dac_override and dac_read_search capabilities usually indicates that the root process does not have access to a file based on the permission flags. This usually means you have some file with the wrong ownership/permissions on it. SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. SELinux denied access requested by $SOURCE. The current boolean settings do not allow this access. 
If you have not setup $SOURCE to require this access this may signal an intrusion attempt. If you do intend this access you need to change the booleans on this system to allow the access. SELinux has denied $SOURCE "$ACCESS" access to device $TARGET_PATH. $TARGET_PATH is mislabeled, this device has the default label of the /dev directory, which should not happen. All Character and/or Block Devices should have a label. You can attempt to change the label of the file using restorecon -v '$TARGET_PATH'. If this device remains labeled device_t, then this is a bug in SELinux policy. Please file a bug report. If you look at the other similar devices labels, ls -lZ /dev/SIMILAR, and find a type that would work for $TARGET_PATH, you can use chcon -t SIMILAR_TYPE '$TARGET_PATH'. If this fixes the problem, you can make this permanent by executing semanage fcontext -a -t SIMILAR_TYPE '$FIX_TARGET_PATH'. If the restorecon changes the context, this indicates that the application that created the device, created it without using SELinux APIs. If you can figure out which application created the device, please file a bug report against this application. Attempt restorecon -v '$TARGET_PATH' or chcon -t SIMILAR_TYPE '$TARGET_PATH' Changing the "$BOOLEAN" boolean to true will allow this access: "setsebool -P $BOOLEAN=1" Changing the "$BOOLEAN" boolean to true will allow this access: "setsebool -P $BOOLEAN=1." Changing the "allow_ftpd_use_nfs" boolean to true will allow this access: "setsebool -P allow_ftpd_use_nfs=1." Changing the file_context to mnt_t will allow mount to mount the file system: "chcon -t mnt_t '$TARGET_PATH'." You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t mnt_t '$FIX_TARGET_PATH'" Confined domains should not require "sys_resource". This usually means that your system is running out of some system resource like disk space, memory, quota etc. 
Please clear up the disk and this AVC message should go away. If this AVC continues after you clear up the disk space, please report this as a bug. Confined processes can be configured to run requiring different access, SELinux provides booleans to allow you to turn on/off access as needed. If httpd scripts should be allowed to write to public directories you need to turn on the $BOOLEAN boolean and change the file context of the public directory to public_content_rw_t. Read the httpd_selinux man page for further information: "setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t " You must also change the default file context labeling files on the system in order to preserve public directory labeling even on a full relabel. "semanage fcontext -a -t public_content_rw_t " If you trust $TARGET_PATH to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '$TARGET_PATH'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH'" If you want $SOURCE to continue, you must turn on the $BOOLEAN boolean. Note: This boolean will affect all applications on the system. If you want httpd to send mail you need to turn on the $BOOLEAN boolean: "setsebool -P $BOOLEAN=1" If you want to allow $SOURCE to bind to port $PORT_NUMBER, you can execute # semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER where PORT_TYPE is one of the following: %s. If this system is running as an NIS Client, turning on the allow_ypbind boolean may fix the problem. setsebool -P allow_ypbind=1. If you want to allow $SOURCE to connect to $PORT_NUMBER, you can execute # sandbox -X -t sandbox_net_t $SOURCE If you want to allow $SOURCE to connect to $PORT_NUMBER, you can execute # semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER where PORT_TYPE is one of the following: %s. 
If you want to change the file context of $TARGET_PATH so that the automounter can execute it you can execute "chcon -t bin_t $TARGET_PATH". If you want this to survive a relabel, you need to permanently change the file context: execute "semanage fcontext -a -t bin_t '$FIX_TARGET_PATH'". SELinux denied $SOURCE access to $TARGET_PATH. If this is a swapfile, it has to have a file context label of swapfile_t. If you did not intend to use $TARGET_PATH as a swapfile, this message could indicate either a bug or an intrusion attempt. SELinux denied RSYNC access to $TARGET_PATH. If this is an RSYNC repository, it has to have a file context label of rsync_data_t. If you did not intend to use $TARGET_PATH as an RSYNC repository, this message could indicate either a bug or an intrusion attempt. SELinux denied access requested by $SOURCE. $SOURCE_PATH may be mislabeled. $SOURCE_PATH default SELinux type is %s, but its current type is $SOURCE_TYPE. Changing this file back to the default type may fix your problem.

This file could have been mislabeled either by user error, or if a normally confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.

If you believe this is a bug, please file a bug report against this package. SELinux denied access requested by $SOURCE. $TARGET_PATH may be mislabeled. $TARGET_PATH default SELinux type is %s, but its current type is $TARGET_TYPE. Changing this file back to the default type may fix your problem.

File contexts can be assigned to a file in the following ways.

This file could have been mislabeled either by user error, or if a normally confined application was run under the wrong domain.

However, this might also indicate a bug in SELinux because the file should not have been labeled with this type.

If you believe this is a bug, please file a bug report against this package. SELinux denied access requested by $SOURCE. $TARGET_PATH may be mislabeled. openvpn is allowed to read content in home directory if it is labeled correctly. SELinux denied access requested by $SOURCE. $TARGET_PATH may be mislabeled. sshd is allowed to read content in /root/.ssh directory if it is labeled correctly. SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. mozplugger and spice-xpi run applications within mozilla-plugins that require access to the desktop, that the mozilla_plugin lockdown will not allow, so either you need to turn off the mozilla_plugin lockdown or not use these packages. SELinux denied access requested by $SOURCE. It is not expected that this access is required by $SOURCE and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. spice-xpi run applications within mozilla-plugins that require access to the desktop, that the mozilla_plugin lockdown will not allow, so either you need to turn off the mozilla_plugin lockdown or not use these packages. SELinux denied access requested by the $SOURCE command. It looks like this is either a leaked descriptor or $SOURCE output was redirected to a file it is not allowed to access. Leaks usually can be ignored since SELinux is just closing the leak and reporting the error. 
The application does not use the descriptor, so it will run properly. If this is a redirection, you will not get output in the $TARGET_PATH. You should generate a bugzilla on selinux-policy, and it will get routed to the appropriate package. You can safely ignore this avc. SELinux denied access to $TARGET_PATH requested by $SOURCE. $TARGET_PATH has a context used for sharing by a different program. If you would like to share $TARGET_PATH from $SOURCE also, you need to change its file context to public_content_t. If you did not intend to allow this access, this could signal an intrusion attempt. SELinux denied cvs access to $TARGET_PATH. If this is a CVS repository it needs to have a file context label of cvs_data_t. If you did not intend to use $TARGET_PATH as a CVS repository it could indicate either a bug or it could signal an intrusion attempt. SELinux denied samba access to $TARGET_PATH. If you want to share this directory with samba it has to have a file context label of samba_share_t. If you did not intend to use $TARGET_PATH as a samba repository, this message could indicate either a bug or an intrusion attempt. Please refer to 'man samba_selinux' for more information on setting up Samba and SELinux. SELinux denied svirt access to $TARGET_PATH. If this is a virtualization image, it has to have a file context label of virt_image_t. The system is setup to label image files in directory /var/lib/libvirt/images correctly. We recommend that you copy your image file to /var/lib/libvirt/images. If you really want to have your image files in the current directory, you can relabel $TARGET_PATH to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this new path to the system defaults. If you did not intend to use $TARGET_PATH as a virtualization image it could indicate either a bug or an intrusion attempt. SELinux denied svirt access to the block device $TARGET_PATH. 
If this is a virtualization image, it needs to be labeled with a virtualization file context (virt_image_t). You can relabel $TARGET_PATH to be virt_image_t using chcon. You also need to execute semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' to add this new path to the system defaults. If you did not intend to use $TARGET_PATH as a virtualization image it could indicate either a bug or an intrusion attempt. SELinux denied xen access to $TARGET_PATH. If this is a XEN image, it has to have a file context label of xen_image_t. The system is setup to label image files in directory /var/lib/xen/images correctly. We recommend that you copy your image file to /var/lib/xen/images. If you really want to have your xen image files in the current directory, you can relabel $TARGET_PATH to be xen_image_t using chcon. You also need to execute semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH' to add this new path to the system defaults. If you did not intend to use $TARGET_PATH as a xen image it could indicate either a bug or an intrusion attempt. SELinux has denied $SOURCE from connecting to a network port $PORT_NUMBER which does not have an SELinux type associated with it. If $SOURCE should be allowed to connect on $PORT_NUMBER, use the semanage command to assign $PORT_NUMBER to a port type that $SOURCE_TYPE can connect to (%s). If $SOURCE is not supposed to connect to $PORT_NUMBER, this could signal an intrusion attempt. SELinux has denied $SOURCE from connecting to a network port $PORT_NUMBER within a sandbox. If $SOURCE should be allowed to connect on $PORT_NUMBER, you need to use a different sandbox type like sandbox_web_t or sandbox_net_t. # sandbox -X -t sandbox_net_t $SOURCE If $SOURCE is not supposed to connect to $PORT_NUMBER, this could signal an intrusion attempt. SELinux has denied the $SOURCE access to potentially mislabeled files $TARGET_PATH. This means that SELinux will not allow httpd to use these files. 
If httpd should be allowed this access to these files you should change the file context to one of the following types, %s. Many third party apps install html files in directories that SELinux policy cannot predict. These directories have to be labeled with a file context which httpd can access. SELinux has denied the $SOURCE from binding to a network port $PORT_NUMBER which does not have an SELinux type associated with it. If $SOURCE should be allowed to listen on $PORT_NUMBER, use the semanage command to assign $PORT_NUMBER to a port type that $SOURCE_TYPE can bind to (%s). If $SOURCE is not supposed to bind to $PORT_NUMBER, this could signal an intrusion attempt. SELinux has denied the $SOURCE the ability to mmap low area of the kernel address space. The ability to mmap a low area of the address space is configured by /proc/sys/kernel/mmap_min_addr. Preventing such mappings helps protect against exploiting null deref bugs in the kernel. All applications that need this access should have already had policy written for them. If a compromised application tries to modify the kernel, this AVC would be generated. This is a serious issue. Your system may very well be compromised. SELinux has denied the $SOURCE_PATH from executing potentially mislabeled files $TARGET_PATH. Automounter can be setup to execute configuration files. If $TARGET_PATH is an automount executable configuration file it needs to have a file label of bin_t. If automounter is trying to execute something that it is not supposed to, this could indicate an intrusion attempt. SELinux has denied the http daemon from sending mail. An httpd script is trying to connect to a mail port or execute the sendmail command. If you did not setup httpd to sendmail, this could signal an intrusion attempt. SELinux has prevented $SOURCE from loading a kernel module. All confined programs that need to load kernel modules should have already had policy written for them. 
