406\u3059\u308b\u306b\u306f\u305d\u3053\u305d\u3053\u5927\u5909\u306a\u306e\u3067\u3001\u4fbf\u5229\u306a\u30b3\u30de\u30f3\u30c9\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066\u304a\u304d\u305f\u3044\u3068\u3053\u308d\u3067\u3059\u3002policycoreutils-python \u30d1\u30c3\u30b1\u30fc\u30b8\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308c\u3070\u3001audit2allow\u3001audit2why\u3001chcat\u3001semanage \u3068\u3044\u3063\u305f\u30b3\u30de\u30f3\u30c9\u304c\u4f7f\u3048\u308b\u3088\u3046\u306b\u306a\u308a\u307e\u3059\u3002<br \/>\n<!--more--><br \/>\n\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u306f\u6b21\u306e\u901a\u308a\u3002<\/p>\n<pre class=\"brush: bash; gutter: true\">\r\n$ sudo yum install policycoreutils-python\r\n<\/pre>\n<p>SELinux\u3092Permissive\u30e2\u30fc\u30c9\u306b\u3057\u3066\u304b\u3089\u52d5\u4f5c\u3055\u305b\u3066\u3044\u308b\u3068\u304d\u306b\u30ed\u30b0\u3078\u51fa\u529b\u3055\u308c\u308b\u30a8\u30e9\u30fc\u304b\u3089\u3001audit2allow\u3092\u4f7f\u3063\u3066\u5fc5\u8981\u306a\u30dd\u30ea\u30b7\u30fc\u306e\u60c5\u5831\u304c\u5165\u624b\u3067\u304d\u307e\u3059\u3002<\/p>\n<pre class=\"brush: bash; gutter: true\">\r\n$ sudo audit2allow -a -l -r\r\n\r\nrequire {\r\n\ttype var_t;\r\n\ttype httpd_sys_script_t;\r\n\ttype boot_t;\r\n\ttype postfix_postdrop_t;\r\n\ttype httpd_t;\r\n\ttype user_home_t;\r\n\tclass dir getattr;\r\n\tclass file { read getattr };\r\n\tclass fifo_file getattr;\r\n}\r\n\r\n#============= httpd_sys_script_t ==============\r\nallow httpd_sys_script_t var_t:file { read getattr };\r\n\r\n#============= httpd_t ==============\r\nallow httpd_t boot_t:dir getattr;\r\nallow httpd_t user_home_t:file { read getattr };\r\n\r\n#============= postfix_postdrop_t ==============\r\nallow postfix_postdrop_t httpd_t:fifo_file getattr;\r\n<\/pre>\n<p>\u3053\u308c\u3092\u9069\u7528\u3059\u308b\u306b\u306f\u3001\u6b21\u306e\u3088\u3046\u306b\u3057\u307e\u3059\u3002audit2allow\u3067package001.te\u3068package001.pp\u304c\u751f\u6210\u3055\u308c\u307e\u3059\u3002<\/p>\n<pre class=\"brush: bash; gutter: true\">\r\n$ sudo audit2allow -i \/var\/log\/audit.log -M package001\r\n$ sudo semodule -i package001.pp\r\n<\/pre>\n<p>\u300csudo audit2allow -a -l -r\u300d\u306e\u8868\u793a\u5185\u5bb9\u3092local.te\u306b\u8ffd\u52a0\u3057\u3066\u304b\u3089\u9069\u7528\u3092\u3059\u308b\u3053\u3068\u3082\u3067\u304d\u307e\u3059\u3002<\/p>\n<pre class=\"brush: bash; gutter: true\">\r\n$ sudo checkmodule -M -m -o local.mod local.te\r\n$ sudo semodule_package -o local.pp -m local.mod\r\n<\/pre>\n<p>\u65b0\u898f\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308b\u3068\u304d\u306f\u3001\u4e0b\u8a18<\/p>\n<pre class=\"brush: bash; gutter: true\">\r\n$ sudo semodule -i local.pp\r\n<\/pre>\n<p>\u30a2\u30c3\u30d7\u30c7\u30fc\u30c8\u3059\u308b\u3068\u304d\u306f\u3001\u4e0b\u8a18<\/p>\n<pre class=\"brush: bash; gutter: true\">\r\n$ semodule -u