SElinux很重要唷！保護工作進程的最後防線！

SElinux很重要唷！他是保護工作進程的最後防線！

以下是 SElinux 的一個現象！


這是某程序，想經過「 PPPd」寫入 ./resolv.conf 的背景！
但遭到SElinux 阻擋，而沒有成功！

這之前，我曾經故意用 Xen 虛擬一個沒有 SElinux 的 Linux 環境，來觀察駭客入侵現象！

發現這真的是一個「駭客入侵」，那個駭客！居然進來下指令破壞磁碟資料。


獲得這一點點的知覺！就是「PPPd」服務並不安全？

但若不用「PPPd」轉用其他專線？也同樣不安全！


沒 PPPd 人家就直接改你的 Route host 設置，連警告都沒有，就被置換 Route 數據，除非你有另外安裝「Quagga」～～～「zebra」～～之類的軟體？同樣被攻擊、入侵後！是啞巴？沒SElinux 警告回應？除非你設定警告回覆訊息！但那不會比 SElinux 來得省事。

有 PPPd + SElinux 還會發生警告！

以下一些重點的參數，被我換成 XXXXXXXX 但不影響大家理解問題。



Summary
SELinux is preventing pppd (pppd_t) "write" to ./resolv.conf (pppd_etc_t).
Detailed Description
SELinux denied access requested by pppd. It is notexpected that this access is required by pppd and this accessmay signal an intrusion attempt. It is also possible that the specificversion or configuration of the application is causing it to requireadditional access.
Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try torestore the default system file context for ./resolv.conf,

restorecon -v './resolv.conf'

If this does not work, there is currently no automatic way to allow thisaccess. Instead, you can generate a local policy module to allow thisaccess - see FAQOr you can disable SELinux protection altogether. DisablingSELinux protection is not recommended.Please file a bug reportagainst this package.
Additional Information

Source Context:  system_u:system_r:pppd_t
Target Context:  root:object_r:pppd_etc_t
Target Objects:  ./resolv.conf [ file ]
Source:  pppd
Source Path:  /usr/sbin/pppd
Port:  <Unknown>
Host:  ishr.twbbs.org
Source RPM Packages:  ppp-2.4.4-2.el5
Target RPM Packages:
Policy RPM:  selinux-policy-2.4.6-279.el5
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  catchall_file
Host Name:  ishr.twbbs.org
Platform:  Linux ishr.twbbs.org 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:35 EDT 2010 i686 i686
Alert Count:  1
First Seen:  Wed May 11 03:54:53 2011
Last Seen:  Wed May 11 03:54:53 2011
Local ID:  XXXXXXXXXXXXXXXXXXX
Line Numbers: XXXXXXXXXXXXXXXXXXX

Raw Audit Messages:

host=ishr.twbbs.org type=AVC

msg=audit(XXXXXXXXXXXXX): avc: denied { write } for pid=XXXX comm="pppd"

name="resolv.conf" dev=dm-0 ino=XXXXXXXXX

scontext=system_u:system_r:pppd_t:s0 tcontext=root:object_r:pppd_etc_t:s0
tclass=file host=ishr.twbbs.org type=XXXXXXXX

msg=audit(XXXXXXXXXXXX): arch=XXXXXXXX
syscall=5
success=no
exit=-13
a0=1eb7c6 a1=XXXXXXXXXXXXXXXX
a2=1b6 a3=XXXXXXXXXXXXXXXX
items=0 ppid=2131
pid=XXXX
auid=XXXXXXXX
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=XXXXXXXXX
comm="pppd" exe="/usr/sbin/pppd" subj=system_u:system_r:pppd_t:s0 key=(null)