httpd、avc:拒否{ unix_read unix_write }

httpd、avc:拒否{ unix_read unix_write }

私は初めてselinuxの概念に触れましたが、ここでhttpdに{unix_read unix_write}を実行させる方法を考えています。以下は監査ログメッセージです。

type=IPC msg=audit(1624375715.312:4225): ouid=0 ogid=0 mode=0666 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
type=PROCTITLE msg=audit(1624375715.312:4225): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1624375724.580:4226): avc:  denied  { unix_read unix_write } for  pid=25626 comm="httpd" key=1392707921  scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm permissive=0
type=SYSCALL msg=audit(1624375724.580:4226): arch=c000003e syscall=29 success=no exit=-13 a0=53030951 a1=4338 a2=1b6 a3=6b items=0 ppid=25612 pid=25626 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)


[root@localhost build]# audit2allow  -w -a
type=AVC msg=audit(1624375724.580:4226): avc:  denied  { unix_read unix_write } for  pid=25626 comm="httpd" key=1392707921  scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=shm permissive=0
        Was caused by:
                Missing type enforcement (TE) allow rule.

                You can use audit2allow to generate a loadable module to allow this access.

[root@localhost build]# audit2allow   -a


#============= httpd_t ==============
allow httpd_t unconfined_t:shm { unix_read unix_write };
[root@localhost build]# allow httpd_t unconfined_t:shm { unix_read unix_write };
bash: allow: command not found
[root@localhost build]#

解決策は、httpd_tがunconfined_tでshmを実行できるようにするようですが、これは正しくありません。 key = 1392707921のshmにunconfined_tがどのように必要かわかりません。

関連情報