{"id":23,"date":"2010-04-17T17:24:29","date_gmt":"2010-04-18T02:24:29","guid":{"rendered":"\/blog\/?p=23"},"modified":"2023-09-21T09:41:25","modified_gmt":"2023-09-21T00:41:25","slug":"selinux%ec%97%90-%ea%b4%80%eb%a0%a8%eb%90%9c-%eb%ac%b8%ec%a0%9c","status":"publish","type":"post","link":"https:\/\/hasu0707.duckdns.org\/blog\/?p=23","title":{"rendered":"SELinux\uc5d0 \uad00\ub828\ub41c \ubb38\uc81c"},"content":{"rendered":"\n

SELinux <\/FONT><\/STRONG><\/SPAN><\/P>\n

 <\/P>\n

 <\/P>\n

\uac01\uc885 \ub9ac\ub205\uc2a4\uad00\ub828 \ud2b8\ub7ec\ube14\uc288\ud305\uc744 \ucc98\ub9ac\ud558\ub2e4\ubcf4\uba74 \uacf5\ubd80\ud574\uc57c\ud560\uac83\ub4e4\uc774 \ucc38 \ub9ce\ub2e4. \uc694\uc998 \uc790\uc8fc \uac70\ub860\ub418\ub294 \ubb38\uc81c\uac00 SELinux \uad00\ub828\ub41c \ubb38\uc81c\ub4e4\uc778\ub370, SELinux \ub77c\uba74 \uc544\uc9c1 \ubabb\ub4e4\uc5b4\ubcf8 \uc0ac\ub78c\uc774 \uaf64 \ub9ce\uc774 \uc788\uc744\uac83\uc774\ub2e4. <\/SPAN><\/P>\n

SELinux\uc758 \ub0b4\ubd80\uc801\uc778 \uad6c\ud604\uc6d0\ub9ac \uac19\uc740 \ubd80\ubd84\uc740 \uc774 \ubb38\uc11c\uc5d0 \ub2e4\ub8e8\uace0\uc790 \ud558\ub294 \ub0b4\uc6a9\uc774 \uc544\ub2c8\ub2e4. SELinux\uc758 \uc544\ud0a4\ud14d\ucc98\ub098 \ucf54\ub4dc\uc5d0 \ub300\ud55c \ubd80\ubd84\uc744 \ub354 \ub9ce\uc774 \uc54c\uae30\uc704\ud574\uc11c\ub294 IBM\uc758 \uae30\uc220\ubb38\uc11c(http:\/\/www-128.ibm.com\/developerworks\/kr\/library\/l-selinux\/index.html<\/A>) \uc744 \ucc38\uace0\ud558\uac70\ub098 NSA\uc758 \ud648\ud398\uc774\uc9c0(http:\/\/www.nsa.gov\/selinux\/<\/A>)\ub4f1\ub97c \ucc38\uace0\ud558\uae30 \ubc14\ub780\ub2e4. \ud544\uc790\ub294 \ub2e8\uc9c0 \uc5ec\ub7ec\ubd84\uc774 \uc2dc\uc2a4\ud15c\uc744 \uad00\ub9ac\ud558\uba74\uc11c \uc0c8\ub86d\uac8c \ub9cc\ub098\uac8c\ub418\ub294 SELinux\uc5d0 \uad00\ub828\ub41c \ubb38\uc81c\ub97c \uc774\ubb38\uc11c\ub97c \ud1b5\ud574\uc11c \ud574\uacb0\ud560\uc218 \uc788\uae30\ub97c \ubc14\ub784\ubfd0\uc774\ub2e4. <\/SPAN><\/P>\n

\uc791\uc131\uc790 : \uae40\ud615\ucc44 <\/SPAN><\/P>\n

\ucc28\ub840 <\/SPAN><\/P>\n

1. SELInux(Security-Enhanced Linux) \ub780?                              1 <\/SPAN><\/P>\n

2. SELinux \uc815\ucc45\uc774\ub780 \ubb34\uc5c7\uc778\uac00?                                              1  <\/SPAN><\/P>\n

3. SELinux \uc124\uce58\uc5ec\ubd80 \ud655\uc778                                                      2 <\/SPAN><\/P>\n

4. SELinux \uae30\ubcf8\uc124\uc815 - \/etc\/sysconfig\/selinux                         4 <\/SPAN><\/P>\n

5. SELinux \uc11c\ube44\uc2a4 \uc124\uc815 - setenforce                                       5 <\/SPAN><\/P>\n

6. SELinux \uc11c\ube44\uc2a4 \uc124\uc815 - chcon                                             5 <\/SPAN><\/P>\n

7. SELinux \uc11c\ube44\uc2a4 \uc124\uc815 - setsebool                                        5 <\/SPAN><\/P>\n

8. \uc0ac\uc6a9\uc911\uc778 \uc815\ucc45\uc744 \uad50\uccb4\ud558\ub294 \ubc29\ubc95\uc740?                                       6 <\/SPAN><\/P>\n

9. SELinux LOG                                                                   7 <\/SPAN><\/P>\n

10. Audit2allow                                                                    8 <\/SPAN><\/P>\n

11. avc: denied                                                                    8 <\/SPAN><\/P>\n

12. \ucc38\uace0\ubb38\ud5cc \ub610\ub294 URL              <\/SPAN>                                             8 <\/SPAN><\/P>\n

 <\/P>\n

1. SELInux(Security-Enhanced Linux) \ub780? <\/STRONG><\/FONT><\/SPAN><\/P>\n

SELinux \ub780 \ubbf8 \uad6d\uac00 \ubcf4\uc548\uad6d (U.S. National Security Agency)\ub9ac \uc624\ud508\uc18c\uc2a4\ucee4\ubba4\ub2c8\ud2f0\uc5d0 \ub9b4\ub9ac\uc988\ud55c Linux\uc758 \ubcf4\uc548 \uac15\ud654 \ubc84\uc804(\ucf54\ub4dc \ud3ec\ud568)\uc73c\ub85c\uc11c \ub9ac\ub205\uc2a4 \ubcf4\uc548 \ubaa8\ub4c8 \uad6c\uc870\uccb4(Linux Security Modules(LSM) framework)\ub97c \uc774\uc6a9\ud558\uc5ec \ub9ac\ub205\uc2a4 \ucee4\ub110\uc5d0 \uc758\ubb34 \uc811\uadfc \uc81c\uc5b4(Mandatory Access Control - MAC)\ub97c \uad6c\ud604\ud558\ub294 \uac83\uc774\ub2e4. Fedora Core3\ubd80\ud130 \uae30\ubcf8\uc73c\ub85c \uc801\uc6a9\ub418\uae30 \uc2dc\uc791\ud558\uc600\uace0, \ud604\uc7ac \ub300\ubd80\ubd84\uc758 \ucd5c\uc2e0 \ub9ac\ub205\uc2a4 \ubc30\ud3ec\ud310\uc5d0\uc11c \uc9c0\uc6d0\ub418\uace0\uc788\ub2e4. <\/SPAN><\/P>\n

SELinux\uc5d0 \ub300\ud55c \uc774\ud574\ub97c \ub3d5\uae30\uc704\ud574\uc11c DAC, MAC\ub97c \uc7a0\uae50 \uc774\uc57c\uae30 \ud574\ubcf4\uc790. <\/SPAN><\/P>\n

