Resolving SELinux denials

HaiLiang_Blog

When configuring services, you regularly run into SELinux blocking something, and the usual "fix" is to turn SELinux off. That lowers the security of the whole Linux system. This post shows how to analyse why SELinux denied an access so that the actual cause can be fixed instead.

Linux provides a tool for analysing SELinux denial messages.

Install setroubleshoot

# yum install setroubleshoot

This tool writes its diagnostic messages to /var/log/messages

# cat /var/log/messages | grep setroubleshoot

For example:

[root@localhost ~]# cat /var/log/messages |grep setroubleshoot
Nov 5 11:47:09 localhost yum[8860]: Installed: setroubleshoot-plugins-3.0.40-2.el6.noarch
Nov 5 11:47:11 localhost yum[8860]: Installed: setroubleshoot-server-3.0.47-6.el6.i686
Nov 5 11:47:17 localhost yum[8860]: Installed: setroubleshoot-3.0.47-6.el6.i686
Nov 5 11:55:09 localhost setroubleshoot: SELinux is preventing /usr/sbin/sshd from read access on the file /root/.ssh/authorized_keys. For complete SELinux messages. run sealert -l 090d0ada-850d-4a47-9395-1ceb7efe524d
Nov 5 11:55:09 localhost setroubleshoot: SELinux is preventing /usr/sbin/sshd from read access on the file /root/.ssh/authorized_keys. For complete SELinux messages. run sealert -l 090d0ada-850d-4a47-9395-1ceb7efe524d
Nov 5 11:55:09 localhost setroubleshoot: SELinux is preventing /usr/sbin/sshd from getattr access on the file /root/.ssh/authorized_keys. For complete SELinux messages. run sealert -l 936dc62f-3f2c-4d16-9ec5-7043ccf0562b
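On a busy host the grep above returns the same alert many times, and the sealert ID is buried at the end of each line. The following script is an added example, not code from the original post: it pulls the distinct sealert IDs out of setroubleshoot messages and condenses each denial to one line. The `SAMPLE_LOG` lines are constructed, modelled on the output above; on a real host the input would come from /var/log/messages.

```shell
#!/bin/sh
# Added example (not from the original post): extract the distinct sealert IDs
# and a one-line summary of each denial from setroubleshoot messages.
# SAMPLE_LOG is constructed, modelled on the /var/log/messages lines above.
SAMPLE_LOG='Nov 5 11:47:17 localhost yum[8860]: Installed: setroubleshoot-3.0.47-6.el6.i686
Nov 5 11:55:09 localhost setroubleshoot: SELinux is preventing /usr/sbin/sshd from read access on the file /root/.ssh/authorized_keys. For complete SELinux messages. run sealert -l 090d0ada-850d-4a47-9395-1ceb7efe524d
Nov 5 11:55:09 localhost setroubleshoot: SELinux is preventing /usr/sbin/sshd from read access on the file /root/.ssh/authorized_keys. For complete SELinux messages. run sealert -l 090d0ada-850d-4a47-9395-1ceb7efe524d
Nov 5 11:55:09 localhost setroubleshoot: SELinux is preventing /usr/sbin/sshd from getattr access on the file /root/.ssh/authorized_keys. For complete SELinux messages. run sealert -l 936dc62f-3f2c-4d16-9ec5-7043ccf0562b'

# Read log lines on stdin; print each sealert ID once, in order of first appearance.
# setroubleshoot logs the same alert repeatedly, so deduplication matters.
sealert_ids() {
    grep 'setroubleshoot: SELinux is preventing' |
        sed -n 's/.*run sealert -l \([0-9a-f-]*\).*/\1/p' |
        awk '!seen[$0]++'
}

# Read log lines on stdin; print "source permission class target" once per
# distinct denial, so the read and getattr denials on one file show up together.
denial_summary() {
    sed -n 's/.*SELinux is preventing \([^ ]*\) from \([^ ]*\) access on the \([a-z_]*\) \([^ ]*\)\. .*/\1 \2 \3 \4/p' |
        sort -u
}

# Stand-alone usage with the constructed sample. On a real host replace the
# printf with: cat /var/log/messages | sealert_ids
printf '%s\n' "$SAMPLE_LOG" | sealert_ids
printf '%s\n' "$SAMPLE_LOG" | denial_summary
```

Each ID printed by `sealert_ids` can then be passed to `sealert -l` as in the next step; the summary makes it obvious when several alerts are really one mislabelled file.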

# sealert -l 090d0ada-850d-4a47-9395-1ceb7efe524d

For example:

[root@localhost ~]# sealert -l 090d0ada-850d-4a47-9395-1ceb7efe524d
SELinux is preventing /usr/sbin/sshd from read access on the file /root/.ssh/authorized_keys.

***** Plugin restorecon (90.5 confidence) suggests *************************

If you want to fix the label.
/root/.ssh/authorized_keys default label should be ssh_home_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /root/.ssh/authorized_keys

***** Plugin sshd_root (9.50 confidence) suggests **************************

If you want to allow sshd to have read access on the authorized_keys file
Then you must fix the labels.
Do
/sbin/restorecon -Rv /root/.ssh

***** Plugin catchall (1.40 confidence) suggests ***************************

If you believe that sshd should be allowed read access on the authorized_keys file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
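The catchall suggestion builds a policy module from whatever AVC records `grep sshd` finds in the audit log, and `semodule -i` installs it permanently. Before doing that it is worth seeing exactly which allow rules such a module would contain. The script below is an added example, not code from the original post or from the audit2allow tool: it reads raw AVC records and prints the equivalent allow rules. `SAMPLE_AUDIT` is constructed; its target type `admin_home_t` is an assumed wrong label standing in for whatever the mislabelled file actually carried (the page only says the default should be `ssh_home_t`).

```shell
#!/bin/sh
# Added example (not from the original post): show the allow rules that the
# catchall suggestion's audit2allow step would put into a policy module, so
# they can be reviewed before anything is installed with semodule.
# SAMPLE_AUDIT is constructed; admin_home_t is an assumed wrong target label.
# The USER_AUTH record is there because "grep sshd" also matches non-AVC lines.
SAMPLE_AUDIT='type=AVC msg=audit(1383623709.101:456): avc:  denied  { read } for  pid=8901 comm="sshd" name="authorized_keys" dev=dm-0 ino=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1383623709.102:457): avc:  denied  { getattr } for  pid=8901 comm="sshd" path="/root/.ssh/authorized_keys" dev=dm-0 ino=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file
type=USER_AUTH msg=audit(1383623709.200:458): pid=8901 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg=op=PAM:authentication acct="root" exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=failed'

# Read audit records on stdin; print one "allow <stype> <ttype>:<class> { perms };"
# line per (source type, target type, class), permissions sorted, non-AVC lines ignored.
avc_rules() {
    awk '/avc: +denied/ {
        # permissions are the words between the braces
        b = index($0, "{"); e = index($0, "}")
        np = split(substr($0, b + 1, e - b - 1), perms, " ")
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            # third colon-separated field of a context is its type
            if (kv[1] == "scontext") { split(kv[2], c, ":"); s = c[3] }
            if (kv[1] == "tcontext") { split(kv[2], c, ":"); t = c[3] }
            if (kv[1] == "tclass")   { cls = kv[2] }
        }
        for (j = 1; j <= np; j++) print s, t ":" cls, perms[j]
    }' |
    sort -u |
    awk '{ key = $1 " " $2 }
         key != prev { if (prev != "") print "allow " prev " { " ps " };"; prev = key; ps = $3; next }
         { ps = ps " " $3 }
         END { if (prev != "") print "allow " prev " { " ps " };" }'
}

# Stand-alone usage with the constructed sample. On a real host:
#   grep sshd /var/log/audit/audit.log | avc_rules
printf '%s\n' "$SAMPLE_AUDIT" | avc_rules
```

Compare the printed rule with what sealert reported: the file's default label is `ssh_home_t`, which sshd can already read under the stock policy. A module built from these records would instead grant `sshd_t` access to the wrong type for every file that carries it, and that grant stays in effect after the label is corrected. Checking `ls -Z /root/.ssh/authorized_keys` against `matchpathcon /root/.ssh/authorized_keys` confirms whether the file is mislabelled, in which case `restorecon` is the right fix and no module is needed.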

The fixes are listed in the output above; the restorecon plugin, with by far the highest confidence, points to a mislabelled file, so restore the default labels:

# restorecon -Rv /root/.ssh