local.pp\r\n<\/pre>\n<p>\u7d44\u307f\u8fbc\u307f\u3092\u78ba\u8a8d\u3059\u308b\u306b\u306f\u3001\u4e0b\u8a18<\/p>\n<pre class=\"brush: bash; gutter: true\">\r\n$ semodule -l | grep local.pp\r\n<\/pre>\n<p>\u30dd\u30ea\u30b7\u30fc\u30fb\u30e2\u30b8\u30e5\u30fc\u30eb\u3092\u524a\u9664\u3059\u308b\u306e\u306f\u6b21\u306e\u901a\u308a\u3002<\/p>\n<pre class=\"brush: bash; gutter: true\">\r\n$ semodule -r local\r\n<\/pre>\n<p>\u30dd\u30ea\u30b7\u30fc\u3092\u8ffd\u52a0\u3057\u305f\u3089\u3001SELinux\u3092Enforcing\u30e2\u30fc\u30c9\u306b\u623b\u3057\u307e\u3059\u3002\u52d5\u4f5c\u3057\u306a\u3044\u5834\u5408\u306f\u3001\u52d5\u304f\u307e\u3067\u8a2d\u5b9a\u306e\u8ffd\u52a0\u3092\u7e70\u308a\u8fd4\u3057\u307e\u3059\u3002<\/p>\n<p>Linux\u306b\u3064\u3044\u3066\u306f\u4e0b\u8a18\u304c\u53c2\u8003\u306b\u306a\u308b\u304b\u3082\u3057\u308c\u307e\u305b\u3093\u3002<\/p>\n<ul>\n<li><a type=\"amzn\" asin=\"4774145017\">\u30d7\u30ed\u306e\u305f\u3081\u306e Linux\u30b7\u30b9\u30c6\u30e0\u69cb\u7bc9\u30fb\u904b\u7528\u6280\u8853 (Software Design plus)<\/a><\/li>\n<\/ul>\n<div>\n<iframe loading=\"lazy\" style=\"width: 120px; height: 240px;\" src=\"\/\/rcm-jp.amazon.co.jp\/e\/cm?t=hiro345-22&amp;o=9&amp;p=8&amp;l=as1&amp;asins=4774145017&amp;ref=tf_til&amp;fc1=000000&amp;IS2=1&amp;lt1=_blank&amp;m=amazon&amp;lc1=0000FF&amp;bc1=000000&amp;bg1=FFFFFF&amp;f=ifr\" height=\"240\" width=\"320\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>CentOS6\u3067\u306fSELinux\u3092\u6709\u52b9\u306b\u3057\u3066\u4f7f\u3044\u305f\u3044\u306e\u3067\u3059\u304c\u3001\u7ba1\u7406\u3059\u308b\u306b\u306f\u305d\u3053\u305d\u3053\u5927\u5909\u306a\u306e\u3067\u3001\u4fbf\u5229\u306a\u30b3\u30de\u30f3\u30c9\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3057\u3066\u304a\u304d\u305f\u3044\u3068\u3053\u308d\u3067\u3059\u3002policycoreutils-python \u30d1\u30c3\u30b1\u30fc\u30b8\u3092\u30a4\u30f3\u30b9\u30c8\u30fc\u30eb\u3059\u308c &hellip; <a href=\"https:\/\/www.hiro345.net\/blogs\/hiro345\/archives\/16561.html\">\u7d9a\u304d\u3092\u8aad\u3080 <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[26,1209,128],"class_list":["post-16561","post","type-post","status-publish","format-standard","hentry","category-linux","tag-centos","tag-linux","tag-selinux"],"_links":{"self":[{"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/posts\/16561","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/comments?post=16561"}],"version-history":[{"count":1,"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/posts\/16561\/revisions"}],"predecessor-version":[{"id":16562,"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/posts\/16561\/revisions\/16562"}],"wp:attachment":[{"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/media?parent=16561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/categories?post=16561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hiro345.net\/blogs\/hiro345\/wp-json\/wp\/v2\/tags?post=16561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}