\ud45c\uc900 \ub9ac\ub205\uc2a4 \ubcf4\uc548\uc740 Discretionary Access Control - DAC \ubaa8\ub378\uc744 \ub530\ub978\ub2e4. DAC \ubaa8\ub378\uc5d0\uc11c, \ud30c\uc77c\uacfc \uc790\uc6d0\uc5d0 \ub300\ud55c \uacb0\uc815\uad8c\uc740 \uc624\uc9c1 \ud574\ub2f9 \uac1d\uccb4(objects)\uc758 \uc0ac\uc6a9\uc790(user id)\uc5d0\uac8c \uc788\uace0 \uc18c\uc720\uad8c(ownership)\uc5d0 \ub530\ub77c \uc774\ub904\uc9c4\ub2e4. \uac01 \uc0ac\uc6a9\uc790\uc640 \uadf8 \uc0ac\uc6a9\uc790\uc5d0 \uc758\ud574 \uc2e4\ud589\ub41c \ud504\ub85c\uadf8\ub7a8\uc740 \uc790\uae30\uc5d0\uac8c \ud560\ub2f9\ub41c \uac1d\uccb4\uc5d0 \ub300\ud574 \uc804\uc801\uc73c\ub85c \uc790\uc720\uc7ac\ub7c9\uad8c\uc744 \uac16\ub294\ub2e4. \uc774\ub7ec\ud55c \uc0c1\ud669\uc5d0\uc11c\ub294, \uc545\uc758 \uc788\ub294 \uc77c\ubc18 \ud639\uc740 \ub8e8\ud2b8 \uc0ac\uc6a9\uc790(\uc608\ub85c, setuid\uc640 setgid)\uac00 \uc2e4\ud589\uc2dc\ud0a8 \uacb0\ud568\uc774 \uc788\ub294 \uc18c\ud504\ud2b8\uc6e8\uc5b4\ub97c \ud1b5\ud574 \uc8fc\uc5b4\uc9c4 \uac1d\uccb4\ub85c \uc6d0\ud558\ub294 \uc5b4\ub5a0\ud55c \uc77c\uc744 \ud574\ub3c4 \ub9c9\uc544\ub0bc \ubc29\ubc95\uc774 \uc5c6\uc73c\uba70 \ubcf4\uc548 \uc815\ucc45\uc744 \uc2dc\uc2a4\ud15c \uc804\uccb4\uc5d0 \uac78\uccd0 \uc2dc\ud589\ub418\ub3c4\ub85d \ud560 \ubc29\ubc95\uc774 \uc5c6\ub2e4. <\/SPAN><\/P>\n

\ubc18\uba74\uc5d0 SELinux\ud558\uc5d0\uc11c MAC\ub294 \ubaa8\ub4e0 \uc8fc\uccb4(subjects - \uc0ac\uc6a9\uc790, \ud504\ub85c\uadf8\ub7a8, \ud504\ub85c\uc138\uc2a4)\uc640 \uac1d\uccb4(\ud30c\uc77c, \ub514\ubc14\uc774\uc2a4)\uc5d0 \ub300\ud574\uc11c \uad6d\ubd80\uc801\uc73c\ub85c \ud5c8\uac00(granular permissions)\ud574 \uc904 \uc218 \uc788\ub2e4. \uc751\uc6a9\ud504\ub85c\uadf8\ub7a8\uc5d0\uc11c \ubd88\ud544\uc694\ud55c \ubd80\ubd84\uc740 \uc81c\uc678\ud558\uace0 \uc624\uc9c1 \ud544\uc694\ud55c \uae30\ub2a5\uc5d0 \ub300\ud574\uc11c\ub9cc \uc0ac\uc6a9 \uad8c\ud55c\uc744 \uc548\uc804\ud558\uac8c \ubd80\uc5ec\ud558\ub294\uac83\uc774 \uac00\ub2a5\ud558\ub2e4. <\/SPAN><\/P>\n

SELinux\ub294 \ubaa8\ub4e0 \uc8fc\uccb4 (\uc0ac\uc6a9\uc790, \ud504\ub85c\uadf8\ub7a8, \ud504\ub85c\uc138\uc2a4) \ubc0f \uac1d\uccb4 (\ud30c\uc77c\uacfc \uc7a5\uce58)\uc5d0 \uac01\uac01 \ub2e4\ub978 \uad8c\ud55c\uc744 \ubd80\uc5ec\ud560 \uc218 \uc788\uac8c \ud574\uc90d\ub2c8\ub2e4. \ub530\ub77c\uc11c \uc0ac\uc6a9\uc790\ub294 \ud55c \uc751\uc6a9 \ud504\ub85c\uadf8\ub7a8\uc5d0\uac8c \uadf8 \ud504\ub85c\uadf8\ub7a8\uc774 \uc81c\ub300\ub85c \uc791\ub3d9\ud558\ub294\ub370 \ud544\uc694\ud55c \uad8c\ud55c\ub9cc \uc548\uc804\ud558\uac8c \ubd80\uc5ec\ud560 \uc218 \uc788\ub2e4. <\/SPAN><\/P>\n


2 . SELinux \uc815\ucc45\uc774\ub780 \ubb34\uc5c7\uc778\uac00? <\/STRONG><\/FONT><\/SPAN><\/P>\n

SELinux \uc815\ucc45\uc740 \uc0ac\uc6a9\uc790, \ud504\ub85c\uadf8\ub7a8, \ud504\ub85c\uc138\uc2a4 \uadf8\ub9ac\uace0 \uc774\ub4e4\uc758 \ub3d9\uc791 \ub300\uc0c1\uc778 \ud30c\uc77c\uacfc \ub514\ubc14\uc774\uc2a4\ub97c \ud3ec\ud568\ud55c \uc2dc\uc2a4\ud15c \uc804\uccb4, \uc989, \ubaa8\ub4e0 \uc8fc\uccb4\uc640 \uac1d\uccb4\uc5d0 \ub300\ud55c \uc811\uadfc \ud5c8\uac00(access permissions)\ub97c \ud3ec\ud568\ud55c \ud328\ud0a4\uc9c0\ub97c \uc774\uc57c\uae30\ud55c\ub2e4. \ud398\ub3c4\ub77c\uc5d0\uc11c \uc0ac\uc6a9\uac00\ub2a5\ud55c \uc815\ucc45 \ud328\ud0a4\uc9c0\ub294 strict , targeted \ub450\uac00\uc9c0\uac00 \uc788\ub2e4. <\/SPAN><\/P>\n

\ud398\ub3c4\ub77c\ucf54\uc5b4\uc5d0\uc11c SELinux \uc815\ucc45\uc73c\ub85c strict policy \ub97c \uc801\uc6a9\ud568\uc73c\ub85c \uc778\ud574\uc11c \ub2e4\uc591\ud55c \uc0ac\uc6a9\uc790\ub4e4\uc774 \ub9ce\uc740 \ubb38\uc81c\uc810\uc744 \uc77c\uc73c\ud0b4\uc73c\ub85c \uc778\ud574\uc11c(\uc77c\ubc18\uc0ac\uc6a9\uc790\ub4e4\uc774 SELinux\ub97c \uc0ac\uc6a9\ud558\uae30 \uc704\ud574\uc11c\ub294 \uc218\uc900\ub192\uc740 \uc804\ubb38\uae30\uc220\uc774 \ud544\uc694\ud558\ub2e4) \ud604\uc7ac RHEL4 \uc5d0\uc11c\ub294 \ubcf4\ub2e4 \uc644\ud654\ub41c \uc815\ucc45\ud328\ud0a4\uc9c0 targeted poicy \uac00 \uc124\uce58\uc2dc \uae30\ubcf8\uc73c\ub85c \uc81c\uacf5\ub41c\ub2e4. <\/SPAN><\/P>\n

targeted policy\ub294 \uc790\uc8fc \ubb38\uc81c\uc2dc\ub418\ub294 \ubd80\ubd84\ub4e4\ub9cc \uc6b0\uc120\uc801\uc73c\ub85c \uc801\uc6a9\uc2dc\ud0a4\uace0, \ub098\uba38\uc9c0\ub294 \ud45c\uc900 \ub9ac\ub205\uc2a4 \ubcf4\uc548\uacfc \ub3d9\uc77c\ud558\uac8c \uc6b4\uc601\ub418\ub3c4\ub85d \uc801\uc6a9\ud55c \uc815\ucc45\uc774\ub2e4. <\/SPAN><\/P>\n