If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised. SELinux has prevented $SOURCE from modifying $TARGET. This denial indicates $SOURCE was trying to modify the selinux policy configuration. All applications that need this access should have already had policy written for them. If a compromised application tries to modify the SELinux policy this AVC will be generated. This is a serious issue. Your system may very well be compromised. SELinux has prevented $SOURCE from modifying $TARGET. This denial indicates $SOURCE was trying to modify the way the kernel runs or to actually insert code into the kernel. All applications that need this access should have already had policy written for them. If a compromised application tries to modify the kernel this AVC will be generated. This is a serious issue. Your system may very well be compromised. SELinux has prevented $SOURCE from writing to a file under /sys/fs/selinux. Files under /sys/fs/selinux control the way SELinux is configured. All programs that need to write to files under /sys/fs/selinux should have already had policy written for them. If a compromised application tries to turn off SELinux this AVC will be generated. This is a serious issue. Your system may very well be compromised. SELinux has prevented vbetool from performing an unsafe memory operation. SELinux has prevented wine from performing an unsafe memory operation. SELinux is preventing $SOURCE from creating a file with a context of $SOURCE_TYPE on a filesystem. Usually this happens when you ask the cp command to maintain the context of a file when copying between file systems, "cp -a" for example. Not all file contexts should be maintained between the file systems. For example, a read-only file type like iso9660_t should not be placed on a r/w system. "cp -p" might be a better solution, as this will adopt the default file context for the destination. 
SELinux is preventing $SOURCE_PATH "$ACCESS" access on $TARGET_PATH. SELinux is preventing $SOURCE_PATH "$ACCESS" access to $TARGET_PATH. SELinux is preventing $SOURCE_PATH "$ACCESS" access to device $TARGET_PATH. SELinux is preventing $SOURCE_PATH "$ACCESS" to $TARGET_PATH. SELinux is preventing $SOURCE_PATH access to a leaked $TARGET_PATH file descriptor. SELinux is preventing $SOURCE_PATH from binding to port $PORT_NUMBER. SELinux is preventing $SOURCE_PATH from changing the access protection of memory on the heap. SELinux is preventing $SOURCE_PATH from connecting to port $PORT_NUMBER. SELinux is preventing $SOURCE_PATH from creating a file with a context of $SOURCE_TYPE on a filesystem. SELinux is preventing $SOURCE_PATH from loading $TARGET_PATH which requires text relocation. SELinux is preventing $SOURCE_PATH from making the program stack executable. SELinux is preventing $SOURCE_PATH the "$ACCESS" capability. SELinux is preventing $SOURCE_PATH the "sys_resource" capability. SELinux is preventing Samba ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH. SELinux is preventing access to a file labeled unlabeled_t. SELinux is preventing cvs ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH SELinux is preventing the $SOURCE_PATH from executing potentially mislabeled files $TARGET_PATH. SELinux is preventing the http daemon from sending mail. SELinux is preventing xen ($SOURCE_PATH) "$ACCESS" access to $TARGET_PATH. SELinux permission checks on files labeled unlabeled_t are being denied. unlabeled_t is a context the SELinux kernel gives to files that do not have a label. This indicates a serious labeling problem. No files on an SELinux box should ever be labeled unlabeled_t. If you have just added a disk drive to the system, you can relabel it using the restorecon command. For example if you saved the home directory from a previous installation that did not use SELinux, 'restorecon -R -v /home' will fix the labels. Otherwise you should relabel the entire file system. 
SELinux policy is preventing an httpd script from writing to a public directory. SELinux policy is preventing an httpd script from writing to a public directory. If httpd is not setup to write to public directories, this could signal an intrusion attempt. SELinux prevented $SOURCE from mounting a filesystem on the file or directory "$TARGET_PATH" of type "$TARGET_TYPE". By default SELinux limits the mounting of filesystems to only some files or directories (those with types that have the mountpoint attribute). The type "$TARGET_TYPE" does not have this attribute. You can change the label of the file or directory. SELinux prevented $SOURCE from mounting on the file or directory "$TARGET_PATH" (type "$TARGET_TYPE"). SELinux prevented httpd $ACCESS access to $TARGET_PATH. httpd scripts are not allowed to write to content without explicit labeling of all files. If $TARGET_PATH is writable content, it needs to be labeled httpd_sys_rw_content_t or if all you need is append you can label it httpd_sys_ra_content_t. Please refer to 'man httpd_selinux' for more information on setting up httpd and selinux. SELinux prevented httpd $ACCESS access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the $BOOLEAN turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is read only content, it needs to be labeled httpd_TYPE_content_t. If it is writable content, it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon command to change these contexts. Please refer to the man page "man httpd_selinux" or FAQ "TYPE" refers to one of "sys", "user" or "staff" or potentially other script types. SELinux prevented httpd $ACCESS access to http files. SELinux prevented the ftp daemon from $ACCESS files stored on a CIFS filesystem. 
SELinux prevented the ftp daemon from $ACCESS files stored on a CIFS filesystem. CIFS (Common Internet File System) is a network filesystem similar to SMB (http://www.microsoft.com/mind/1196/cifs.asp) The ftp daemon attempted to read one or more files or directories from a mounted filesystem of this type. As CIFS filesystems do not support fine-grained SELinux labeling, all files and directories in the filesystem will have the same security context. If you have not configured the ftp daemon to read files from a CIFS filesystem this access attempt could signal an intrusion attempt. SELinux prevented the ftp daemon from $ACCESS files stored on a NFS filesystem. SELinux prevented the ftp daemon from $ACCESS files stored on a NFS filesystem. NFS (Network Filesystem) is a network filesystem commonly used on Unix / Linux systems. The ftp daemon attempted to read one or more files or directories from a mounted filesystem of this type. As NFS filesystems do not support fine-grained SELinux labeling, all files and directories in the filesystem will have the same security context. If you have not configured the ftp daemon to read files from a NFS filesystem this access attempt could signal an intrusion attempt. Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. The $SOURCE application attempted to change the access protection of memory on the heap (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. 
If $SOURCE does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package. The $SOURCE application attempted to load $TARGET_PATH which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow $TARGET_PATH to use relocation as a workaround, until the library is fixed. Please file a bug report. The $SOURCE application attempted to load $TARGET_PATH which requires text relocation. This is a potential security problem. Most libraries should not need this permission. The SELinux Memory Protection Tests web page explains this check. This tool examined the library and it looks like it was built correctly. So setroubleshoot can not determine if this application is compromised or not. This could be a serious issue. Your system may very well be compromised. Contact your security administrator and report this issue. The $SOURCE application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If $SOURCE does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report. Use a command like "cp -p" to preserve all permissions except SELinux context. 
You can alter the file context by executing chcon -R -t cvs_data_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t cvs_data_t '$FIX_TARGET_PATH'" You can alter the file context by executing chcon -R -t rsync_data_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t rsync_data_t '$FIX_TARGET_PATH'" You can alter the file context by executing chcon -R -t samba_share_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH'" You can alter the file context by executing chcon -t public_content_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t public_content_t '$FIX_TARGET_PATH'" You can alter the file context by executing chcon -t swapfile_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t swapfile_t '$FIX_TARGET_PATH'" You can alter the file context by executing chcon -t virt_image_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'" You can alter the file context by executing chcon -t xen_image_t '$TARGET_PATH' You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH'" You can execute the following command as root to relabel your computer system: "touch /.autorelabel; reboot" You can generate a local policy module to allow this access - see FAQ Please file a bug report. 
You can generate a local policy module to allow this access - see FAQ You can restore the default system context to this file by executing the restorecon command. # restorecon -R /root/.ssh You can restore the default system context to this file by executing the restorecon command. # restorecon -R /root/.ssh You can restore the default system context to this file by executing the restorecon command. restorecon '$SOURCE_PATH'. You can restore the default system context to this file by executing the restorecon command. restorecon '$TARGET_PATH', if this file is a directory, you can recursively restore using restorecon -R '$TARGET_PATH'. Your system may be seriously compromised! Your system may be seriously compromised! $SOURCE_PATH attempted to mmap low kernel memory. Your system may be seriously compromised! $SOURCE_PATH tried to load a kernel module. Your system may be seriously compromised! $SOURCE_PATH tried to modify SELinux enforcement. Your system may be seriously compromised! $SOURCE_PATH tried to modify kernel configuration. Disable IPV6 properly. Either remove the mozplugger package by executing 'yum remove mozplugger' Or turn off enforcement of SELinux over the Firefox plugins. setsebool -P unconfined_mozilla_plugin_transition 0 Either remove the mozplugger or spice-xpi package by executing 'yum remove mozplugger spice-xpi' or turn off enforcement of SELinux over the Firefox plugins. setsebool -P unconfined_mozilla_plugin_transition 0 Either remove the mozplugger or spice-xpi package by executing 'yum remove mozplugger spice-xpi', or turn off enforcement of SELinux over the Chrome plugins. setsebool -P unconfined_chrome_sandbox_transition 0 If you decide to continue to run the program in question you will need to allow this operation. This can be done on the command line by executing: # setsebool -P mmap_low_allowed 1 SELinux denied an operation requested by $SOURCE, a program used to alter video hardware state. 
This program is known to use an unsafe operation on system memory but so are a number of malware/exploit programs which masquerade as vbetool. This tool is used to reset video state when a machine resumes from a suspend. If your machine is not resuming properly your only choice is to allow this operation and reduce your system security against such malware. SELinux denied an operation requested by wine-preloader, a program used to run Windows applications under Linux. This program is known to use an unsafe operation on system memory but so are a number of malware/exploit programs which masquerade as wine. If you were attempting to run a Windows program your only choices are to allow this operation and reduce your system security against such malware or to refrain from running Windows applications under Linux. If you were not attempting to run a Windows application this indicates you are likely being attacked by some form of malware or program trying to exploit your system for nefarious purposes. Please refer to http://wiki.winehq.org/PreloaderPageZeroProblem which outlines the other problems wine encounters due to its unsafe use of memory and solutions to those problems. Turn on full auditing # auditctl -w /etc/shadow -p w Try to recreate AVC. Then execute # ausearch -m avc -ts recent If you see PATH record check ownership/permissions on file, and fix it, otherwise report as a bugzilla. You tried to place a type on a %s that is not a file type. This is not allowed, you must assign a file type. You can list all file types using the seinfo command. seinfo -afile_type -x Changing the "$BOOLEAN" and "$WRITE_BOOLEAN" booleans to true will allow this access: "setsebool -P $BOOLEAN=1 $WRITE_BOOLEAN=1". warning: setting the "$WRITE_BOOLEAN" boolean to true will allow the ftp daemon to write to all public content (files and directories with type public_content_t) in addition to writing to files and directories on CIFS filesystems. 
