Configuring SELinux permissions on (SVS-V) IPC Semaphores
Question
I have a bunch of programs which use IPC Semaphores to interact (semget).
One of the programs is an Apache module, which runs in (some sort of) restricted SELinux context (which I don't understand too well).
The module is capable of interacting with any regular files correctly, if of course the files have their SELinux security context set appropriately.
However - when my (module) goes to access the IPC Semaphore, the semget call fails with an EPERM. When SELinux is turned off, I don't get this error.
So - there is obviously something I need to do to set some sort of SELinux security context or something on the Semaphore for this to work. If it was a regular file, I could just call "chcon" on it. Since it's a System-V IPC Semaphore, I can't do that.
What can I do to make this work?
Answer
The steps to get SELinux to make the required changes are:
- Enable permissive mode
- Capture denials
- Add a new policy module or modify an existing policy module
- Enable enforcing mode and test
Exactly how to do these steps depends on what Linux distribution you are using; here are references for CentOS, Debian, Gentoo, RedHat and Ubuntu. You can also find SELinux information from the NSA. The best documentation I found is from Gentoo: step 1, step 2, step 3, step 4.
As @smassey noted, you most probably need to modify some IPC permissions.
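As an added illustration of the "capture denials" and "add a policy module" steps (this is not part of the original answer, and the real tool for the job is audit2allow), the script below parses constructed AVC records of the kind `ausearch -m AVC` prints when a confined httpd domain hits a System V `sem` object, merges them into allow rules and wraps them in a `.te` skeleton. The labels, the `unconfined_t` target (IPC objects inherit the creating process's context) and the module name `httpd_sem_local` are assumptions.

```python
import re
from collections import defaultdict

# Constructed AVC records (assumed labels, not real logs) in the form `ausearch -m AVC`
# prints them: a confined httpd module calling semget()/semop() on a System V
# semaphore created by a process in unconfined_t, plus one unrelated file denial.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.101:201): avc:  denied  { associate } for  pid=4321 comm="httpd" key=1163546 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=sem permissive=0
type=AVC msg=audit(1700000000.102:202): avc:  denied  { read write } for  pid=4321 comm="httpd" key=1163546 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=sem permissive=1
type=AVC msg=audit(1700000000.103:203): avc:  denied  { unix_read } for  pid=4321 comm="httpd" key=1163546 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=sem permissive=1
type=AVC msg=audit(1700000000.104:204): avc:  denied  { getattr } for  pid=4321 comm="httpd" path="/srv/data/index.html" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file permissive=1
"""

def parse_avc(line):
    """Return (source_domain, target_type, tclass, perms) or None for non-AVC lines."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}", line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    sdom = fields["scontext"].split(":")[2]    # user:role:type:level -> type
    ttype = fields["tcontext"].split(":")[2]
    return sdom, ttype, fields["tclass"], set(m.group(1).split())

def generate_te_rules(audit_text, only_classes=None):
    """Merge denials into audit2allow-style rules, one per (source, target, class).
    Pass only_classes={"sem"} to keep IPC denials and leave file denials to relabelling."""
    grouped = defaultdict(set)
    for line in audit_text.splitlines():
        parsed = parse_avc(line)
        if parsed and (only_classes is None or parsed[2] in only_classes):
            grouped[parsed[:3]] |= parsed[3]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]

def build_module(name, rules):
    """Wrap rules in a minimal .te skeleton for checkmodule/semodule_package (name is hypothetical)."""
    types, classes = set(), defaultdict(set)
    for rule in rules:
        _, sdom, target, perms = rule.split(" ", 3)   # "allow", src, "tgt:class", "{ ... };"
        ttype, tclass = target.split(":")
        types |= {sdom, ttype}
        classes[tclass] |= set(perms.strip("{} ;").split())
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"    type {t};" for t in sorted(types)]
    out += [f"    class {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    return "\n".join(out + ["}", ""] + rules)

if __name__ == "__main__":
    print(build_module("httpd_sem_local", generate_te_rules(SAMPLE_AUDIT, {"sem"})))
```

Note that in enforcing mode only the first denial (`associate`, `permissive=0`) is logged because semget fails right there; the `read`, `write` and `unix_read` lines only appear once the domain runs permissive, which is why the answer's step 1 comes before step 2. Restricting the generated rules to the `sem` class keeps an unrelated file denial from being turned into an allow rule when the right fix for it is `chcon`.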