\ud604\uc7ac, targeted policy \uc5d0\uc11c\ub294 dhcpd, httpd(apache.te), named, nscd, ntpd, portmap, snmpd, squid \uadf8\ub9ac\uace0 syslogd \ub370\ubaac\uc5d0 \ub300\ud574\uc11c \uad00\ub9ac\ud55c\ub2e4. \uc774 \ub370\ubaac\ub4e4\uc5d0 \ub300\ud55c \uc815\ucc45 \ud30c\uc77c\uc740 \/etc\/selinux\/targeted\/src\/policy\/domains\/program\uc5d0\uc11c \ucc3e\uc744 \uc218 \uc788\ub2e4. <\/SPAN><\/P>\n

 <\/P>\n

3 . SELinux \uc124\uce58\uc5ec\ubd80 \ud655\uc778 <\/STRONG><\/FONT><\/SPAN><\/P>\n

SELinux \ub97c \uc0ac\uc6a9\ud558\uace0 \uc788\ub294\uc9c0\ub97c \ud655\uc778\ud558\ub294 \ubc29\ubc95\uc740 \ubcf4\uc548\ubb38\ub9e5\uc744 \ud655\uc778\ud558\ub294 \ubc29\ubc95\uc73c\ub85c \uc54c \uc218 \uc788\ub2e4. <\/SPAN><\/P>\n

\ud30c\uc77c, \uc0ac\uc6a9\uc790, \ud504\ub85c\uc138\uc2a4\ub4f1\uc758 \ubb38\ub9e5\uc744 \ud655\uc778\ud560 \ub54c\ub294 -Z \ub77c\ub294 \uc0c8 \uc635\uc158\uc744 \uc774\uc6a9\ud574\uc11c \ud655\uc778\ud560 \uc218 \uc788\ub2e4. <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

ls -lZ \/etc\/selinux <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

-rw-r--r--  root    root   system_u:object_r:selinux_config_t config <\/SPAN><\/P>\n

drwxr-xr-x  root    root   system_u:object_r:selinux_config_t targeted <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

-Z\uc635\uc158\uc744 \uc774\uc6a9\ud574\uc11c \ubcf4\uc548\ubb38\ub9e5\uc744 \ubcf4\uc5ec\uc8fc\ub294\ub370 \uc774 \uacb0\uacfc\ub97c \ud1b5\ud574\uc11c \"system_u\" \uc0ac\uc6a9\uc790, \"object_r\" \uc5ed\ud560,  \"selinux_config_t\" \ud0c0\uc785\uc744 \ud655\uc778\ud560\uc218 \uc788\ub2e4. \uc774\ub7f0 \ubb38\ub9e5\uc73c\ub85c SELinux\uc758 \uc815\ucc45\uc5d0 \ube44\uad50\ud574\uc11c \ud5c8\uc6a9\ud558\uac70\ub098 \uac70\ubd80\ud558\uac8c \ub418\ubbc0\ub85c \ubb38\ub9e5\uc774 \ud655\uc778\uac00\ub2a5\ud558\ub2e4\uba74 SELinux \ub97c \uc0ac\uc6a9\uc911\uc778 \uac83\uc774\ub2e4.. <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

\ud30c\uc77c \uc774\uc678\uc5d0 \ud504\ub85c\uc138\uc2a4\uc640 \uc0ac\uc6a9\uc790\uc5d0\ub3c4 \uac01\uac01 \uc544\ub798\ucc98\ub7fc \ubcf4\uc548\ubb38\ub9e5\uc744 \ud655\uc778\ud560\uc218 \uc788\ub2e4 <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

root@example# ps axZ | grep squid <\/SPAN><\/P>\n

user_u:system_r:squid_t          3912 ?        Ss     0:00 squid -D <\/SPAN><\/P>\n

user_u:system_r:squid_t          3915 ?        S      9:10 (squid) -D <\/SPAN><\/P>\n

user_u:system_r:squid_t          3916 ?        Ss     0:01 (unlinkd) <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

root@example# id <\/SPAN><\/P>\n

uid=0(root) <\/SPAN><\/P>\n

gid=0(root)groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel) <\/SPAN><\/P>\n

context=root:system_r:unconfined_t <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

RedHat \uc758 SELinux \ud328\ud0a4\uc9c0 \uacbd\uc6b0\uc5d0\ub294 sestatus -v \ub77c\ub294 \uba85\ub839\uc744 \uc774\uc6a9\ud574\uc11c \ud604\uc7ac SELinux\uc758 \uc0ac\uc6a9\uc0c1\ud0dc\ub97c \uc544\ub798\uc640 \uac19\uc774 \ud655\uc778\ud560\uc218 \uc788\ub2e4. <\/SPAN><\/P>\n

[root@ns selinux]# sestatus -v <\/SPAN><\/P>\n

SELinux status:         enabled <\/SPAN><\/P>\n

SELinuxfs mount:        \/selinux <\/SPAN><\/P>\n

Current mode:           enforcing <\/SPAN><\/P>\n

Mode from config file:  enforcing <\/SPAN><\/P>\n

Policy version:         18 <\/SPAN><\/P>\n

Policy from config file:targeted <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

Policy booleans: <\/SPAN><\/P>\n

allow_ypbind            active <\/SPAN><\/P>\n

dhcpd_disable_trans     inactive <\/SPAN><\/P>\n

httpd_disable_trans     active <\/SPAN><\/P>\n

httpd_enable_cgi        active <\/SPAN><\/P>\n

httpd_enable_homedirs   active <\/SPAN><\/P>\n

httpd_ssi_exec          active <\/SPAN><\/P>\n

httpd_tty_comm          inactive <\/SPAN><\/P>\n

httpd_unified           active <\/SPAN><\/P>\n

mysqld_disable_trans    inactive <\/SPAN><\/P>\n

named_disable_trans     active <\/SPAN><\/P>\n

named_write_master_zonesactive <\/SPAN><\/P>\n

nscd_disable_trans      active <\/SPAN><\/P>\n

ntpd_disable_trans      inactive <\/SPAN><\/P>\n

portmap_disable_trans   inactive <\/SPAN><\/P>\n

postgresql_disable_transinactive <\/SPAN><\/P>\n

snmpd_disable_trans     inactive <\/SPAN><\/P>\n

squid_disable_trans     inactive <\/SPAN><\/P>\n

syslogd_disable_trans   inactive <\/SPAN><\/P>\n

winbind_disable_trans   inactive <\/SPAN><\/P>\n

ypbind_disable_trans    inactive <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

Process contexts: <\/SPAN><\/P>\n

Current context:        root:system_r:unconfined_t <\/SPAN><\/P>\n

Init context:           user_u:system_r:unconfined_t <\/SPAN><\/P>\n

\/sbin\/mingetty          user_u:system_r:unconfined_t <\/SPAN><\/P>\n

\/usr\/sbin\/sshd          user_u:system_r:unconfined_t <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

File contexts: <\/SPAN><\/P>\n

Controlling term:       root:object_r:devpts_t <\/SPAN><\/P>\n

\/etc\/passwd             root:object_r:etc_t <\/SPAN><\/P>\n

\/etc\/shadow             system_u:object_r:shadow_t <\/SPAN><\/P>\n

\/bin\/bash               system_u:object_r:shell_exec_t <\/SPAN><\/P>\n

\/bin\/login              system_u:object_r:bin_t <\/SPAN><\/P>\n

\/bin\/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t <\/SPAN><\/P>\n

\/sbin\/agetty            system_u:object_r:sbin_t <\/SPAN><\/P>\n

\/sbin\/init              system_u:object_r:init_exec_t <\/SPAN><\/P>\n

\/sbin\/mingetty          system_u:object_r:sbin_t <\/SPAN><\/P>\n

\/usr\/sbin\/sshd          system_u:object_r:sbin_t <\/SPAN><\/P>\n

\/lib\/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t <\/SPAN><\/P>\n

\/lib\/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t <\/SPAN><\/P>\n

[root@ns selinux]# <\/SPAN><\/P>\n

 <\/P>\n

4 . SELinux \uae30\ubcf8\uc124\uc815 - \/etc\/sysconfig\/selinux<\/STRONG> <\/FONT><\/FONT><\/SPAN><\/P>\n