Changing the "allow_ftpd_use_nfs" and "ftpd_anon_write" booleans to true will allow this access: "setsebool -P allow_ftpd_use_nfs=1 ftpd_anon_write=1". warning: setting the "ftpd_anon_write" boolean to true will allow the ftp daemon to write to all public content (files and directories with type public_content_t) in addition to writing to files and directories on NFS filesystems.
# ausearch -x $SOURCE_PATH --raw | audit2allow -D -M my-$SOURCE
# semodule -X 300 -i my-$SOURCE.pp
# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH' where FILE_TYPE is one of the following: %s. Then execute: restorecon -v '$FIX_TARGET_PATH'
# semanage fcontext -a -t SIMILAR_TYPE '$FIX_TARGET_PATH'
# restorecon -v '$FIX_TARGET_PATH'
# semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH%s'
# restorecon %s -v '$FIX_TARGET_PATH'
# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'
# restorecon -v '$FIX_TARGET_PATH'
# semanage port -a -t %s -p %s $PORT_NUMBER
# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER where PORT_TYPE is one of the following: %s.
A process might be attempting to hack into your system.
Add net.ipv6.conf.all.disable_ipv6 = 1 to /etc/sysctl.conf
Allow this access for now by executing:
# ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME
# semodule -X 300 -i my-$MODULE_NAME.pp
Change file context.
Change label
Change label on the library.
Change the file label to xen_image_t.
Contact your security administrator and report this issue.
Disable SELinux controls on Chrome plugins
Enable booleans
Enable booleans.
If $TARGET_BASE_PATH is a virtualization target
If $TARGET_BASE_PATH should be shared via the RSYNC daemon
If $TARGET_BASE_PATH should be shared via the cvs daemon
If you believe $SOURCE_BASE_PATH should be allowed to create $TARGET_BASE_PATH files
If you believe $SOURCE_PATH tried to disable SELinux.
If you believe that %s should not require execstack
If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on $TARGET_CLASS labeled $TARGET_TYPE by default.
If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on processes labeled $TARGET_TYPE by default.
If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on the $TARGET_BASE_PATH $TARGET_CLASS by default.
If you believe that $SOURCE_BASE_PATH should have the $ACCESS capability by default.
If you did not directly cause this AVC through testing.
If you do not believe that $SOURCE_PATH should be attempting to modify the kernel by loading a kernel module.
If you do not believe your $SOURCE_PATH should be modifying the kernel, by loading kernel modules
If you do not think $SOURCE_BASE_PATH should try $ACCESS access on $TARGET_BASE_PATH.
If you do not think $SOURCE_PATH should need to map heap memory that is both writable and executable.
If you do not think $SOURCE_PATH should need to map stack memory that is both writable and executable.
If you do not think $SOURCE_PATH should need to mmap low memory in the kernel.
If you do not want processes to require capabilities to use up all the system resources on your system;
If you think this is caused by a badly mislabeled machine.
If you want to %s
If you want to allow $SOURCE_BASE_PATH to mount on $TARGET_BASE_PATH.
If you want to allow $SOURCE_PATH to be able to write to shared public content
If you want to allow $SOURCE_PATH to bind to network port $PORT_NUMBER
If you want to allow $SOURCE_PATH to connect to network port $PORT_NUMBER
If you want to allow ftpd to write to cifs file systems
If you want to allow ftpd to write to nfs file systems
If you want to allow httpd to execute cgi scripts and to unify HTTPD handling of all content files.
If you want to allow httpd to send mail
If you want to change the label of $TARGET_PATH to %s, you are not allowed to since it is not a valid file type.
If you want to disable IPV6 on this machine
If you want to fix the label. $SOURCE_PATH default label should be %s.
If you want to fix the label. $TARGET_PATH default label should be %s.
If you want to help identify if domain needs this access or you have a file with the wrong permissions on your system
If you want to ignore $SOURCE_BASE_PATH trying to $ACCESS access the $TARGET_BASE_PATH $TARGET_CLASS, because you believe it should not need this access.
If you want to ignore this AVC because it is dangerous and your machine seems to be working correctly.
If you want to ignore this AVC because it is dangerous and your wine applications are working correctly.
If you want to modify the label on $TARGET_BASE_PATH so that $SOURCE_BASE_PATH can have $ACCESS access on it
If you want to mv $TARGET_BASE_PATH to standard location so that $SOURCE_BASE_PATH can have $ACCESS access
If you want to continue using SELinux Firefox plugin containment rather than using mozplugger package
If you want to treat $TARGET_BASE_PATH as public content
If you want to use the %s package
Relabel the whole file system. Includes reboot!
Restore Context
Restore Context
SELinux is preventing $SOURCE_PATH "$ACCESS" access.
Set the image label to virt_image_t.
This is caused by a newly created file system.
Try to fix the label.
Turn off memory protection
You can read '%s' man page for more details.
You might have been hacked.
You must tell SELinux about this by enabling the '%s' boolean.
You need to change the label on $FIX_TARGET_PATH
You need to change the label on $TARGET_BASE_PATH
You need to change the label on $TARGET_BASE_PATH to public_content_t or public_content_rw_t.
You need to change the label on $TARGET_BASE_PATH'
You need to change the label on $TARGET_PATH to a type of a similar device.
You need to change the label on '$FIX_TARGET_PATH'
You should report this as a bug. You can generate a local policy module to allow this access.
You should report this as a bug.
You can generate a local policy module to dontaudit this access.execstack -c %sif you think that you might have been hackedsetsebool -P %s %sturn on full auditing to get path information about the offending file and generate the error again.use a command like "cp -p" to preserve all permissions except SELinux context.you can run restorecon.you can run restorecon. The access attempt may have been stopped due to insufficient permissions to access a parent directory in which case try to change the following command accordingly.you may be under attack by a hacker, since confined applications should never need this access.you may be under attack by a hacker, since confined applications should not need this access.you may be under attack by a hacker, this is a very dangerous access.you must change the labeling on $TARGET_PATH.you must fix the labels.you must move the cert file to the ~/.cert directoryyou must pick a valid file label.you must remove the mozplugger package.you must setup SELinux to allow thisyou must tell SELinux about thisyou must tell SELinux about this by enabling the 'httpd_unified' and 'http_enable_cgi' booleansyou must tell SELinux about this by enabling the vbetool_mmap_zero_ignore boolean.you must tell SELinux about this by enabling the wine_mmap_zero_ignore boolean.you must turn off SELinux controls on the Chrome plugins.you must turn off SELinux controls on the Firefox plugins.you need to add labels to it.you need to change the label on $TARGET_PATH to public_content_rw_t, and potentially turn on the allow_httpd_sys_script_anon_write boolean.you need to diagnose why your system is running out of system resources and fix the problem. According to /usr/include/linux/capability.h, sys_resource is required to: /* Override resource limits. Set resource limits. */ /* Override quota limits. 
*/ /* Override reserved space on ext2 filesystem */ /* Modify data journaling mode on ext3 filesystem (uses journaling resources) */ /* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too */ /* Override size restrictions on IPC message queues */ /* Allow more than 64hz interrupts from the real-time clock */ /* Override max number of consoles on console allocation */ /* Override max number of keymaps */ you need to fully relabel.you need to modify the sandbox type. sandbox_web_t or sandbox_net_t. For example: sandbox -X -t sandbox_net_t $SOURCE_PATH Please read 'sandbox' man page for more details. you need to report a bug. This is a potentially dangerous access.you need to report a bug. This is a potentially dangerous access.you need to set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and do not blacklist the module'you need to use a different command. You are not allowed to preserve the SELinux context on the target file system.you should clear the execstack flag and see if $SOURCE_PATH works correctly. Report this as a bug on %s. You can clear the exestack flag by executing:Project-Id-Version: PACKAGE VERSION Report-Msgid-Bugs-To: PO-Revision-Date: 2021-03-25 04:02+0000 Last-Translator: simmon Language-Team: Korean Language: ko MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Plural-Forms: nplurals=1; plural=0; X-Generator: Weblate 4.5.1 \tdac_override ë° dac_read_search ê¸°ëŠ¥ì€ ì¼ë°˜ì ìœ¼ë¡œ root 프로세스가 권한 플래그를 기반으로 하는 파ì¼ì— 액세스할 수 없는 ê²ƒì„ í‘œì‹œí•©ë‹ˆë‹¤. ì´ëŠ” ì¼ë°˜ì ìœ¼ë¡œ 사용ìžê°€ ì¼ë¶€ 파ì¼ì— 대해 ìž˜ëª»ëœ ì†Œìœ ê¶Œ/ê¶Œí•œì„ ê°€ì§€ê³  있ìŒì„ ì˜ë¯¸í•©ë‹ˆë‹¤. SELinux는 $SOURCEì— ì˜í•´ ìš”ì²­ëœ ì ‘ê·¼ì„ ê±°ë¶€í•©ë‹ˆë‹¤. $SOURCEì— ì˜í•´ ìš”ì²­ëœ ì ‘ê·¼ë¥¼ 예ìƒí•˜ì§€ 못했으며 ì´ëŸ¬í•œ ì ‘ê·¼ì€ ì¹¨ìž…ì„ ì‹œë„했다는 신호를 나타낼 수 있습니다. ì´ëŠ” ì‘ìš©í”„ë¡œê·¸ëž¨ì˜ íŠ¹ì • 버전 ë˜ëŠ” ì„¤ì •ì´ ì¶”ê°€ì  ì ‘ê·¼ì„ í•„ìš”ë¡œ 하기 ë•Œë¬¸ì¼ ìˆ˜ ë„ ìžˆìŠµë‹ˆë‹¤. 
