Original link: http://www.dbaleet.org/how_to_enable_selinux_on_exadata_cell/
SELinux (Security-Enhanced Linux) is a mandatory access control security subsystem designed for Linux by the US National Security Agency (NSA). Most Linux distributions enable SELinux at the kernel level and ship a customizable security policy. SELinux is an implementation of mandatory access control; its main purpose is to control which resources a process can access, which reduces or prevents probing for and exploitation of 0-day vulnerabilities.
On Exadata, SELinux is disabled by default on the DB nodes, mainly because of problems ASM could cause; see my earlier article "Must iptables and SELinux be disabled?" http://www.dbaleet.org/is_disable_iptables_and_selinux_to_be_mandatory/ .
SELinux has three states:
- Enforcing: the default mode. SELinux's security policy is enabled and enforced on the system; access is denied and actions are logged.
- Permissive: SELinux is enabled but the security policy is not enforced; it only issues warnings and logs actions. Permissive mode is useful when troubleshooting SELinux problems.
- Disabled: SELinux is disabled.
On the cells, SELinux is enabled in Permissive mode by default, which means the system only writes access-control violations to the log file and does not actually enforce the security policy.
[root@dm01cel01 audit]# imageinfo

Kernel version: 2.6.32-400.6.2.el5uek #1 SMP Sun Nov 18 17:02:09 PST 2012 x86_64
Cell version: OSS_11.2.3.2.1_LINUX.X64_121203
Cell rpm version: cell-11.2.3.2.1_LINUX.X64_121203-1

Active image version: 11.2.3.2.1.121203
Active image activated: 2012-12-05 18:22:16 -0700
Active image status: success
Active system partition on device: /dev/md5
Active software partition on device: /dev/md7

In partition rollback: Impossible

Cell boot usb partition: /dev/sda1
Cell boot usb version: 11.2.3.2.1.121203

Inactive image version: undefined
Rollback to the inactive partitions: Impossible

[root@dm01db01 audit]# sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted
On Linux, SELinux uses the auditd daemon to write AVC policy violations to /var/log/audit/audit.log. By default this file is rotated when it reaches 25MB, producing archive files with suffixes such as .1 or .2.
In newer Exadata versions there is a file named SELinuxPermit.log under /opt/oracle.SupportTools; it is taken from the avc denial messages in /var/log/audit/audit.log. For example:
type=AVC msg=audit(1330990260.465:60): avc: denied { execute } for pid=8232 comm="ntpdate" path="/lib64/libcap.so.1.10" dev=md5 ino=688359 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
These are the SELinux rules that were violated. If the violations in SELinuxPermit.log are added as exception (allow) rules, SELinux can then be switched to enforcing mode.
1. Generate the corresponding te (type enforcement) file from the violations recorded in SELinuxPermit.log:
[root@dm01cel01 audit]# sed -e '/^#/d' /opt/oracle.SupportTools/SELinuxPermit.log |audit2allow -m Exadata > Exadata.te
2. Compile it into the corresponding module:
[root@dm01cel01 audit]# checkmodule -M -m Exadata.te -o Exadata.mod
3. Build the corresponding package from the module:
[root@dm01cel01 audit]# semodule_package -m Exadata.mod -o Exadata.pp
4. Remove the previous Exadata module from the kernel:
[root@dm01cel01 audit]# semodule -r Exadata
5. Load the newly generated package into the kernel:
[root@dm01cel01 audit]# semodule -i Exadata.pp
6. Change the SELINUX= line in /etc/selinux/config to SELINUX=enforcing.
7. Reboot the host for the change to take effect.
Note: SELinux enforcing mode has not been rigorously tested and is not officially supported. If you are not very familiar with SELinux on Linux, do not make this change.
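The following script is an added example and is not part of the original post or of Oracle's Exadata tooling. Its first part reproduces what the audit2allow step does with denial lines of the format shown above: it turns "avc: denied" records into a minimal type-enforcement module, merging the permissions per (source type, target type, class). Its second part wraps steps 1 through 6 with the checks a practitioner would want (refuse to build unless the host is currently permissive, tolerate a missing earlier module at step 4, validate the mode written to the config file). The sample log lines are constructed, the function names are hypothetical, and the module name and config path are parameters.

```shell
#!/bin/sh
# Added example, not code from the original post or from Oracle.
# Part 1 mimics audit2allow on "avc: denied" records; part 2 wraps the
# post's build/install steps and the /etc/selinux/config edit with checks.
# Sample lines below are constructed; function names are hypothetical.

# Constructed sample in the format of /var/log/audit/audit.log (and SELinuxPermit.log).
SAMPLE_DENIALS='# comment lines are dropped, as the sed step of the post does
type=AVC msg=audit(1330990260.465:60): avc: denied { execute } for pid=8232 comm="ntpdate" path="/lib64/libcap.so.1.10" dev=md5 ino=688359 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=AVC msg=audit(1330990261.100:61): avc: denied { read getattr } for pid=8232 comm="ntpdate" path="/lib64/libcap.so.1.10" dev=md5 ino=688359 scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=file
type=SYSCALL msg=audit(1330990260.465:60): arch=c000003e syscall=59 success=yes exit=0'

# summarize_avc [module_name]: read audit lines on stdin, print a .te module.
# Each denial becomes "allow <source_type> <target_type>:<class> { perms };",
# with permissions merged per (source, target, class) and deduplicated.
summarize_avc() {
  mod=${1:-Exadata}
  awk '
    /^#/ { next }                       # skip comment lines
    !/avc: *denied/ { next }            # keep only AVC denial records
    {
      perms = $0
      sub(/.*denied *[{] */, "", perms) # text after "denied {" ...
      sub(/ *[}].*/, "", perms)         # ... up to the closing brace
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }   # user:role:TYPE:level
        else if ($i ~ /^tcontext=/) { split($i, b, ":"); tgt = b[3] }
        else if ($i ~ /^tclass=/) { cls = substr($i, 8) }
      }
      if (src == "" || tgt == "" || cls == "") next   # malformed record
      n = split(perms, p, " ")
      for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' | sort -u | awk -v mod="$mod" '
    {
      types[$1] = 1; types[$2] = 1
      cp = $3 SUBSEP $4
      if (!(cp in classperm)) { classperm[cp] = 1; cperms[$3] = cperms[$3] " " $4 }
      key = $1 " " $2 ":" $3
      if (key != cur) {
        if (cur != "") rules = rules "allow " cur " { " plist " };\n"
        cur = key; plist = $4
      } else plist = plist " " $4
    }
    END {
      if (cur != "") rules = rules "allow " cur " { " plist " };\n"
      print "module " mod " 1.0;\n"
      print "require {"
      for (t in types) print "\ttype " t ";"
      for (c in cperms) print "\tclass " c " {" cperms[c] " };"
      print "}\n"
      printf "%s", rules
    }'
}

# set_selinux_mode <config_file> <enforcing|permissive|disabled>
# Rewrites only the SELINUX= line (step 6 of the post); the path is a
# parameter so the function can be exercised on a copy of the file.
set_selinux_mode() {
  cfg=$1; mode=$2
  case $mode in
    enforcing|permissive|disabled) ;;
    *) echo "invalid SELinux mode: $mode" >&2; return 1 ;;
  esac
  grep -q '^SELINUX=' "$cfg" || { echo "no SELINUX= line in $cfg" >&2; return 1; }
  # write through "cat >" so the original inode, owner and mode are preserved
  sed "s/^SELINUX=.*/SELINUX=$mode/" "$cfg" > "$cfg.tmp" && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# build_and_install_module <denial_log> <module_name>: steps 1-5 of the post,
# refusing to run unless the host is currently permissive (otherwise the denial
# log is incomplete) and tolerating the absence of an earlier module at step 4.
build_and_install_module() {
  log=$1; mod=$2
  [ "$(getenforce 2>/dev/null)" = "Permissive" ] || { echo "run in permissive mode first" >&2; return 1; }
  sed -e '/^#/d' "$log" | audit2allow -m "$mod" > "$mod.te" || return 1
  checkmodule -M -m "$mod.te" -o "$mod.mod" || return 1
  semodule_package -m "$mod.mod" -o "$mod.pp" || return 1
  semodule -r "$mod" 2>/dev/null || true
  semodule -i "$mod.pp"
}

# Demo on the constructed sample; needs only awk/sed/sort, not the SELinux tools.
printf '%s\n' "$SAMPLE_DENIALS" | summarize_avc Exadata
```

The demo prints a module with a require block and the single merged rule `allow ntpd_t file_t:file { execute getattr read };`. That merging is also the reason to read the generated .te before loading it: audit2allow (and this imitation of it) grants every denial it saw, so a rule such as a daemon executing unlabelled file_t content should be confirmed as intended Exadata behaviour, not just a side effect of something that ran while the cell was permissive.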
See MOS note: How to enable 'enforcing' mode for SELinux on Exadata (Doc ID 1481829.1)
Please note that SELinux enforcing mode is not tested by Exadata Development and
that creating/changing an SELinux policy is beyond the scope of Oracle Support.
Setting SELinux policy must be done carefully, to avoid ‘breaking’ applications,
so be sure to check /var/log/audit/audit.log if something should ‘go wrong’.
Attached is the content of the corresponding Exadata TE file from my current test environment:
module Exadata 1.0;

require {
	type audisp_t;
	type mount_t;
	type file_t;
	type restorecon_t;
	type load_policy_t;
	type procmail_t;
	type mdadm_t;
	type wtmp_t;
	type snmpd_t;
	type tmp_t;
	type root_t;
	type auditctl_t;
	type fsdaemon_t;
	type auditd_t;
	type faillog_t;
	type fsadm_t;
	type iptables_t;
	type hwclock_t;
	type mqueue_spool_t;
	type pam_console_t;
	type system_mail_t;
	type semanage_t;
	type usr_t;
	type ping_t;
	type syslogd_t;
	type sysfs_t;
	type var_spool_t;
	type irqbalance_t;
	type var_log_t;
	type sendmail_log_t;
	type setfiles_t;
	type lastlog_t;
	type etc_mail_t;
	type shadow_t;
	type ifconfig_t;
	type ntpd_t;
	type locale_t;
	type etc_runtime_t;
	type klogd_t;
	type device_t;
	type initrc_var_run_t;
	type var_t;
	type netutils_t;
	class process { setsched getsched };
	class capability sys_resource;
	class file { rename execute setattr read getattr write ioctl unlink append };
	class netlink_route_socket { write bind create read nlmsg_read };
	class lnk_file read;
	class dir { rename search read write getattr rmdir remove_name };
}

#============= audisp_t ==============
allow audisp_t file_t:file { execute getattr };
allow audisp_t self:capability sys_resource;

#============= auditctl_t ==============
allow auditctl_t etc_runtime_t:file getattr;
allow auditctl_t faillog_t:file getattr;
allow auditctl_t file_t:file read;
allow auditctl_t initrc_var_run_t:file getattr;
allow auditctl_t lastlog_t:file getattr;
allow auditctl_t locale_t:file getattr;
allow auditctl_t shadow_t:file getattr;
allow auditctl_t tmp_t:file read;
allow auditctl_t wtmp_t:file getattr;

#============= auditd_t ==============
allow auditd_t file_t:file { rename getattr setattr read unlink append };

#============= fsadm_t ==============
allow fsadm_t root_t:file unlink;
allow fsadm_t var_log_t:file append;

#============= fsdaemon_t ==============
allow fsdaemon_t file_t:file { read getattr };
allow fsdaemon_t self:capability sys_resource;
allow fsdaemon_t usr_t:file { read getattr };

#============= hwclock_t ==============
allow hwclock_t self:capability sys_resource;

#============= ifconfig_t ==============
allow ifconfig_t file_t:dir { search getattr };
allow ifconfig_t file_t:file append;
allow ifconfig_t file_t:lnk_file read;
allow ifconfig_t usr_t:lnk_file read;
allow ifconfig_t var_log_t:file write;

#============= iptables_t ==============
allow iptables_t file_t:dir { search getattr };
allow iptables_t file_t:file append;
allow iptables_t file_t:lnk_file read;

#============= irqbalance_t ==============
allow irqbalance_t file_t:file { read getattr execute };

#============= klogd_t ==============
allow klogd_t file_t:file { read getattr execute };

#============= load_policy_t ==============
allow load_policy_t file_t:file { read getattr execute };

#============= mdadm_t ==============
allow mdadm_t var_log_t:file append;

#============= mount_t ==============
allow mount_t var_log_t:file append;

#============= netutils_t ==============
allow netutils_t sysfs_t:dir search;
allow netutils_t sysfs_t:file read;

#============= ntpd_t ==============
allow ntpd_t file_t:file { read getattr unlink execute };

#============= pam_console_t ==============
allow pam_console_t file_t:file { read ioctl getattr };

#============= ping_t ==============
allow ping_t file_t:file { read getattr execute };

#============= procmail_t ==============
allow procmail_t file_t:file { read getattr };
allow procmail_t self:capability sys_resource;

#============= restorecon_t ==============
allow restorecon_t file_t:file execute;

#============= semanage_t ==============
allow semanage_t file_t:dir { rename write getattr rmdir read remove_name };
allow semanage_t file_t:file { execute unlink };
allow semanage_t file_t:lnk_file read;

#============= setfiles_t ==============
allow setfiles_t device_t:file append;
allow setfiles_t file_t:file execute;

#============= snmpd_t ==============
allow snmpd_t etc_mail_t:dir search;
allow snmpd_t etc_mail_t:file { read getattr };
allow snmpd_t file_t:file { read rename getattr unlink execute };
allow snmpd_t mqueue_spool_t:dir search;
allow snmpd_t self:capability sys_resource;
allow snmpd_t self:netlink_route_socket { write bind create read nlmsg_read };
allow snmpd_t self:process { setsched getsched };
allow snmpd_t sendmail_log_t:dir search;
allow snmpd_t sendmail_log_t:file read;
allow snmpd_t tmp_t:dir { read getattr };
allow snmpd_t usr_t:file append;
allow snmpd_t var_spool_t:dir search;
allow snmpd_t var_t:lnk_file read;

#============= syslogd_t ==============
allow syslogd_t file_t:file { read getattr execute };

#============= system_mail_t ==============
allow system_mail_t file_t:file { read getattr execute };