Configuring SELinux permissions on (SVS-V) IPC Semaphores


Question

I have a bunch of programs which use IPC Semaphores to interact (semget).

One of the programs is an Apache module, which runs in (some sort of) restricted SELinux context (which I don't understand too well).

The module is capable of interacting with any regular files correctly, if of course the files have their SELinux security context set appropriately.

However - when my (Module) goes to access the IPC Semaphore, the semget call fails with an EPERM. When SELinux is turned off, I don't get this error.

So - there is obviously something I need to do to set some sort of SELinux security context or something on the Semaphore for this to work. If it was a regular file, I could just call "chcon" on it. Since it's a System-V IPC Semaphore, I can't do that.

What can I do to make this work?

Answer

The way to get SELinux to make the changes you need is:

  1. Enable permissive mode
  2. Capture denials
  3. Add a new policy module or modify an existing policy module
  4. Enable enforcing mode and test

Exactly how to do these steps depends on what Linux distribution you are using; here are references for CentOS, Debian, Gentoo, RedHat and Ubuntu. You can also find SELinux information from NSA. The best documentation I found is from Gentoo: step 1, step 2, step 3, step 4.

As @smassey noted, you most probably need to modify some IPC permission.
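The four steps above, worked through for this exact symptom as an added example that is not part of the original answer. On a real host step 2 is `ausearch -m AVC -ts recent | audit2allow -M httpd_sem` after `setenforce 0`; the script below is a simplified stand-in for audit2allow so the flow can be followed offline. It parses constructed AVC records of the kind `/var/log/audit/audit.log` holds after the Apache module's `semget()` is denied, and renders the `.te` source that `audit2allow -M` would emit. The records and the creator domain `myapp_t` are constructed; `httpd_t`, the `sem` object class and its permissions (`associate`, `read`, `write`, `unix_read`) are real SELinux names. The point the asker was missing: a System V semaphore is labelled with the context of the process that created it, so there is nothing to `chcon`; the allow rule has to name the creator's domain as the target.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log records (not from the original page).
# Record 201 is the single denial seen in enforcing mode (permissive=0): semget() fails
# with EPERM at the first missing permission. Records 202-203 only appear once
# permissive mode lets the call continue, which is why step 1 precedes step 2.
# A SysV semaphore carries the context of the process that created it, so the
# target is that creator's domain (hypothetical myapp_t), not a file label.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { associate } for  pid=2311 comm="httpd" key=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=sem permissive=0
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=64 success=no exit=-1 comm="httpd"
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read write } for  pid=2311 comm="httpd" key=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=sem permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { unix_read } for  pid=2311 comm="httpd" key=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:myapp_t:s0 tclass=sem permissive=1
"""

# Matches the parts of an AVC denial record that a policy rule is built from.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def domain_type(context):
    """Extract the type field from a user:role:type[:level] context string."""
    return context.split(":")[2]


def parse_denials(log_text, only_class=None):
    """Collect denied permissions keyed by (source type, target type, class).

    only_class restricts the result, e.g. "sem" to look at just the semaphore denials.
    """
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or (only_class and m["tclass"] != only_class):
            continue
        key = (domain_type(m["scontext"]), domain_type(m["tcontext"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)


def render_te(rules, module_name="httpd_sem", version="1.0"):
    """Render a .te source file in the layout audit2allow -M emits (step 3)."""
    types = sorted({t for (src, tgt, _cls) in rules for t in (src, tgt)})
    per_class = defaultdict(set)
    for (_src, _tgt, cls), perms in rules.items():
        per_class[cls].update(perms)
    out = [f"module {module_name} {version};", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {cls} {{ {' '.join(sorted(per_class[cls]))} }};" for cls in sorted(per_class)]
    out += ["}", ""]
    for src, tgt, cls in sorted(rules):
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(rules[(src, tgt, cls)]))} }};")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    te = render_te(parse_denials(SAMPLE_AUDIT_LOG, only_class="sem"))
    print(te)
    # Build, load, and return to enforcing mode (step 4), as root:
    #   checkmodule -M -m -o httpd_sem.mod httpd_sem.te
    #   semodule_package -o httpd_sem.pp -m httpd_sem.mod
    #   semodule -i httpd_sem.pp && setenforce 1
```

Read the rendered `allow` line before installing it: it should grant only `sem` permissions from `httpd_t` to the one domain that owns the semaphore. If the captured denials pull in other classes or a broad target type, trim the rule (or adjust `only_class`) rather than loading everything audit2allow suggests, and run the module under enforcing mode afterwards to confirm `semget()` now succeeds without new AVC records.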