SELinux는 $SOURCEì— ì˜í•´ ìš”ì²­ëœ ì•¡ì„¸ìŠ¤ë¥¼ 거부합니다. 현재 boolean ì„¤ì •ì€ ì´ëŸ¬í•œ 접근를 허용하지 않습니다. ì´ëŸ¬í•œ 접근를 허용하기 위해 $SOURCE를 설정하지 ì•Šì€ ê²½ìš° ì¹¨ìž…ì‹œë„ ì‹ í˜¸ê°€ 나타날 수 있습니다. ì´ ì ‘ê·¼ì„ í—ˆìš©í•˜ê³ ìž í•  경우 ì‹œìŠ¤í…œì˜ ë¶€ìš¸ì„ ë³€ê²½í•˜ì—¬ ì ‘ê·¼ì„ í—ˆìš©í•©ë‹ˆë‹¤. SELinuxê°€ ê±°ë¶€ë˜ì—ˆìŠµë‹ˆë‹¤. $SOURCE "$ACCESS"ìž¥ì¹˜ì— ëŒ€í•œ ì ‘ê·¼ $TARGET_통로. $TARGET_PATHì˜ ë ˆì´ë¸”ì´ ìž˜ëª» 지정ë˜ë©´ì´ 장치는 / dev ë””ë ‰í† ë¦¬ì˜ ê¸°ë³¸ ì´ë¦„í‘œì„ ê°–ìŠµë‹ˆë‹¤. 모든 ë¬¸ìž ë° / ë˜ëŠ” ë¸”ë¡ ìž¥ì¹˜ì—는 ë ˆì´ë¸”ì´ ìžˆì–´ì•¼í•©ë‹ˆë‹¤. restorecon -v '$TARGET_PATH'. $TARGET_통로'. ì´ ìž¥ì¹˜ì— device_të¼ëŠ” ì´ë¦„표가 지정ë˜ì–´ 있으면 SELinux ì •ì±…ì˜ ê²°ì ìž…니다. ê²°ì  ë³´ê³ ì„œë¥¼ 제출하십시오. 다른 비슷한 장치 ë ˆì´ë¸” ì¸ ls -lZ / dev / similì„ë³´ê³  다ìŒê³¼ ê°™ì€ ìœ í˜•ì˜ ìž¥ì¹˜ë¥¼ 찾으십시오. $TARGET_PATH를 사용하면 chcon -t SIMILAR_TYPE '$TARGET_PATH ',ì´ ë¬¸ì œê°€ í•´ê²°ë˜ë©´ semanage fcontext -a -t SIMILAR_TYPE'ì„ ì‹¤í–‰í•˜ì—¬ì´ ë¬¸ì œë¥¼ í•´ê²°í•  수 있습니다. $FIX_TARGET_PATH 'restoreconì´ ì»¨í…스트를 변경하면 장치를 작성한 ì‘ìš© í”„ë¡œê·¸ëž¨ì´ SELinux API를 사용하지 않고 작성ë˜ì—ˆìŒì„ 나타냅니다. ì–´ë–¤ ì‘ìš© í”„ë¡œê·¸ëž¨ì´ ìž¥ì¹˜ë¥¼ 만들 었는지 알 수 ìžˆë‹¤ë©´ì´ ì‘ìš© í”„ë¡œê·¸ëž¨ì— ëŒ€í•œ ê²°ì  ë³´ê³ ì„œë¥¼ 제출하십시오. restorecon -v '$TARGET_PATH' ë˜ëŠ” chcon -t SIMILAR_TYPE '$TARGET_PATH' ì‹œë„ "$BOOLEAN" ë¶€ìš¸ì„ true로 변경하는 ê²ƒì€ ì´ëŸ¬í•œ 액세스를 허용합니다: "setsebool -P $BOOLEAN=1" "$BOOLEAN" ë¶€ìš¸ì„ true로 변경하여 ì´ëŸ¬í•œ 액세스를 허용합니다: "setsebool -P $BOOLEAN=1." "allow_ftpd_use_nfs" ë¶€ìš¸ì„ true로 변경하여 ì´ëŸ¬í•œ 액세스를 허용합니다: "setsebool -P allow_ftpd_use_nfs=1." íŒŒì¼ ë¬¸ë§¥ì„ mnt_t로 변경하면 íŒŒì¼ ì‹œìŠ¤í…œì„ ì ìž¬í•˜ë„ë¡ ë§ˆìš´íŠ¸ 허용하게 ë©ë‹ˆë‹¤ "chcon -t mnt_t '$TARGET_PATH'." ì „ì²´ ì´ë¦„표 변경 시 ì´ë¥¼ 보존하기 위해 ì‹œìŠ¤í…œì˜ ê¸°ë³¸ê°’ íŒŒì¼ ë¬¸ë§¥ 파ì¼ì„ 변경해야 합니다. "semanage fcontext -a -t mnt_t '$FIX_TARGET_PATH'" í•œì •ëœ ë„ë©”ì¸ì—는 "sys_resource"를 필요로 하지 않습니다. ì´ëŠ” ì¼ë°˜ì ìœ¼ë¡œ ë””ìŠ¤í¬ ê³µê°„, 메모리, 쿼터 등과 ê°™ì€ ì‹œìŠ¤í…œ 리소스가 부족하다는 ê²ƒì„ ì˜ë¯¸í•©ë‹ˆë‹¤. ë””ìŠ¤í¬ ê³µê°„ì„ í™•ë³´í•˜ë©´ AVC 메세지가 표시ë˜ì§€ ì•Šì„ ê²ƒìž…ë‹ˆë‹¤. 
ë””ìŠ¤í¬ ê³µê°„ì„ í™•ë³´í•˜ê³ ë„ AVC 메세지가 계ì†í•˜ì—¬ 표시ë˜ëŠ” 경우 버그로 보고하십시오. ì œí•œëœ í”„ë¡œì„¸ìŠ¤ëŠ” 다른 필요한 액세스를 실행하기 위해 설정할 수 있습니다. SELinux는 필요한 액세스 on/off를 허용하는 ë¶€ìš¸ì„ ì œê³µí•©ë‹ˆë‹¤. httpd 스í¬ë¦½íŠ¸ê°€ 공용 ë””ë ‰í† ë¦¬ì— ì“°ê¸°í•  수 있ë„ë¡ í—ˆìš©í•˜ëŠ” 경우 $BOOLEAN ë¶€ìš¸ì„ í™œì„±í™”í•˜ê³  공용 ë””ë ‰í† ë¦¬ì˜ íŒŒì¼ ë¬¸ë§¥ì„ public_content_rw_t로 변경해야 합니다. 보다 ìžì„¸í•œ ë‚´ìš©ì€ httpd_selinux man 페ì´ì§€ë¥¼ 참조하십시오: "setsebool -P $BOOLEAN=1; chcon -t public_content_rw_t " ë˜í•œ ì‹œìŠ¤í…œì˜ ë””í´íЏ íŒŒì¼ ë¬¸ë§¥ ë ˆì´ë¸” 설정 파ì¼ì„ 변경하여 ì „ì²´ ë ˆì´ë¸” 설정ì—서 공용 디렉토리 ë ˆì´ë¸” ì„¤ì •ì„ ìœ ì§€í•˜ë„ë¡ í•´ì•¼ 합니다. "semanage fcontext -a -t public_content_rw_t " $TARGET_PATHê°€ 올바르게 ìž‘ë™í•œë‹¤ê³  확신하신다면, íŒŒì¼ ë¬¸ë§¥ì„ textrel_shlib_t로 변경하실 수 있습니다. "chcon -t textrel_shlib_t '$TARGET_PATH'" ì „ì²´ ë ˆì´ë¸” 변경 시ì—ë¼ë„ ì´ë¥¼ 보존하기 위해 ì‹œìŠ¤í…œì˜ ê¸°ë³¸ê°’ íŒŒì¼ ë¬¸ë§¥ 파ì¼ì„ 변경해야 합니다. "semanage fcontext -a -t textrel_shlib_t '$FIX_TARGET_PATH'" $SOURCE를 ê³„ì† ì§„í–‰í•˜ì‹œë ¤ë©´, $BOOLEAN ë¶€ìš¸ì„ ì¼œì•¼ë§Œ 합니다. 알림: ì´ëŸ¬í•œ ë¶€ìš¸ì€ ì‹œìŠ¤í…œ ìƒì˜ 모든 ì‘ìš© í”„ë¡œê·¸ëž¨ì— ì˜í–¥ì„ 미치게 ë©ë‹ˆë‹¤. ì „ìžìš°íŽ¸ì„ ì „ì†¡í•˜ê¸° 위해 httpd를 ì‚¬ìš©í•˜ì‹œê³ ìž í•  경우 $BOOLEAN ë¶€ìš¸ì„ ìž‘ë™ì‹œí‚¤ì…”야 합니다: "setsebool -P $BOOLEAN=1" $SOURCE ê°€ í¬íЏ $PORT_NUMBERì— ë°”ì¸ë”©í•˜ê²Œ 하려면 ë‹¤ìŒ ëª…ë ¹ì„ ì‹¤í–‰í•©ë‹ˆë‹¤. # semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER 여기서 PORT_TYPEì€ ë‹¤ìŒì¤‘ 하나입니다: %s. ì‹œìŠ¤í…œì´ NIS í´ë¼ì´ì–¸íŠ¸ë¡œ 실행ë˜ê³  ìžˆì„ ê²½ìš°, allow_ypbind booleanì„ í™œì„±í™”í•˜ë©´ 문제를 í•´ê²°í•  수 ë„ ìžˆìŠµë‹ˆë‹¤. setsebool -P allow_ypbind=1. ë‹¹ì‹ ì´ $SOURCEê°€ $PORT_NUMBERì— ì—°ê²°í•˜ëŠ” ê²ƒì„ í—ˆìš©í•˜ê³ ìž í•˜ë©´, 다ìŒì„ 실행합니다 # sandbox -X -t sandbox_net_t $SOURCE $SOURCEê°€ $PORT_NUMBERì— ì—°ê²°í•˜ëŠ” ê²ƒì„ í—ˆìš©í•˜ë ¤ë©´ 다ìŒì„ 실행합니다 # semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER 여기서 PORT_TYPEì€ ë‹¤ìŒ ì¤‘ 하나가 ë©ë‹ˆë‹¤: %s. $TARGET_PATHì˜ íŒŒì¼ ë¬¸ë§¥ì„ ë³€ê²½í•˜ì—¬ ìžë™ 마운트가 ì´ë¥¼ 실행하게 하려면 "chcon -t bin_t $TARGET_PATH"를 실행합니다. 