\ubc30\ud3ec\ud310\ub9c8\ub2e4 \uc11c\ube44\uc2a4 \uc124\uc815\ubc29\ubc95\uc740 \ucc28\uc774\uac00 \uc788\ub2e4. \ud544\uc790\uac00 \ud14c\uc2a4\ud2b8\ud55c \ub808\ub4dc\ud587\uacfc \ud398\ub3c4\ub77c \ubc30\ud3ec\ud310\uc5d0\uc11c\ub294 \/etc\/sysconfig\/selinux \ud30c\uc77c\uc5d0\uc11c SELinux \uc758 \uc0ac\uc6a9\uac00\ub2a5\ud55c \ubaa8\ub4dc\ub97c \uc124\uc815\ud55c\ub2e4. <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

\/etc\/sysconfig\/selinux \ud30c\uc77c\uc758 \ub0b4\uc6a9 <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

# This file controls the state of SELinux on the system. <\/SPAN><\/P>\n

# SELINUX= can take one of these three values: <\/SPAN><\/P>\n

#       enforcing - SELinux security policy is enforced. <\/SPAN><\/P>\n

#       permissive - SELinux prints warnings instead of enforcing. <\/SPAN><\/P>\n

#       disabled - SELinux is fully disabled. <\/SPAN><\/P>\n

SELINUX=enforcing <\/SPAN><\/P>\n

# SELINUXTYPE= type of policy in use. Possible values are: <\/SPAN><\/P>\n

#       targeted - Only targeted network daemons are protected. <\/SPAN><\/P>\n

#       strict - Full SELinux protection. <\/SPAN><\/P>\n

SELINUXTYPE=targeted <\/SPAN><\/P>\n

\uc774 \ud30c\uc77c\uc5d0\ub294 \ub450\ubd80\ubd84\uc758 \uc124\uc815\uc774 \uc788\ub294\ub370 SELINUX \uc758 \uc0c1\ud0dc(enforcing, permissive, disabled)\ub97c \uc124\uc815\ud558\ub294 \ubd80\ubd84\uacfc \ud65c\uc131\ud654\uc2dc\ud0ac \ubcf4\uc548\uc815\ucc45(strict \ub610\ub294 targeted \uc911 \ud558\ub098)\uc744 \uacb0\uc815\ud558\ub294 SELINUXTYPE \uc774\ub77c\ub294 \ubd80\ubd84\uc774 \uc788\ub2e4. <\/SPAN><\/P>\n

disabled ? SELinux \ubcf4\uc548 \uc81c\uc5b4\ub97c \uc0ac\uc6a9\ud558\uc9c0 \uc54a\uc73c\ub824\uba74 disalbed \uc635\uc158\uc744 \uc120\ud0dd\ud55c\ub2e4. disalbed \uc124\uc815\uc740 \ubcf4\uc548 \uc81c\uc5b4 \uae30\ub2a5\uc744 \ub044\uace0 \uc2dc\uc2a4\ud15c\uc774 \ubcf4\uc548 \uc815\ucc45\uc744 \uc0ac\uc6a9\ud558\uc9c0 \uc54a\ub3c4\ub85d \uc124\uc815\ud55c\ub2e4. <\/SPAN><\/P>\n

permissive ? \uc774\uac83\uc744 \uc120\ud0dd\ud558\uba74 \uc11c\ube44\uc2a4 \uac70\ubd80 \uba54\uc2dc\uc9c0\ub97c \ud1b5\ubcf4\ubc1b\uc744 \uc218 \uc788\ub2e4. permissive \uc0c1\ud0dc\ub85c \uc124\uc815\ud558\uba74 \uc790\ub8cc\uc640 \ud504\ub85c\uadf8\ub7a8\uc5d0 \uc774\ub984\uc744 \ud560\ub2f9\ud55c \ud6c4 \ub85c\uadf8\ub97c \uae30\ub85d\ud558\uc9c0\ub9cc \ubcf4\uc548 \uc815\ucc45\uc744 \uc0ac\uc6a9\ud558\uc9c0\ub294 \uc54a\ub294\ub2e4. permissive \uc0c1\ud0dc\ub294 SELinux\ub97c \ucc98\uc74c \uc811\ud558\ub294 \uacbd\uc6b0 \ucc98\uc74c\ubd80\ud130 \uc774 \uae30\ub2a5\uc744 \uc644\uc804\ud788 \ud65c\uc131\ud654\ud558\uc9c0 \uc54a\uace0 \uc6b0\uc120 \uc774 \uc815\ucc45\uc744 \uc0ac\uc6a9\ud574\uc11c \uc77c\ubc18 \uc2dc\uc2a4\ud15c \uc791\uc5c5\uc2dc \uc5b4\ub5a0\ud55c \uc601\ud5a5\uc744 \ubbf8\uce58\ub294\uc9c0 \uc54c\uc544\ubcf4\ub824\ub294 \uacbd\uc6b0 \uc88b\uc740 \uc2dc\uc791\uc810\uc774 \ub420 \uc218 \uc788\ub2e4. \uadf8\ub7ec\ub098 \uacbd\uace0 \uc635\uc158\uc744 \uc120\ud0dd\uc2dc \uac00\ub054\uc529 \ubcf4\uc548\uacbd\uace0 \ub300\uc0c1\uc774 \uc544\ub2cc \uac83\uc744 \uacbd\uace0 \ub300\uc0c1\uc73c\ub85c \ud0d0\uc9c0\ud558\ub294 \uc624\ub958(false positive)\ub098 \uacbd\uace0 \ub300\uc0c1\uc778 \uac83\uc744 \ud0d0\uc9c0\ud558\uc9c0 \uc54a\ub294 \uc624\ub958(false negative)\uac00 \ubc1c\uc0dd\ud560 \uac00\ub2a5\uc131\ub3c4 \uc788\uc73c\ub2c8 \uc8fc\uc758\uac00 \ud544\uc694\ud558\ub2e4. <\/SPAN><\/P>\n

enforcing ? SELinux\ub97c \uc644\uc804\ud788 \ud65c\uc131\ud654\ud558\uc2dc\ub824\uba74 enforcing \uc635\uc158\uc744 \uc120\ud0dd\ud558\uc790. enforcing \uc635\uc158\uc744 \uc120\ud0dd\ud558\uba74 \ucd94\uac00 \uc2dc\uc2a4\ud15c \ubcf4\uc548\uc744 \uc704\ud574 \ubaa8\ub4e0 \ubcf4\uc548 \uc815\ucc45 (\uc608, \ud5c8\uac00\uac00 \uc5c6\ub294 \uc0ac\uc6a9\uc790\uac00 \ud2b9\uc815\ud55c \ud30c\uc77c\uc774\ub098 \ud504\ub85c\uadf8\ub7a8\uc5d0 \uc811\uadfc\ud558\ub294 \uac83\uc744 \uac70\ubd80\ud558\uae30)\uc744 \uc0ac\uc6a9\ud55c\ub2e4. SELinux\uac00 \uc644\uc804\ud788 \uc2e4\ud589\ub418\uc5b4\ub3c4 \uc544\ubb34\ub7f0 \uc9c0\uc7a5\uc744 \ubc1b\uc9c0\uc54a\uace0 \uc77c\ubc18\uc801\uc778 \uc2dc\uc2a4\ud15c \uc791\uc5c5\uc744 \uc218\ud589\ud560 \uc218 \uc788\ub2e4\uace0 \uc790\uc2e0\ud558\uc2dc\uacbd\uc6b0 \uc774 \uc635\uc158\uc744 \uc120\ud0dd\ud55c\ub2e4. <\/SPAN><\/P>\n

