Environment: CentOS 6.9 on Azure
We receive the following message in /var/log/messages 4 times every 30 seconds, which is annoying and generates a lot of unnecessary work.
SELinux is preventing /bin/hostname from read access on the directory inotify. For complete SELinux messages. run sealert -l 82ab3273-059b-4ed8-8390-aed7506036de
The file /proc/sys/fs/inotify has no context:
# ls -ldZ /proc/sys/fs/inotify
dr-xr-xr-x root root ? /proc/sys/fs/inotify
Output of the sealert command:
Raw Audit Messages
type=AVC msg=audit(1531418094.610:464559): avc: denied { read } for pid=36704 comm="hostname" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=AVC msg=audit(1531418094.610:464559): avc: denied { read } for pid=36704 comm="hostname" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1531418094.610:464559): arch=x86_64 syscall=execve success=yes exit=0 a0=7ffed8227908 a1=7ffed8227b00 a2=7ffed8227b10 a3=a items=0 ppid=806 pid=36704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)
Hash: hostname,hostname_t,inotifyfs_t,dir,read
audit2allow
#============= hostname_t ==============
allow hostname_t inotifyfs_t:dir read;
audit2allow -R
#============= hostname_t ==============
allow hostname_t inotifyfs_t:dir read;
But as long as inotify has no context, the new policy does not help.
Is it safe to assign the context inotifyfs_t to /proc/sys/fs/inotify?
Are there any other suggestions?
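To make the relationship between the "Raw Audit Messages" and the audit2allow output above explicit, here is a small parser, added as an example and not part of the original question or of the audit2allow tool itself. It reads AVC records in the format quoted above, extracts the source type, target type, object class and denied permissions, deduplicates the repeated records, and emits the same `allow hostname_t inotifyfs_t:dir read;` rule plus the sealert-style "Hash" signature. The sample records are copied from the question; the extra SYSCALL line and the helper names (`parse_avc`, `audit2allow`, `sealert_hash`) are constructed for this example. Only the Python standard library is used.

```python
"""Parse SELinux AVC denial records and derive audit2allow-style rules.

Added example (not the question's code and not the real audit2allow):
it reproduces, for the quoted records, what audit2allow prints, which makes
it clear that the rule is keyed on the *types* the kernel recorded in
scontext/tcontext, not on what `ls -Z` shows for a path.
"""
import re
from collections import defaultdict

# Constructed sample: the two identical AVC records from the question followed
# by the SYSCALL record, which carries no denial and is skipped.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1531418094.610:464559): avc: denied { read } for pid=36704 comm="hostname" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=AVC msg=audit(1531418094.610:464559): avc: denied { read } for pid=36704 comm="hostname" path="inotify" dev=inotifyfs ino=1 scontext=system_u:system_r:hostname_t:s0 tcontext=system_u:object_r:inotifyfs_t:s0 tclass=dir
type=SYSCALL msg=audit(1531418094.610:464559): arch=x86_64 syscall=execve success=yes exit=0 pid=36704 comm=hostname exe=/bin/hostname subj=system_u:system_r:hostname_t:s0 key=(null)
"""

DENIED_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC *denial* record, or None for anything else.

    Keys are the record's key=value fields (quotes stripped) plus "perms",
    the set of permissions inside the braces.
    """
    if not line.startswith("type=AVC"):
        return None
    m = DENIED_RE.search(line)
    if not m or m.group(1) != "denied":
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["perms"] = set(m.group(2).split())
    return rec


def type_of(context):
    """Type component of a user:role:type[:level] security context."""
    return context.split(":")[2]


def audit2allow(lines):
    """Aggregate denials into audit2allow-style allow rules.

    Identical records collapse into one rule; several denied permissions for
    the same (source, target, class) triple are merged into one brace list.
    """
    perms = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms[key] |= rec["perms"]
    rules = []
    for (src, tgt, cls), p in sorted(perms.items()):
        plist = " ".join(sorted(p))
        if len(p) > 1:
            plist = "{ " + plist + " }"
        rules.append(f"allow {src} {tgt}:{cls} {plist};")
    return rules


def sealert_hash(line):
    """Signature in the shape of sealert's "Hash:" line for one AVC record."""
    rec = parse_avc(line)
    if rec is None:
        return None
    return ",".join([
        rec.get("comm", ""),
        type_of(rec["scontext"]),
        type_of(rec["tcontext"]),
        rec["tclass"],
        ",".join(sorted(rec["perms"])),
    ])


if __name__ == "__main__":
    lines = SAMPLE_AUDIT.splitlines()
    print("Hash:", sealert_hash(lines[0]))
    for rule in audit2allow(lines):
        print(rule)
```

Note that the rule comes entirely from the `scontext`/`tcontext` types the kernel put in the record; the `?` that `ls -Z` prints for a /proc path only means the label could not be read through the file system, not that the object has no label. Before shipping such a rule as a local module (`audit2allow -M` followed by `semodule -i`), it is worth checking whether the access is already switchable through an existing boolean, and whether a `dontaudit` rule would be the better fit for harmless noise, since an `allow` widens what the `hostname_t` domain may do permanently.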