ì´ë¥¼ ë ˆì´ë¸” 후ì—ë„ ë‚¨ì•„ìžˆê²Œ 하려면 íŒŒì¼ ë¬¸ë§¥ì„ ì˜êµ¬ì ìœ¼ë¡œ 변경해야 합니다: "semanage fcontext -a -t bin_t '$FIX_TARGET_PATH'"를 실행합니다. SELinuxê°€ $SOURCE 액세스 $TARGET_PATHì— ëŒ€í•œ ì ‘ê·¼ $SOURCEê°€ ê±°ë¶€ë˜ì—ˆìŠµë‹ˆë‹¤. ì´ íŒŒì¼ì´ 스왑 파ì¼ì´ë©´ swapfile_të¼ëŠ” íŒŒì¼ ë‚´ìš© ì´ë¦„표가 있어야합니다. ë‹¹ì‹ ì´ ì‚¬ìš©í•˜ë ¤ê³ í•˜ì§€ 않았다면 $TARGET_ 스왑 파ì¼ë¡œ _PATH,ì´ ë©”ì‹œì§€ëŠ” ê²°ì  ë˜ëŠ” 침입 시ë„를 나타낼 수 있습니다. SELinuxê°€ RSYNCì— $TARGET_í†µë¡œì— ëŒ€í•œ ì ‘ê·¼ì„ ê±°ë¶€í–ˆìŠµë‹ˆë‹¤. RSYNC 저장소 ì¸ ê²½ìš° rsync_data_të¼ëŠ” íŒŒì¼ ë‚´ìš© ì´ë¦„표가 있어야합니다. ë‹¹ì‹ ì´ ì‚¬ìš©í•˜ë ¤ê³ í•˜ì§€ 않았다면 $TARGET_PATH를 RSYNC 저장소로 사용하는 경우 ì´ ë©”ì‹œì§€ëŠ” ê²°ì  ë˜ëŠ” 침입시ë„를 나타낼 수 있습니다. SELinuxê°€ 요청한 액세스를 거부했습니다. $SOURCE. $SOURCE_PATHê°€ 잘못 표시 ë  ìˆ˜ 있습니다. $SOURCE_PATH 기본 SELinux 유형 %s, 그러나 ì´ê²ƒì´ 현재 유형입니다 $SOURCE_유형. ì´ íŒŒì¼ì„ 기본 유형으로 다시 변경하면 문제가 í•´ê²° ë  ìˆ˜ 있습니다.

ì´ íŒŒì¼ì€ ì‚¬ìš©ìž ì˜¤ë¥˜ ë˜ëŠ” ì¼ë°˜ì ìœ¼ë¡œ ì œí•œëœ ì‘ìš© í”„ë¡œê·¸ëž¨ì´ ìž˜ëª»ëœ ë„ë©”ì¸ì—서 실행 ëœ ê²½ìš° 잘못 표시 ë  ìˆ˜ 있습니다.

그러나 ì´ê²ƒì€ 파ì¼ì´ì´ 유형으로 분류ë˜ì–´ì„œëŠ” 안ë˜ê¸° ë•Œë¬¸ì— SELinuxì˜ ê²°ì ë¥¼ 나타낼 ìˆ˜ë„ ìžˆìŠµë‹ˆë‹¤.

ì´ê²ƒì´ ê²°ì ì´ë¼ê³  ìƒê°ë˜ë©´ì´ ê¾¸ëŸ¬ë¯¸ì— ëŒ€í•œ ê²°ì  ë³´ê³ ì„œë¥¼ 제출하십시오. SELinuxê°€ 요청한 ì ‘ê·¼ì„ ê±°ë¶€í–ˆìŠµë‹ˆë‹¤. $SOURCE. $TARGET_PATHì— ìž˜ëª»ëœ ë ˆì´ë¸”ì´ í‘œì‹œë  ìˆ˜ 있습니다. $TARGET_PATHì˜ ê¸°ë³¸ SELinux 유형 %s, 하지만 í˜„ìž¬ì˜ ìœ í˜•ì€$TARGET_TYPE입니다. ì´ íŒŒì¼ì„ 기본 유형으로 다시 변경하면 문제가 í•´ê²°ë  ìˆ˜ 있습니다.

íŒŒì¼ ë‚´ìš©ëŠ” 다ìŒê³¼ ê°™ì€ ë°©ë²•ìœ¼ë¡œ 파ì¼ì— 할당 í•  수 있습니다.

ì´ íŒŒì¼ì€ ì‚¬ìš©ìž ì˜¤ë¥˜ ë˜ëŠ” ì¼ë°˜ì ìœ¼ë¡œ ì œí•œëœ ì‘ìš© í”„ë¡œê·¸ëž¨ì´ ìž˜ëª»ëœ ë„ë©”ì¸ì—서 실행 ëœ ê²½ìš° 잘못 표시 ë  ìˆ˜ 있습니다.

그러나 ì´ê²ƒì€ 파ì¼ì´ì´ 유형으로 분류ë˜ì–´ì„œëŠ” 안ë˜ê¸° ë•Œë¬¸ì— SELinuxì˜ ê²°ì ì¼ ìˆ˜ë„ ìžˆìŠµë‹ˆë‹¤.

ì´ê²ƒì´ ê²°ì ë¼ê³  ìƒê°ë˜ë©´ ì´ ê¾¸ëŸ¬ë¯¸(package)ì— ëŒ€í•œ ê²°ì  ë¦¬í¬íŠ¸ë¥¼ 제출하십시오. SELinuxê°€ 요청한 ì ‘ê·¼ì„ ê±°ë¶€í–ˆìŠµë‹ˆë‹¤. $SOURCE. $TARGET_PATHê°€ 잘못 표시 ë  ìˆ˜ 있습니다. openvpnì€ ì˜¬ë°”ë¥´ê²Œ ì´ë¦„표로 ëœ ê²½ìš° 홈 ë””ë ‰í† ë¦¬ì˜ ë‚´ìš©ì„ ì½ì„ 수 있습니다. SELinuxê°€ 요청한 액세스를 거부했습니다. $SOURCE. $TARGET_PATHê°€ 잘못 표시 ë  ìˆ˜ 있습니다. sshd는 올바르게 ì´ë¦„표가 ëœ ê²½ìš° /root/.ssh ë””ë ‰í† ë¦¬ì˜ ë‚´ìš©ì„ ì½ì„ 수 있습니다. SELinux는 $SOURCEì— ì˜í•´ ìš”ì²­ëœ ì•¡ì„¸ìŠ¤ë¥¼ 거부했습니다. ì´ ì ‘ê·¼ì€ $SOURCEì—서 필요한 ì ‘ê·¼ì´ ì•„ë‹ˆê¸° ë•Œë¬¸ì— ì¹¨ìž…ì„ ì‹œë„했다는 신호가 í‘œì‹œë  ìˆ˜ 있습니다. 애플리케ì´ì…˜ì˜ 특정 버전 ë˜ëŠ” ì„¤ì •ì´ ì¶”ê°€ ì ‘ê·¼ì„ í•„ìš”ë¡œ 하는 ì›ì¸ì´ ë  ê°€ëŠ¥ì„±ì´ ìžˆìŠµë‹ˆë‹¤. SELinux는 $SOURCEì— ì˜í•´ ìš”ì²­ëœ ì ‘ê·¼ë¥¼ 거부했습니다. ì´ ì•¡ì„¸ìŠ¤ëŠ” $SOURCEì—서 필요하지 않으므로 침입 ì‹œë„ ì‹ í˜¸ê°€ 나타날 수 있습니다. ë˜í•œ ì‘ìš©í”„ë¡œê·¸ëž¨ì˜ íŠ¹ì • 버전ì´ë‚˜ 설정ì—서 추가 ì ‘ê·¼ì„ í•„ìš”ë¡œ í•  수 있습니다. mozplugger ë° spice-xpi는 ë°ìФí¬í†±ìœ¼ë¡œì˜ ì ‘ê·¼ì´ í•„ìš”í•œ mozilla-pluginsì—서 ì‘ìš©í”„ë¡œê·¸ëž¨ì„ ì‹¤í–‰í•˜ì§€ë§Œ mozilla_plugin 잠금ì—서는 ì´ë¥¼ 허용하지 않기 ë•Œë¬¸ì— mozilla_plugin ìž ê¸ˆì„ í•´ì œí•˜ê±°ë‚˜ 꾸러미 ìžì²´ë¥¼ 사용하지 않ë„ë¡ í•©ë‹ˆë‹¤. SELinux는 $SOURCEì— ì˜í•´ ìš”ì²­ëœ ì ‘ê·¼ë¥¼ 거부했습니다. ì´ ì•¡ì„¸ìŠ¤ëŠ” $SOURCEì—서 필요하지 않으므로 침입 ì‹œë„ ì‹ í˜¸ê°€ 나타날 수 있습니다. ë˜í•œ ì‘ìš©í”„ë¡œê·¸ëž¨ì˜ íŠ¹ì • 버전ì´ë‚˜ ì„¤ì •ì´ ì¶”ê°€ 접근를 필요로 í•  수 있습니다. spice-xpi는 ë°ìФí¬í†±ìœ¼ë¡œì˜ ì ‘ê·¼ì´ í•„ìš”í•œ mozilla-pluginsì—서 ì‘ìš©í”„ë¡œê·¸ëž¨ì„ ì‹¤í–‰í•˜ì§€ë§Œ mozilla_plugin 잠금ì—서는 ì´ë¥¼ 허용하지 않기 ë•Œë¬¸ì— mozilla_plugin ìž ê¸ˆì„ í•´ì œí•˜ê±°ë‚˜ 꾸러미 ìžì²´ë¥¼ 사용하지 않ë„ë¡ í•©ë‹ˆë‹¤. SELinux는 $SOURCE ëª…ë ¹ì— ì˜í•´ ìš”ì²­ëœ ì ‘ê·¼ë¥¼ 거부합니다. ì´ëŠ” ëˆ„ì¶œëœ ì„œìˆ ìž ë˜ëŠ” $SOURCE 출력 결과가 접근를 허용하지 않는 파ì¼ë¡œ ë°©í–¥ ì „í™˜ëœ ê²ƒì²˜ëŸ¼ 보입니다. ëˆ„ì¶œëœ ì„œìˆ ìžëŠ” SELinuxê°€ ì´ë¥¼ 종료하고 오류를 보고하므로 무시할 수 있습니다. ì‘ìš©í”„ë¡œê·¸ëž¨ì€ ì„œìˆ ìžë¥¼ 사용하지 않으므로 올바르게 실행ë©ë‹ˆë‹¤. ì´ê²ƒì´ ë°©í–¥ ì „í™˜ì´ ëœ ê²½ìš°, $TARGET_PATHì—서 출력 결과를 ê°–ì§€ 않게 ë©ë‹ˆë‹¤. selinux-ì •ì±…ì— ëŒ€í•˜ 버그질ë¼ë¥¼ ìƒì„±í•˜ì—¬ 올바른 꾸러미로 ë¼ìš°íЏë˜ê²Œ 합니다. ì´ëŸ¬í•œ avc는 ë¬´ì‹œí•´ë„ ìƒê´€ 없습니다. 