 <\/P>\n

5 . SELinux \uc11c\ube44\uc2a4 \uc124\uc815 - setenforce <\/STRONG><\/FONT><\/SPAN><\/P>\n

SELinux\uc758 \uc11c\ube44\uc2a4 \uc0c1\ud0dc\ub97c \ubcc0\uacbd\ud574\uc57c \ud558\ub294 \ud544\uc694\uac00 \uc788\uc744\ub54c\ub294 \uc9c1\uc811 \/etc\/sysconfig\/selinux \ud30c\uc77c\uc5d0\uc11c SELINUX=enforcing , \ub610\ub294 SELINUX=permissive \ucc98\ub7fc \uc218\uc815\ud574\uc11c \ubcc0\uacbd\ud558\ub294 \ubc29\ubc95\ub3c4 \uc788\uc9c0\ub9cc setenforce \ub77c\ub294 \uba85\ub839\uc5b4\ub97c \uc774\uc6a9\ud560\uc218 \uc788\ub2e4.<\/SPAN> <\/P>\n

\"setenforce 0\" \uc774\ub77c\uace0 \uba85\ub839\uc744 \ub0b4\ub9ac\ub294\uac83\uc740  SELINUX=permissive \uc640 \ub3d9\uc77c\ud55c \uacb0\uacfc\uc774\uba70, \"setenforce 1\" \uc740 enforcing \ubaa8\ub4dc\ub97c \uc758\ubbf8\ud55c\ub2e4. \uc2dc\uc2a4\ud15c\uc5d0\uc11c SELinux \ub97c \uc644\uc804\ud788 \uc0ac\uc6a9\ud558\uc9c0 \uc54a\uc73c\ub824\uba74 \/etc\/sysconfig\/selinux \ud30c\uc77c\uc5d0\uc11c SELINUX=disabled \ucc98\ub7fc \uc124\uc815\ud558\uac70\ub098 \uc2dc\uc2a4\ud15c \ubd80\ud305\uc2dc\uc5d0 \ubd80\ud2b8\ub85c\ub354\uc758 \ud30c\ub77c\ubbf8\ud130\ub85c selinux=0 \uc774\ub77c\uace0 \uc8fc\uace0 \ubd80\ud305\ud558\uba74 \ub41c\ub2e4. (grub \uc744 \uc0ac\uc6a9\ud558\ub294 \uacbd\uc6b0\ub77c\uba74 grub \ud654\uba74\uc5d0\uc11c e \ub97c \ub204\ub974\uace0 \ud3b8\uc9d1\ubaa8\ub4dc\ub85c \ub4e4\uc5b4\uac04\ub4a4\uc5d0 kernel \uc904\uc758 \ub9e8 \ub4a4\uc5d0 selinux=0 \uc744 \uc801\uc5b4\uc8fc\uace0 ESC, \uadf8\ub9ac\uace0 b \ub97c \ub20c\ub7ec\uc11c \ubd80\ud305\ud558\uba74 \ub41c\ub2e4..) <\/SPAN><\/P>\n


sentenforce \uba85\ub839\uc740 sysadm_r \uad8c\ud55c\uc744 \uac16\uace0 \uc218\ud589\ud574\uc57c \ud55c\ub2e4; \uadf8\ub7ec\uae30 \uc704\ud574, newrole \uba85\ub839\uc744 \uc0ac\uc6a9\ud558\uac70\ub098, \uc544\ub2c8\uba74, su -\ub97c \uc0ac\uc6a9\ud558\uc5ec root \ub85c \uc0ac\uc6a9\uc790 \uc804\ud658\uc744 \ud558\uba74, \uc790\ub3d9\uc73c\ub85c sysadm_r \uad8c\ud55c\uc744 \uc5bb\uc744 \uc218 \uc788\ub2e4. <\/P>\n

 <\/P>\n

6 . SELinux \uc11c\ube44\uc2a4 \uc124\uc815 - chcon <\/STRONG><\/FONT><\/P>\n

SELinux \uc758 \ubcf4\uc548\ubb38\ub9e5\uc744 \ubcc0\uacbd\ud574\uc57c \ud558\ub294 \uacbd\uc6b0\uc5d0\ub294 chcon \uc774\ub77c\ub294 \uba85\ub839\uc744 \uc0ac\uc6a9\ud560\uc218 \uc788\ub2e4. <\/SPAN><\/P>\n

\uc544\ud30c\uce58\ub97c \uc0ac\uc6a9\uc911\uc5d0 \ubd84\uba85\ud788 \ub514\ub809\ud1a0\ub9ac\ub97c \uc0dd\uc131\ud588\ub294\ub370\ub3c4 \uc5d0\ub7ec\uac00 \ub09c\ub2e4\uba74 \uc544\ub798\ucc98\ub7fc http_user_content_t \ub97c \ud574\ub2f9 DocumentRoot \uc5d0 \uc801\uc6a9\ud574\uc90c\uc73c\ub85c \ud574\uacb0\ud574 \uc904\uc218\uc788\ub2e4. <\/SPAN><\/P>\n

chcon -R -t httpd_user_content_t \/home\/\uc0ac\uc6a9\uc790\uacc4\uc815\/public_html <\/SPAN><\/P>\n

 <\/P>\n

7 . SELinux \uc11c\ube44\uc2a4 \uc124\uc815 - setsebool<\/STRONG> <\/FONT><\/FONT><\/SPAN><\/P>\n

