我正在最小使用CentOS7。我已经安装acpid
并且守护程序正在运行。
当我按下电源按钮时,我得到以下信息 /var/log/messages
May 2 18:52:53 localhost systemd-logind: Power key pressed.
May 2 18:52:53 localhost systemd: SELinux policy denies access.
并在/var/log/audit/audit.log
:
type=USER_AVC msg=audit(1430589539.562:468): pid=815 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.systemd1 spid=4177 tpid=1 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1430589539.571:469): pid=815 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.systemd1 spid=4182 tpid=1 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1430589539.586:470): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
通过管道传递audit2why
以下输出:
type=USER_AVC msg=audit(1430589539.562:468): pid=815 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.systemd1 spid=4177 tpid=1 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=USER_AVC msg=audit(1430589539.571:469): pid=815 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus.Properties member=Get dest=org.freedesktop.systemd1 spid=4182 tpid=1 scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
type=USER_AVC msg=audit(1430589539.586:470): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=-1 uid=0 gid=0 path="/usr/lib/systemd/system/poweroff.target" scontext=system_u:system_r:apmd_t:s0 tcontext=system_u:object_r:power_unit_file_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
最后,将日志传递audit2allow -lar
给我:
require {
type power_unit_file_t;
type init_t;
type apmd_t;
class dbus send_msg;
class service start;
}
#============= apmd_t ==============
allow apmd_t init_t:dbus send_msg;
allow apmd_t power_unit_file_t:service start;
我不确定下一步该怎么做。如何从上面的输出中获取有效的SELinux策略?
audit2allow
-M <name>
使用option时可以直接生成策略模块。
然后可以使用加载该模块semodule -i <name>.pp
。
该模块也可以手动编译。当您修改自动生成的模块时,这很有用。手册页上有一个示例,列出了步骤:
# Compile the module
$ checkmodule -M -m -o local.mod local.te
# Create the package
$ semodule_package -o local.pp -m local.mod
# Load the module into the kernel
$ semodule -i local.pp
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句