SELinux는 $SOURCEê°€ 요청한 $TARGET_PATHë¡œì˜ ì ‘ê·¼ì„ ê±°ë¶€í•©ë‹ˆë‹¤. $TARGET_PATH는 다른 프로그램ì˜í•´ ê³µìœ í•˜ëŠ”ë° ì‚¬ìš©ë˜ëŠ” ë¬¸ë§¥ì„ ê°€ì§€ê³  있습니다. $SOURCEì—서 $TARGET_PATH를 ê³µìœ í•˜ì‹œê³ ìž í•  경우, íŒŒì¼ ë¬¸ë§¥ì„ public_content_t로 변경하셔야 합니다. ì´ëŸ¬í•œ ì ‘ê·¼ í—ˆìš©ì„ ì˜ë„하지 않으신 경우, ì¹¨ìž…ì„ ì‹œë„했다는 신호가 나타날 수 있습니다. SELinux는 $TARGET_PATH로 cvs 접근하는 ê²ƒì„ ê±°ë¶€í•©ë‹ˆë‹¤. ì´ê²ƒì´ CVS ì €ìž¥ì†Œì¼ ê²½ìš° cvs_data_tì˜ íŒŒì¼ ë¬¸ë§¥ ë ˆì´ë¸”ì„ ê°€ì§€ê³  있어야 합니다. CVS 저장소로 $TARGET_PATH를 ì‚¬ìš©í•˜ê³ ìž í•˜ì§€ 않으실 경우 ê²°ì •ì´ ë‚˜íƒ€ë‚˜ê±°ë‚˜ ë˜ëŠ” ì¹¨ìž…ì„ ì‹œë„했다는 신호가 나타날 수 있습니다. SELinuxê°€ Sambaì— ëŒ€í•œ $TARGET_PATH ì ‘ê·¼ì„ ê±°ë¶€í–ˆìŠµë‹ˆë‹¤. ì´ ë””ë ‰í† ë¦¬ë¥¼ 삼바와 공유하려면 íŒŒì¼ ë‚´ìš© ì´ë¦„표 samba_share_tê°€ 있어야합니다. ë‹¹ì‹ ì´ ì‚¬ìš©í•˜ë ¤ê³ í•˜ì§€ 않았다면 $TARGET_PATH를 samba 저장소로 사용하는 경우 ì´ ë©”ì‹œì§€ëŠ” ê²°ì  ë˜ëŠ” 침입 시ë„를 나타낼 수 있습니다. 삼바 ë° SELinux ì„¤ì •ì— ëŒ€í•œ ìžì„¸í•œ ë‚´ìš©ì€ 'man samba_selinux'를 참조하십시오. SELinux는 $TARGET_PATHë¡œì˜ svirt 액세스를 거부했습니다. ì´ê²ƒì´ ê°€ìƒí™” ì´ë¯¸ì§€ì¸ 경우virt_image_t로 ë ˆì´ë¸”ëœ íŒŒì¼ ë¬¸ë§¥ì„ ê°€ì§€ê³  있어야 합니다. ì´ ì‹œìŠ¤í…œì€ ë””ë ‰í† ë¦¬ /var/lib/libvirt/imagesì— ìžˆëŠ” ì´ë¯¸ì§€ 파ì¼ì„ 올바르게 ë ˆì´ë¸”í•  수 있ë„ë¡ ì„¤ì •ë˜ì–´ 있습니다. ì´ë¯¸ì§€ 파ì¼ì„ /var/lib/libvirt/imagesì— ë³µì‚¬í•˜ì‹¤ ê²ƒì„ ê¶Œìž¥í•©ë‹ˆë‹¤. 현재 ë””ë ‰í† ë¦¬ì— ì´ë¯¸ì§€ 파ì¼ì„ 보관하ë„ë¡ í•˜ë ¤ë©´, chconì„ ì‚¬ìš©í•˜ì—¬ $TARGET_PATH를 virt_image_t로 다시 ë ˆì´ë¸”í•  수 있습니다. ë˜í•œ 새 경로를 시스템 기본값으로 추가하기 위해 semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'를 실행해야 합니다. ê°€ìƒí™” ì´ë¯¸ì§€ë¡œì„œ $TARGET_PATH를 사용하려고 한 경우가 아니ë¼ë©´, ì´ê²ƒì€ 버그나 침입 시ë„를 나타내는 ì‹ í˜¸ì¼ ìˆ˜ 있습니다. SELinux는 ë¸”ë¡ ìž¥ì¹˜ $TARGET_PATHì— ëŒ€í•œ Svirt ì ‘ê·¼ì´ ê±°ë¶€ë˜ì—ˆìŠµë‹ˆë‹¤. ì´ ì´ë¯¸ì§€ê°€ ê°€ìƒí™” ì´ë¯¸ì§€ ì¸ê²½ìš° ê°€ìƒí™” íŒŒì¼ ë‚´ìš© (virt_image_t)로 ì´ë¦„표가 지정ë˜ì–´ì•¼í•©ë‹ˆë‹¤. chconì„ ì‚¬ìš©í•˜ì—¬ $TARGET_PATHì´ virt_image_tê°€ ë˜ë„ë¡ ì´ë¦„표를 다시 지정할 수 있습니다. ë˜í•œ semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH를 실행하여 새로운 경로를 시스템 ê¸°ë³¸ê°’ì— ì¶”ê°€í•´ì•¼ 합니다. 
$TARGET_PATH를 ê°€ìƒí™” ì´ë¯¸ì§€ë¡œ 사용하지 않으려는 경우 ê²°ì  ë˜ëŠ” 침입 시ë„를 나타낼 수 있습니다. SELinux는 $TARGET_PATHë¡œì˜ xen 액세스를 거부했습니다. ì´ê²ƒì´ XEN ì´ë¯¸ì§€ì¸ 경우 xen_image_t로 ë ˆì´ë¸”ëœ íŒŒì¼ ë¬¸ë§¥ì„ ê°€ì§€ê³  있어야 합니다. ì´ ì‹œìŠ¤í…œì€ ë””ë ‰í† ë¦¬ /var/lib/xen/imagesì— ìžˆëŠ” ì´ë¯¸ì§€ 파ì¼ì„ 올바르게 ë ˆì´ë¸”í•  수 있ë„ë¡ ì„¤ì •ë˜ì–´ 있습니다. ì´ë¯¸ì§€ 파ì¼ì„ /var/lib/xen/imagesì— ë³µì‚¬í•˜ì‹¤ ê²ƒì„ ê¶Œìž¥í•©ë‹ˆë‹¤. 현재 ë””ë ‰í† ë¦¬ì— xen ì´ë¯¸ì§€ 파ì¼ì„ 보관하ë„ë¡ í•˜ë ¤ë©´, chconì„ ì‚¬ìš©í•˜ì—¬ $TARGET_PATH를 xen_image_t로 다시 ë ˆì´ë¸”í•  수 있습니다. ë˜í•œ 새 경로를 시스템 기본값으로 추가하기 위해 semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH'를 실행해야 합니다. xen ì´ë¯¸ì§€ë¡œì„œ $TARGET_PATH를 사용하려고 한 경우가 아니ë¼ë©´, ì´ê²ƒì€ ê²°ì ì´ë‚˜ 침입 시ë„를 나타내는 ì‹ í˜¸ì¼ ìˆ˜ 있습니다. SELinuxê°€ ê±°ë¶€ë˜ì—ˆìŠµë‹ˆë‹¤. $SOURCE ë„¤íŠ¸ì›Œí¬ í¬íŠ¸ì— ì—°ê²°í•˜ëŠ” 중 $PORT_NUMBERì—는 SELinux ìœ í˜•ì´ ì—°ê²°ë˜ì–´ 있지 않습니다. 만약 $SOURCEì€ $PORT_NUMBERì— ì—°ê²°ì„ í—ˆìš©í•´ì•¼í•˜ë©° , $SOURCE_TYPEì€ (%s)ì— ì—°ê²° í•  수 있는 í¬íŠ¸ìœ í˜•ì— $PORT_NUMBER를 지정할 수 있는 명령semanageì„ ì‚¬ìš©í•©ë‹ˆë‹¤. 만약 $SOURCE는 $PORT_NUMBERì— ì—°ê²°í•˜ëŠ” ê²ƒì„ ì¶”ì¸¡ í•  수 없다면 ì´ëŠ” 침입 시ë„ì˜ ì‹ í˜¸ì¼ ìˆ˜ 있습니다. SELinuxê°€ sandboxë‚´ì— ì—°ê²°ì—서부터 ë„¤íŠ¸ì›Œí¬ í¬íЏ $PORT_NUMBER까지 $SOURCEê°€ ê±°ë¶€ë˜ì—ˆìŠµë‹ˆë‹¤. 만약 $SOURCEê°€ $PORT_NUMBERì—서 ì—°ê²°ì„ í—ˆìš©í•´ì•¼ 한다면, ë‹¹ì‹ ì€ andbox_web_t or sandbox_net_tê°™ì´ ë‹¤ë¥¸ sandbox를 사용해야 합니다. # sandbox -X -t sandbox_net_t $SOURCE 만약 $SOURCEê°€ $PORT_NUMBERì— ì—°ê²°ë˜ì§€ ì•Šì€ ê²ƒìœ¼ë¡œ 추축ë˜ë©´ ì´ê²ƒì€ 침입 시ë„를 알려주는 ì‹ í˜¸ì¼ ìˆ˜ 있습니다. SELinux는 잠재ì ìœ¼ë¡œ 잘못 ë ˆì´ë¸”ëœ íŒŒì¼ $TARGET_PATH로 $SOURCE 액세스하는 ê²ƒì„ ê±°ë¶€í•©ë‹ˆë‹¤. ì´ëŠ” SELinuxê°€ ì´ëŸ¬í•œ 파ì¼ì„ 사용하기 위해 httpd를 허용하지 않는다는 ê²ƒì„ ì˜ë¯¸í•©ë‹ˆë‹¤. httpdê°€ ì´ëŸ¬í•œ 파ì¼ì— ì´ ì•¡ì„¸ìŠ¤ë¥¼ 허용해야 í•  경우 ë‹¤ìŒ ìœ í˜• 중 하나로 íŒŒì¼ ë¬¸ë§¥ì„ ë³€ê²½í•˜ì…”ì•¼ 합니다, %s. ë§Žì€ ì œì‚¼ìž ì‘ìš© í”„ë¡œê·¸ëž¨ì€ SELinux ì •ì±…ì„ ì˜ˆì¸¡í•  수 없는 ë””ë ‰í† ë¦¬ì— html 파ì¼ì„ 설치합니다. ì´ëŸ¬í•œ 디렉토리는 httpdê°€ 액세스할 수 있는 íŒŒì¼ ë¬¸ë§¥ì„ ì‚¬ìš©í•˜ì—¬ ë ˆì´ë¸”ë˜ì–´ì•¼ 합니다. 