[root@ns ~]# cat \/etc\/selinux\/targeted\/booleans<\/SPAN> <\/P>\n

allow_ypbind=1 <\/SPAN><\/P>\n

dhcpd_disable_trans=0 <\/SPAN><\/P>\n

httpd_disable_trans=1 <\/SPAN><\/P>\n

httpd_enable_cgi=1 <\/SPAN><\/P>\n

httpd_enable_homedirs=1 <\/SPAN><\/P>\n

httpd_ssi_exec=1 <\/SPAN><\/P>\n

httpd_tty_comm=0 <\/SPAN><\/P>\n

httpd_unified=1 <\/SPAN><\/P>\n

mysqld_disable_trans=0 <\/SPAN><\/P>\n

named_disable_trans=1 <\/SPAN><\/P>\n

named_write_master_zones=1 <\/SPAN><\/P>\n

nscd_disable_trans=1 <\/SPAN><\/P>\n

ntpd_disable_trans=0 <\/SPAN><\/P>\n

portmap_disable_trans=0 <\/SPAN><\/P>\n

postgresql_disable_trans=0 <\/SPAN><\/P>\n

snmpd_disable_trans=0 <\/SPAN><\/P>\n

squid_disable_trans=0 <\/SPAN><\/P>\n

syslogd_disable_trans=0 <\/SPAN><\/P>\n

winbind_disable_trans=0 <\/SPAN><\/P>\n

ypbind_disable_trans=0 <\/SPAN><\/P>\n

  <\/SPAN><\/P>\n

RHEL4\uc758 \uacbd\uc6b0 \uc804\ud658\uac00\ub2a5\ud55c \uc2dc\uc2a4\ud15c\uc758 SELinux \uc124\uc815\uac12\ub4e4\uc744 \ub098\ud0c0\ub0b4\ub294 \ud30c\uc77c\uc740 \/etc\/selinux\/targeted\/booleans  \ud30c\uc77c\uc774\ub2e4. \ud30c\uc77c\uc548\uc758 \uac01 \ud56d\ubaa9\uc740 system-config-securitylevel \uc774\ub77c\ub294 \uc5b4\ud50c\ub9ac\ucf00\uc774\uc158\uc774\ub098 setsebool \uc774\ub77c\ub294 \uba85\ub839\uc744 \uc774\uc6a9\ud574\uc11c \ubcc0\uacbd\uc2dc\ud0ac\uc218 \uc788\uc73c\uba70 setsebools \uc744 \uc774\uc6a9\ud558\ub294 \uacbd\uc6b0 -P \uc635\uc158\uc744 \uc0ac\uc6a9\ud558\uc9c0 \uc54a\uc73c\uba74 \uc124\uc815\ud30c\uc77c\uc740 \ubcc0\uacbd\ub418\uc9c0 \uc54a\uace0 \ud604\uc7ac\uc758 \uc124\uc815\ub9cc \ubc14\ub00c\uc9c0\ub9cc -P \uc635\uc158\uc744 \uac19\uc774 \uc0ac\uc6a9\ud558\uba74 \/etc\/selinux\/targeted\/booleans \ud30c\uc77c\uc758 \ub0b4\uc6a9\uae4c\uc9c0 \uac19\uc774 \ubcc0\uacbd\ub418\uc5b4 \uc2dc\uc2a4\ud15c \ub9ac\ubd80\ud305\ud6c4\uc5d0\ub3c4 \uc801\uc6a9\ub41c\ub2e4<\/SPAN><\/P>\n

 <\/P>\n

8 . \uc0ac\uc6a9\uc911\uc778 \uc815\ucc45\uc744 \uad50\uccb4\ud558\ub294 \ubc29\ubc95\uc740? <\/STRONG><\/FONT><\/SPAN><\/P>\n

\uc815\ucc45 \uad50\uccb4\ub294 \uac00\ubccd\uac8c \ucde8\ud560 \uc0ac\uc548\uc774 \uc544\ub2c8\ub2e4. <\/SPAN><\/P>\n

\uc5f0\uad6c \ubaa9\uc801\uc73c\ub85c \uc2dc\ud5d8 \uc7a5\ube44(test machine)\uc5d0\uc11c \uc0c8 \uc815\ucc45\uc744 \uc2dc\ub3c4\ud558\ub294 \uc774\uc678, \uc0dd\uc0b0 \uc2dc\uc2a4\ud15c(production system)\uc5d0\uc11c\ub294 \ub2e4\ub978 \uc815\ucc45\uc73c\ub85c \uad50\uccb4\ud558\uae30 \uc804\uc5d0 \ud604\ud669\uc744 \uc2ec\uac01\ud558\uac8c \uace0\ub824\ud574\uc57c \ud55c\ub2e4. <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

\uad50\uccb4 \uc791\uc5c5\uc740 \uac04\ub2e8\ud558\ub2e4. \uc774\ub294 \ub9e4\uc6b0 \uc548\uc804\ud55c \ubc29\ubc95\uc774\uc9c0\ub9cc, \uc6b0\uc120 \uc2dc\ud5d8 \uc2dc\uc2a4\ud15c\uc5d0\uc11c \uc77c\ucc28 \uc2dc\ub3c4\ud574 \ubcf4\ub294 \uac83\uc774 \ubc14\ub78c\uc9c1\ud558\ub2e4. <\/SPAN><\/P>\n

\ud55c \uac00\uc9c0 \ubc29\ubc95\uc740 system-config-securitylevel\uc744 \uc0ac\uc6a9\ud558\uc5ec \uc815\ucc45\uc744 \ubc14\uafb8\uace0 \uc7ac\uba85\uba85(relabel)\ud558\ub3c4\ub85d \ud30c\uc77c \uc2dc\uc2a4\ud15c\uc744 \uc124\uc815\ud558\ub294 \uac83\uc774\ub2e4. <\/SPAN><\/P>\n

\uc218\uc791\uc5c5 \uc808\ucc28\ub294 \ub2e4\uc74c\uacfc \uac19\ub2e4: <\/SPAN><\/P>\n

1. \/etc\/selinux\/config\uc744 \ud3b8\uc9d1\ud558\uace0 SELINUXTYPE=policyname\uc73c\ub85c \uc815\ucc45 \uc720\ud615\uc744 \ubc14\uafbc\ub2e4. <\/SPAN><\/P>\n

2. \uc7ac\ubd80\ud305\ud558\uc5ec \ub3cc\uc544\uc62c \uc218 \uc788\ub294 \uc9c0 \ud655\uc778\ud558\uae30\uc704\ud574, SELINUX=permissive\ubaa8\ub4dc\ub85c \uc124\uc815\ud55c\ub2e4. \uc774\ub807\uac8c \ud558\uba74, SELinux\ub294 \uc815\ud655\ud55c \uc815\ucc45\ud558\uc5d0\uc11c \uac00\ub3d9\ub420 \uac83\uc774\uc9c0\ub9cc, \ub9cc\uc77c \ubd80\uc815\ud655\ud55c \ud30c\uc77c \ubb38\ub9e5 \uba85\uba85(labeling)\uacfc \uac19\uc740 \ubb38\uc81c\uac00 \uc788\uc73c\uba74 \ub85c\uadf8\uc778\ud558\ub3c4\ub85d \ud560 \uac83\uc774\ub2e4. <\/SPAN><\/P>\n

3. sysadm_r \uc5ed\ud560\uc744 \uac16\ucd98 root\ub85c \ud30c\uc77c \uc2dc\uc2a4\ud15c\uc744 \uc7ac\uba85\uba85\ud55c\ub2e4(relabel): <\/SPAN><\/P>\n

id -Z <\/SPAN><\/P>\n

root:sysadm_r:sysadm_t <\/SPAN><\/P>\n

fixfiles relabel <\/SPAN><\/P>\n

\uc635\uc158 -l \/path\/to\/logfile\uc744 \uc0ac\uc6a9\ud558\uc5ec \ud45c\uc900 \ucd9c\ub825\uc73c\ub85c \ub85c\uadf8\ub97c \ubcfc \uc218 \uc788\uace0, \uc635\uc158 -o \/path\/to\/file\uc744 \uc0ac\uc6a9\ud558\uc5ec \uac80\ud1a0(checked)\ub418\uac70\ub098 \uc7ac\uba85\uba85(relabel ed)\ub41c \ubaa8\ub4e0 \ud30c\uc77c \ub9ac\uc2a4\ud2b8\ub97c \uc800\uc7a5\ud560 \uc218 \uc788\ub2e4. <\/SPAN><\/P>\n

4. \uc2dc\uc2a4\ud15c\uc744 \uc7ac\ubd80\ud305\ud55c\ub2e4. \uc0c8 \uc815\ucc45\ud558\uc5d0\uc11c\uc758 \uc7ac\uc2dc\uc791\uc740 \ubaa8\ub4e0 \uc2dc\uc2a4\ud15c \ud504\ub85c\uc138\uc2a4\uac00 \uc801\uc808\ud55c \ubb38\ub9e5\uc5d0\uc11c \uc2dc\uc791\ub418\uace0 \uc815\ucc45 \ubcc0\uacbd\uc73c\ub85c \uc778\ud55c \ubaa8\ub4e0 \ubb38\uc81c\uac00 \ub4dc\ub7ec\ub098\uac8c \ud55c\ub2e4. <\/SPAN><\/P>\n

5. sestatus -v \uba85\ub839\uc73c\ub85c \ubc1c\ud6a8\ub41c \ubcc0\uacbd\uc0ac\ud56d\uc744 \ud655\uc778\ud55c\ub2e4. Permissive \ubaa8\ub4dc\ub85c \uac00\ub3d9\ub41c \uc0c8 \uc2dc\uc2a4\ud15c\uc5d0\uc11c, avc: denied \uba54\uc2dc\uc9c0\ub97c \/var\/log\/messages\uc5d0\uc11c \ud655\uc778\ud55c\ub2e4. \uc774\ub4e4\uc740 \uc0c8 \uc815\ucc45\ud558\uc5d0 \ubb38\uc81c\uc5c6\uc774 \uc2dc\uc2a4\ud15c\uc774 \uac00\ub3d9\ub418\ub3c4\ub85d \ud574\uacb0\ud574\uc57c \ud560 \ubb38\uc81c\ub4e4\uc744 \ud45c\uc2dc\ud574 \uc900\ub2e4. <\/SPAN><\/P>\n