SELinux는 í¬íŠ¸ì— ì—°ê²°ëœ SELinux ìœ í˜•ì´ ì—†ëŠ” ë„¤íŠ¸ì›Œí¬ í¬íЏ $PORT_NUMBERì— ë°”ì¸ë”©í•˜ëŠ” 것ì—서 $SOURCE를 거부합니다. $SOURCEê°€ $PORT_NUMBERì—서 수신 허용ë˜ì–´ì•¼ 하는 경우 semanage ëª…ë ¹ì„ ì‚¬ìš©í•˜ì—¬ $SOURCE_TYPEì´ (%s)ì— ë°”ì¸ë”©ë  수 있는 í¬íЏ ìœ í˜•ì— $PORT_NUMBER를 할당합니다. $SOURCEê°€ $PORT_NUMBERì— ë°”ì¸ë”©í•˜ë ¤ 하지 ì•Šì„ ê²½ìš°, ì´ëŠ” 침입 시ë„를 표시할 수 있습니다. SELinux는 $SOURCE ì»¤ë„ ì£¼ì†Œ ê³µê°„ì˜ ë‚®ì€ ì˜ì—­ì„ mmap í•  수있는 능력. 주소 ê³µê°„ì˜ ë‚®ì€ ì˜ì—­ì„ mmap í•  수있는 ëŠ¥ë ¥ì€ / proc / sys / kernel / mmap_min_addrì— ì˜í•´ 설정ë©ë‹ˆë‹¤. ì´ëŸ¬í•œ ë§¤í•‘ì„ ë°©ì§€í•˜ë©´ 커ë„ì—서 null deref ê²°ì ì„ 악용하지 않아ë„ë©ë‹ˆë‹¤. ì´ ì ‘ê·¼ì€ í•„ìš”í•œ 모든 ì‘ìš© 프로그램ì—는 ì •ì±…ì´ ì´ë¯¸ 작성ë˜ì–´ 있어야합니다. ì†ìƒëœ ì‘ìš© í”„ë¡œê·¸ëž¨ì´ ì»¤ë„ì„ ìˆ˜ì •í•˜ë ¤ê³ í•˜ë©´ì´ AVCê°€ ìƒì„±ë©ë‹ˆë‹¤. ì´ê²ƒì€ 심ê°í•œ 문제입니다. ì‹œìŠ¤í…œì´ ì†ìƒ ë  ìˆ˜ 있습니다. SELinux는 $SOURCE_PATHê°€ 잠재ì ìœ¼ë¡œ 잘못 ë ˆì´ë¸”ëœ íŒŒì¼ $TARGET_PATH 를 실행하지 못하게 합니다. ìžë™ 마운트 ë„구를 설정하여 설정 파ì¼ì„ 실행할 수 있으며, $TARGET_PATHê°€ ìžë™ 마운트ë˜ì–´ 설정파ì¼ì„ 실행할 수 ìžˆì„ ê²½ìš° ì´ëŠ” bin_t로 ë ˆì´ë¸”ëœ íŒŒì¼ì„ 가지고 있어야 합니다. ìžë™ 마운트 ë„구가 실행해서는 안ë˜ëŠ” 파ì¼ì„ 실행하려할 경우, ì¹¨ìž…ì„ ì‹œë„했다고 나타날 수 있습니다. SELinuxê°€ http ë°ëª¬ì´ ì „ìžìš°íŽ¸ì„ ë³´ë‚´ëŠ” ê²ƒì„ ê±°ë¶€í–ˆìŠµë‹ˆë‹¤. httpd 스í¬ë¦½íŠ¸ê°€ ì „ìžìš°íޏ í¬íŠ¸ì— ì—°ê²°í•˜ê±°ë‚˜ sendmail ëª…ë ¹ì„ ì‹¤í–‰í•˜ë ¤ê³ í•©ë‹ˆë‹¤. sendmailì— httpd를 설정하지 않으면 침입 시ë„를 알릴 수 있습니다. SELinux는 $SOURCEê°€ ì»¤ë„ ëª¨ë“ˆì„ ë¶ˆëŸ¬ì˜¤ì§€ 못하게 합니다. ì»¤ë„ ëª¨ë“ˆì„ ë¶ˆëŸ¬ì˜¤ê¸° 위해 필요한 ì§€ì •ëœ ëª¨ë“  파ì¼ì—는 해당하는 ì •ì±…ì´ ìžˆì–´ì•¼ 합니다. ì˜í–¥ì„ ë°›ì„ ìˆ˜ 있는 ì‘ìš© í”„ë¡œê·¸ëž¨ì´ ì»¤ë„ì„ ìˆ˜ì •í•˜ë ¤ í•  경우 AVCê°€ ìƒì„±ë˜ì–´ 심ê°í•œ 문제를 ì¼ìœ¼í‚¬ 수 있습니다 ì‹œìŠ¤í…œì´ ì•„ì£¼ 쉽게 ì†ìƒë  수 있습니다. SELinux는 $SOURCEê°€ $TARGETì„ ìˆ˜ì •í•˜ì§€ 못하게 합니다. ì´ëŠ” $SOURCEê°€ selinux ì •ì±… ì„¤ì •ì„ ìˆ˜ì •í•˜ë ¤ 했다고 나타날 수 있습니다. ì´ëŸ¬í•œ ì ‘ê·¼ì´ í•„ìš”í•œ 모든 ì‘ìš© 프로그램ì—는 해당하는 ì •ì±…ì´ ìžˆì–´ì•¼ 합니다. ì˜í–¥ì„ ë°›ì„ ìˆ˜ 있는 ì‘ìš© í”„ë¡œê·¸ëž¨ì´ SELinux ì •ì±…ì„ ìˆ˜ì •í•˜ë ¤ í•  경우 AVCê°€ ìƒì„±ë˜ì–´ 심ê°í•œ 문제를 ì¼ìœ¼í‚¬ 수 있으며 ì‹œìŠ¤í…œì´ ì‰½ê²Œ ì†ìƒë  수 있습니다. 
SELinux는 $SOURCEê°€ $TARGETì„ ìˆ˜ì •í•˜ì§€ 못하게 합니다. ì´ëŠ” $SOURCEê°€ 커ë„ì´ ì‹¤í–‰í•˜ëŠ” ë°©ì‹ì„ 수정하려 했거나 ë˜ëŠ” 커ë„ì— ì½”ë“œë¥¼ 삽입하려 í–ˆìŒì„ 나타냅니다. ì´ëŸ¬í•œ ì ‘ê·¼ì´ í•„ìš”í•œ 모든 ì‘ìš© 프로그램ì—는 해당하는 ì •ì±…ì´ ìžˆì–´ì•¼ 합니다. ì˜í–¥ì„ ë°›ì„ ìˆ˜ 있는 ì‘ìš© í”„ë¡œê·¸ëž¨ì´ ì»¤ë„ì„ ìˆ˜ì •í•˜ë ¤ í•  경우 AVCê°€ ìƒì„±ë˜ì–´ 심ê°í•œ 문제를 ì¼ìœ¼í‚¬ 수 있으며 ì‹œìŠ¤í…œì´ ì‰½ê²Œ ì†ìƒë  수 있습니다. SELinuxê°€ 막았습니다. $SOURCE / sys / fs / selinux ì•„ëž˜ì— íŒŒì¼ì„ 쓰는 것ì—서. / sys / fs / selinux ì•„ëž˜ì˜ íŒŒì¼ì€ SELinuxê°€ êµ¬ì„±ëœ ë°©ì‹ì„ 제어합니다. / sys / fs / selinux 아래ì—있는 파ì¼ì— 쓸 필요가있는 모든 프로그램ì—는 ì´ë¯¸ ì •ì±…ì´ ìž‘ì„±ë˜ì–´ 있어야합니다. ì†ìƒëœ ì‘ìš© í”„ë¡œê·¸ëž¨ì´ SELinux를 ë„ë ¤ê³ í•˜ë©´ì´ AVCê°€ ìƒì„±ë©ë‹ˆë‹¤. ì´ê²ƒì€ 심ê°í•œ 문제입니다. ì‹œìŠ¤í…œì´ ì†ìƒ ë  ìˆ˜ 있습니다. SELinux는 vbetoolì´ ì•ˆì „í•˜ì§€ ì•Šì€ ë©”ëª¨ë¦¬ ìš´ì˜ì„ 수행하지 못하게 합니다. SELinux는 wineì´ ì•ˆì „í•˜ì§€ ì•Šì€ ë©”ëª¨ë¦¬ ìš´ì˜ì„ 실행하지 못하게 합니다. SELinux는 $SOURCEê°€ íŒŒì¼ ì‹œìŠ¤í…œì— ìžˆëŠ” $SOURCE_TYPEì˜ ë¬¸ë§¥ìœ¼ë¡œ 파ì¼ì„ ìƒì„±í•˜ì§€ 못하게 합니다. 주로 ì´ëŠ” "cp -a"ê³¼ ê°™ì´ íŒŒì¼ ì‹œìŠ¤í…œ 사ì´ì—서 복사할 때 íŒŒì¼ ë¬¸ë§¥ì„ ìœ ì§€í•˜ê¸° 위해 cp ëª…ë ¹ì„ ìš”ì²­í•  때 ë°œìƒí•©ë‹ˆë‹¤. 모든 íŒŒì¼ ë¬¸ë§¥ì´ íŒŒì¼ ì‹œìŠ¤í…œ 사ì´ì—서 유지ë˜ì–´ì•¼ í•  필요는 없습니다. 예를 들어, iso9660_t와 ê°™ì´ ì½ê¸° ì „ìš© íŒŒì¼ ìœ í˜•ì€ r/w ì‹œìŠ¤í…œì— ì—†ì–´ë„ ë©ë‹ˆë‹¤. "cp -p"는 기본값 íŒŒì¼ ë¬¸ë§¥ì„ ì±„íƒí•˜ë¯€ë¡œ ì´ë¥¼ 사용하는 ê²ƒì´ ë” ì¢‹ìŠµë‹ˆë‹¤. SELinux는 $TARGET_PATH로 $SOURCE_PATH "$ACCESS" 접근하지 못하게 합니다. SELinux는 $TARGET_PATH로 $SOURCE_PATH "$ACCESS" 접근하지 못하게 합니다. SELinux는 $TARGET_PATH 장치로 $SOURCE_PATH "$ACCESS" 접근하지 못하게 합니다. SELinux는 $TARGET_PATH로 $SOURCE_PATH "$ACCESS"하지 못하게 합니다. SELinux는 ëˆ„ì¶œëœ $TARGET_PATH íŒŒì¼ ì„œìˆ ìžë¡œ $SOURCE_PATH 접근하지 못하게 합니다. SELinux는 $SOURCE_PATHê°€ í¬íЏ $PORT_NUMBER로 연결하지 못하게 합니다. SELinux는 $SOURCEê°€ íž™ ì˜ì—­ì—서 ë©”ëª¨ë¦¬ì˜ ì ‘ê·¼ ë³´ì•ˆì„ ë³€ê²½í•˜ì§€ 못하게 합니다. SELinux는 $SOURCE_PATHê°€ í¬íЏ $PORT_NUMBER로 연결하지 못하게 합니다. SELinux는 $SOURCE_PATHê°€ íŒŒì¼ ì‹œìŠ¤í…œì—서 $SOURCE_TYPEì˜ ë¬¸ë§¥ì„ ì‚¬ìš©í•˜ì—¬ 파ì¼ì„ ìƒì„±í•˜ì§€ 못하게 합니다. 