6. \uc0c8 \uc815\ucc45\ud558\uc5d0\uc11c \uc2dc\uc2a4\ud15c\uc774 \ub9cc\uc871\uc2a4\ub7fd\uac8c \ub3cc\uc544\uac08 \ub54c, SELINUX=enforcing \uc73c\ub85c \ubc14\uafd4 \uc2e4\ud589 \uad8c\ud55c\uc744 \ubd80\uc5ec\ud55c\ub2e4. \uc2e4\uc2dc\uac04\uc5d0 enforcing\uc744 \ud65c\uc131\ud654 \uc2dc\ud0a4\uae30 \uc704\ud574 \uc7ac\ubd80\ud305\ud558\uac70\ub098 setenforce 1 \uc744 \uc2e4\ud589\ud55c\ub2e4. <\/SPAN><\/P>\n

 <\/P>\n

9 <\/!-->. SELinux LOG<\/FONT><\/STRONG> <\/SPAN><\/SPAN><\/P>\n

SELinux \uc758 \ub85c\uadf8\ub294 \/var\/log\/messages \ud30c\uc77c\uc5d0 \uc544\ub798\ucc98\ub7fc \ub098\ud0c0\ub09c\ub2e4 <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

kernel: audit(1114070701.193:0): avc:  denied  { read } for  pid=24216 <\/SPAN><\/P>\n

exe=\/usr\/libexec\/mysqld name=mysql dev=cciss\/c0d0p6 ino=16408 <\/SPAN><\/P>\n

scontext=user_u:system_r:mysqld_t tcontext=root:object_r:var_lib_t <\/SPAN><\/P>\n

tclass=dir <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

\uc774 \ub85c\uadf8\ub294 \uc544\ub798\uc640 \uac19\uc774 \ud574\uc11d\ud560\uc218 \uc788\ub2e4. <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

- \uc77d\uae30 \uc694\uccad\uc774 \uac70\ubd80\ub418\uc5c8\ub2e4. <\/SPAN><\/P>\n

- PID 24216\uc744 \uac00\uc9c4 \ud504\ub85c\uc138\uc2a4\uac00 read\ub97c \uc2dc\ub3c4\ud55c\ub2e4 <\/SPAN><\/P>\n

- \ud574\ub2f9\ud504\ub85c\uc138\uc2a4\ub294 \/usr\/libexec\/mysqld \uc774\ub2e4 <\/SPAN><\/P>\n

- \/dev\/cciss\/c0d0p6 \uc5d0\uc11c \uc791\ub3d9\ub418\uace0 \uc788\ub2e4 <\/SPAN><\/P>\n

- inode \ub294 16408\uc774\ub2e4. <\/SPAN><\/P>\n

- \ud504\ub85c\uc138\uc2a4\uc758 SELinux \ubb38\ub9e5\uc740 user_u:system_r:mysqld_t \uc774\ub2e4. <\/SPAN><\/P>\n

- tcontext=root:object_r:var_lib_t : \uc774\ud30c\uc77c\uc774 \uc77d\uae30\ub97c \uc2dc\ub3c4\ud558\ub294 \ud30c\uc77c\uc740 var_lib_t \ud0c0\uc785\uc758 root \uc18c\uc720\ud30c\uc77c\uc774\ub2e4 <\/SPAN><\/P>\n


<\/SPAN><\/P>\n

SELinux LOG \uac01 \ud56d\ubaa9\uc758 \uc758\ubbf8 <\/SPAN><\/P>\n

audit(timestamp) -- This field states that it's an audit message from SELinux and that it was logged at timestamp time (in seconds since Jan. 1st, 1970). <\/SPAN><\/P>\n

avc -- This message was from the SELinux access vector cache. Pretty much every message you are likely to see is from this cache. <\/SPAN><\/P>\n

denied | accepted -- This field indicates whether the action was denied or accepted. You may see logs of accepted messages in some cases (like reloading the policy). <\/SPAN><\/P>\n

{ read | write | unlink | ... } -- This field shows the type of action that was attempted, such as reading a file, writing, unlinking, loading policy, etc. <\/SPAN><\/P>\n

for pid= -- This is the process ID that attempted the action. <\/SPAN><\/P>\n


exe= -- This is the path to the executable that started the process. <\/SPAN><\/P>\n

name= -- This is the name of the target on which the action was attempted. <\/SPAN><\/P>\n

dev= -- This is the device on which the target file is located. <\/SPAN><\/P>\n

ino= -- This is the inode of the target of the action. <\/SPAN><\/P>\n

scontext= -- This is the process's security context. This contains user, role, and type. <\/SPAN><\/P>\n

tcontext= -- This is the security context of the target of this action, for example, the file, directory, etc. <\/SPAN><\/P>\n

tclass= -- This is the class of the target object, such as directory, file, device node, or something else. <\/SPAN><\/P>\n

 <\/P>\n

10 . Audit2allow<\/STRONG> <\/FONT><\/SPAN><\/P>\n

\uc815\ucc45 \uc791\uc131\uc790\uc5d0\uac8c \uc720\uc6a9\ud55c \ub3c4\uad6c\ub294 \/usr\/bin\/audit2allow \uc778\ub370 \uc774\uac83\uc740 \/var\/log\/messages\uc758  avc \uba54\uc2dc\uc9c0\ub97c SELinux\uc5d0 \uc758\ud574 \uc0ac\uc6a9\ub420 \uc218 \uc788\ub294 \uaddc\uce59\uc73c\ub85c \ubc88\uc5ed\ud574\uc900\ub2e4. \uc0ac\uc6a9\uc774 \ubd88\uac00\ub2a5\ud558\ub2e4\uba74 policycoreutils \ud328\ud0a4\uc9c0\uc5d0 \uc18d\ud574\uc788\uc73c\ubbc0\ub85c yum install policycoreutils \ucc98\ub7fc \uc124\uce58 \uac00\ub2a5\ud558\ub2e4. <\/SPAN><\/P>\n

audit2allow\uba85\ub839\uc740 \uc138\uac00\uc9c0 \ubc29\ubc95\uc73c\ub85c \uc785\ub825\uc744 \ubc1b\uc744 \uc218 \uc788\ub2e4. \uae30\ubcf8\uc740 \ud45c\uc900\uc785\ub825 (stdin)\uc774\ub2e4. -i \uc635\uc158\uc744 \uc0ac\uc6a9\ud558\uba74 \/var\/log\/messages \ub85c\ubd80\ud130 \uc785\ub825\uc744 \uc77d\uc744 \uc218 \uc788\uace0 -d\uc635\uc158\uc744 \uc0ac\uc6a9\ud558\uba74 dmesg \ucd9c\ub825\uc73c\ub85c\ubd80\ud130 \uc785\ub825\uc744 \uc77d\uc744 \uc218 \uc788\ub2e4.<\/SPAN><\/P>\n

 <\/P>\n

11 . avc: denied <\/STRONG><\/FONT><\/SPAN><\/P>\n

\uc774 \uba54\uc2dc\uc9c0\ub294 \ud604\uc7ac \uc2e4\ud589\ub41c SELinux \uc815\ucc45\uc774 \uadf8 \uc751\uc6a9\ud504\ub85c\uadf8\ub7a8\uc758 \ub3d9\uc791\uc744 \ud5c8\ub77d\ud558\uc9c0 \uc54a\uae30 \ub54c\ubb38\uc774\ub2e4. \uc774\ub7ec\ud55c \uc77c\uc5d0\ub294 \uc5ec\ub7ec \uac00\uc9c0 \uc0ac\uc720\uac00 \uc874\uc7ac\ud55c\ub2e4. <\/SPAN><\/P>\n

\uccab\uc9f8, \uc751\uc6a9\ud504\ub85c\uadf8\ub7a8\uc774 \uc811\uadfc\ud558\ub824\ub294 \ud30c\uc77c\uc911 \ud558\ub098\uac00 \uc798\ubabb \uba85\uba85\ub418\uc5b4\uc788\uc744 \uc218 \uc788\ub2e4. \ub9cc\uc77c AVC \uba54\uc2dc\uc9c0\uac00 \ud2b9\uc815 \ud30c\uc77c\uc744 \ucc38\uc870\ud55c\ub2e4\uba74, ls -alZ \/path\/to\/file \uc744 \uc218\ud589\ud558\uc5ec \ud604\uc7ac \ucc38\uc870\ud558\ub294 \ud30c\uc77c\uba85(current label)\uc744 \uc870\uc0ac\ud574 \ubcf4\ub77c. \ub9cc\uc77c \uadf8\uac83\uc774 \uc798\ubabb\ub418\uc5b4 \ubcf4\uc774\uba74, restorecon -v \/path\/to\/file \uc744 \uc2dc\ub3c4\ud574\ubcf4\ub77c. \ub9cc\uc77c \ud30c\uc77c\uacfc \uad00\ub828\ub41c \ub9e4\uc6b0 \ub9ce \uc740 \uac70\ubd80(denials) \uc0c1\ud669\uc774 \uc874\uc7ac\ud558\uba74, fixfiles relabel \uc744 \uc218\ud589\ud558\uac70\ub098, \ubc18\ubcf5\uc801\uc73c\ub85c \ub514\ub809\ud1a0\ub9ac \uacbd\ub85c\ub97c \uc7ac\uba85\uba85\ud558\uae30 \uc704\ud574\uc11c -R\uc635\uc158\uacfc \ud568\uaed8 restorecon \uc744 \uc218\ud589\ud558\uace0 \uc2f6\uc744 \uc218 \uc788\ub2e4. <\/SPAN><\/P>\n

\ub2e4\ub978 \ub54c\uc5d0\ub294, \uac70\ubd80(denials) \ud604\uc0c1\uc740 \uc815\ucc45\uc5d0 \uc758\ud574 \uac70\ubd80\ub418\ub3c4\ub85d \ud504\ub85c\uadf8\ub7a8\uc5d0 \uc124\uc815\uc744 \ubc14\uafd4\uc11c \ubc1c\uc0dd\ub420 \uc218 \uc788\ub2e4. \uc608\ub97c \ub4e4\uba74, \ub9cc\uc77c Apache\ub97c 8800\ud3ec\ud2b8\ub85c \ubc14\uafb8\uba74, \ubcf4\uc548 \uc815\ucc45, apache.te,\ub3c4 \uad00\ub828\ud558\uc5ec \ubc14\uafd4\uc57c \ud560 \ud544\uc694\uac00 \uc0dd\uae34\ub2e4. \uc815\ucc45 \uc791\uc131\uc5d0 \uad00\ud55c \uc0c1\uc138\ud55c \uc815\ubcf4\uac00 \ud544\uc694\ud558\uba74, \uc678\ubd80\uc5f0\uacb0 \ub9ac\uc2a4\ud2b8(External Link List)\ub97c \ubcf4\ub77c. <\/SPAN><\/P>\n

 <\/P>\n

12 . \ucc38\uace0\ubb38\ud5cc \ub610\ub294 URL<\/STRONG> <\/FONT><\/SPAN><\/P>\n

Home of the SELinux project -- http:\/\/www.nsa.gov\/selinux\/<\/A> <\/SPAN><\/P>\n

The Un-Official SELinux FAQ -- http:\/\/www.crypt.gen.nz\/selinux\/faq.html<\/A> <\/SPAN><\/P>\n

SELinux link zoo -- http:\/\/www.crypt.gen.nz\/selinux\/links.html<\/A> <\/SPAN><\/P>\n

Ubuntu Linux SELinux pages -- https:\/\/www.ubuntulinux.org\/wiki\/SELinux<\/A> <\/SPAN><\/P>\n

2005.8 Sys Admin Magazine -- http:\/\/www.samag.com\/documents\/s=9820\/sam0508a\/0508a.htm<\/A> <\/SPAN><\/P>\n

NSA SELinux FAQ ? http:\/\/www.nsa.gov\/selinux\/info\/faq.cfm<\/A> <\/SPAN><\/P>\n

SELinux community page ? http:\/\/selinux.sourceforge.net<\/A> <\/SPAN><\/P>\n

UnOfficial FAQ ? http:\/\/www.crypt.gen.nz\/selinux\/faq.html<\/A> <\/SPAN><\/P>\n

Writing SE Linux policy HOWTO ?https:\/\/sourceforge.net\/docman\/display_doc.php?docid=21959&group_id=21266 <\/SPAN><\/P>\n

Getting Started with SE Linux HOWTO: the new SE Linux (Debian) ?https:\/\/sourceforge.net\/docman\/display_doc.php?docid=20372&group_id=21266 \n<\/SPAN>\n<\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/SPAN><\/FONT><\/SPAN>\n","protected":false},"excerpt":{"rendered":"

SELinux     \uac01\uc885 \ub9ac\ub205\uc2a4\uad00\ub828 \ud2b8\ub7ec\ube14\uc288\ud305\uc744 \ucc98\ub9ac\ud558\ub2e4\ubcf4\uba74 \uacf5\ubd80\ud574\uc57c\ud560\uac83\ub4e4\uc774 \ucc38 \ub9ce\ub2e4. \uc694\uc998 \uc790\uc8fc \uac70\ub860\ub418\ub294 \ubb38\uc81c\uac00 SELinux \uad00\ub828\ub41c \ubb38\uc81c\ub4e4\uc778\ub370, SELinux \ub77c\uba74 \uc544\uc9c1 \ubabb\ub4e4\uc5b4\ubcf8 \uc0ac\ub78c\uc774 \uaf64 \ub9ce\uc774 \uc788\uc744\uac83\uc774\ub2e4. SELinux\uc758 \ub0b4\ubd80\uc801\uc778 \uad6c\ud604\uc6d0\ub9ac \uac19\uc740 \ubd80\ubd84\uc740 \uc774 \ubb38\uc11c\uc5d0 \ub2e4\ub8e8\uace0\uc790 \ud558\ub294 \ub0b4\uc6a9\uc774 \uc544\ub2c8\ub2e4. SELinux\uc758 \uc544\ud0a4\ud14d\ucc98\ub098 \ucf54\ub4dc\uc5d0 \ub300\ud55c \ubd80\ubd84\uc744 \ub354 \ub9ce\uc774 \uc54c\uae30\uc704\ud574\uc11c\ub294 IBM\uc758 \uae30\uc220\ubb38\uc11c(http:\/\/www-128.ibm.com\/developerworks\/kr\/library\/l-selinux\/index.html) \uc744 \ucc38\uace0\ud558\uac70\ub098 NSA\uc758 \ud648\ud398\uc774\uc9c0(http:\/\/www.nsa.gov\/selinux\/)\ub4f1\ub97c \ucc38\uace0\ud558\uae30 \ubc14\ub780\ub2e4. \ud544\uc790\ub294 \ub2e8\uc9c0 \uc5ec\ub7ec\ubd84\uc774 […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_import_markdown_pro_load_document_selector":0,"_import_markdown_pro_submit_text_textarea":"","site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[39],"tags":[],"class_list":["post-23","post","type-post","status-publish","format-standard","hentry","category-os_linux_unix_macos"],"_links":{"self":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/23","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=23"}],"version-history":[{"count":0,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=\/wp\/v2\/posts\/23\/revisions"}],"wp:attachment":[{"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=23"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=23"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/hasu0707.duckdns.org\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=23"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}