SELinux는 $SOURCE_PATHê°€ í…스트 재배치가 필요한 $TARGET_PATH를 불러오지 못하게 합니다. SELinux는 $SOURCE_PATHê°€ 프로그램 스íƒì„ 실행 불가능하게 합니다. SELinux는 $SOURCE_PATHì˜ "$ACCESS" ê¸°ëŠ¥ì„ ì°¨ë‹¨í•˜ê³  있습니다. SELinux는 $SOURCE_PATHì˜ "sys_resource" ê¸°ëŠ¥ì„ ìž‘ë™í•˜ì§€ 못하게 합니다. SELinux는 $TARGET_PATH로 Samba ($SOURCE_PATH) "$ACCESS" 접근하지 못하게 합니다. SELinuxê°€ unlabeled_t로 ë ˆì´ë¸”ëœ íŒŒì¼ì— 대한 액세스를 금지하고 있습니다. SELinux는 $TARGET_PATH로 cvs ($SOURCE_PATH) "$ACCESS" 접근하지 못하게 합니다. SELinux는 $SOURCEê°€ 잠재ì ìœ¼ë¡œ ìž˜ëª»ëœ ì´ë¦„표를 íŒŒì¼ $TARGET_PATH를 사용하지 못하게 합니다. SELinux는 http ë°ëª¬ì´ ì „ìžìš°íŽ¸ì„ ì „ì†¡í•˜ì§€ 못하게 합니다. SELinux는 $TARGET_PATH로 xen ($SOURCE_PATH) "$ACCESS" 접근하지 못하게 합니다. unlabeled_t로 ë ˆì´ë¸” ëœ íŒŒì¼ì— 대한 SELinux 권한 검사가 ê±°ë¶€ë˜ì—ˆìŠµë‹ˆë‹¤. unlabeled_t는 SELinux 커ë„ì´ ì´ë¦„표가 없는 파ì¼ì— 제공하는 컨í…스트입니다. ì´ëŠ” 심ê°í•œ ë ˆì´ë¸” 문제를 ë³´ì—¬ì¤ë‹ˆë‹¤. SELinux ìƒìžì˜ ì–´ë–¤ 파ì¼ë„ unlabeled_t로 ì´ë¦„표가 않아야합니다. ì‹œìŠ¤í…œì— ë””ìŠ¤í¬ ë“œë¼ì´ë¸Œë¥¼ 추가 한 경우 restorecon ëª…ë ¹ì„ ì‚¬ìš©í•˜ì—¬ ì´ë¦„표를 다시 지정할 수 있습니다. 예를 들어 SELinux를 사용하지 ì•Šì€ ì´ì „ 설치ì—서 홈 디렉토리를 저장 한 경우 'restorecon -R -v / home'ì€ ì´ë¦„표를 수정합니다. 그렇지 않으면 ì „ì²´ íŒŒì¼ ì‹œìŠ¤í…œì˜ ì´ë¦„표를 다시 지정해야합니다. SELinux ì •ì±…ì€ httpd 스í¬ë¦½íŠ¸ê°€ 공개 ë””ë ‰í† ë¦¬ì— ê¸°ë¡í•˜ì§€ 못하게 합니다. SELinux ì •ì±…ì€ httpd 스í¬ë¦½íŠ¸ê°€ 공개 ë””ë ‰í† ë¦¬ì— ê¸°ë¡í•˜ì§€ 못하게 합니다. 공개 ë””ë ‰í† ë¦¬ì— ê¸°ë¡í•˜ê¸° 위해 httpdê°€ 설정ë˜ì§€ ì•Šì•˜ì„ ê²½ìš°, ì¹¨ìž…ì„ ì‹œë„하였다는 신호가 나타날 수 있습니다. SELinux는 $SOURCEê°€ "$TARGET_TYPE"ìœ í˜•ì˜ íŒŒì¼ ë˜ëŠ” 디렉토리 "$TARGET_PATH"ì— ìžˆëŠ” 파ì¼ì‹œìŠ¤í…œì„ ë§ˆìš´íŠ¸í•˜ì§€ 못하게 합니다. 기본 값으로 SELinux는 ì¼ë¶€ íŒŒì¼ ë˜ëŠ” 디렉토리 (마운트 í¬ì¸íЏ ì†ì„±ì„ 가진 ìœ í˜•ì˜ ë””ë ‰í† ë¦¬)ì— íŒŒì¼ì‹œìŠ¤í…œì„ ë§ˆìš´íŠ¸í•˜ëŠ” ê²ƒì„ ì œí•œí•©ë‹ˆë‹¤. "$TARGET_TYPE" ìœ í˜•ì€ ì´ëŸ¬í•œ ì†ì„±ì„ 가지고 있지 않습니다. íŒŒì¼ ë˜ëŠ” ë””ë ‰í† ë¦¬ì˜ ë ˆì´ë¸”ì„ ë³€ê²½í•˜ì‹¤ 수 있습니다. SELinux는 $SOURCEê°€ íŒŒì¼ ë˜ëŠ” 디렉토리 "$TARGET_PATH" (유형 "$TARGET_TYPE")ì— ì ìž¬í•˜ì§€ 못하게 합니다. SELinux는 $TARGET_PATH로 httpd $ACCESS 액세스하지 못하게 합니다. httpd 스í¬ë¦½íŠ¸ëŠ” 모든 파ì¼ì„ 명확하게 ë ˆì´ë¸”하지 않고 ë¬¸ë§¥ì— ì“°ê¸°ë¥¼ 허용하지 않습니다. 
$TARGET_PATHê°€ 쓰기 가능한 ë¬¸ë§¥ì¼ ê²½ìš°, httpd_sys_rw_content_t로 ë ˆì´ë¸”하거나 ë˜ëŠ” 필요한 모든 ê²ƒì´ ì¶”ê°€ë˜ì–´ ìžˆì„ ê²½ìš° httpd_sys_ra_content_t로 ë ˆì´ë¸” í•  수 있습니다. httpd ë° SELinux ì„¤ì •ì— ëŒ€í•œ 보다 ìžì„¸í•œ ë‚´ìš©ì€ 'man httpd_selinux'ì—서 참조하십시오. SELinuxê°€ httpd를 막았습니다 $ACCESS http 파ì¼ì— 대한 ì ‘ê·¼. ì¼ë°˜ì ìœ¼ë¡œ httpd는 http íŒŒì¼ ì»¨í…스트로 ë ˆì´ë¸” ëœ ëª¨ë“  파ì¼ì— 대한 ì „ì²´ ì ‘ê·¼ì´ í—ˆìš©ë©ë‹ˆë‹¤. ì´ ê¸°ê³„ëŠ” $BOOLEAN모든 파ì¼ì„ 명시 ì ìœ¼ë¡œ ì´ë¦„표를 해야 합니다. 파ì¼ì´ cgi 스í¬ë¦½íЏì´ë©´ ì‹¤í–‰ë  ìˆ˜ 있ë„ë¡ httpd_TYPE_script_exec_t로 ì´ë¦„표ë˜ì–´ì•¼í•©ë‹ˆë‹¤. ì½ê¸° ì „ìš© ë‚´ìš©ì¸ ê²½ìš° httpd_TYPE_content_të¼ëŠ” ì´ë¦„í‘œì´ ìžˆì–´ì•¼í•©ë‹ˆë‹¤. 쓰기 가능한 ë‚´ìš©ì´ë©´ httpd_TYPE_script_rw_t ë˜ëŠ” httpd_TYPE_script_ra_të¼ëŠ” ì´ë¦„표가 있어야합니다. chcon ëª…ë ¹ì„ ì‚¬ìš©í•˜ì—¬ ì´ëŸ¬í•œ ë‚´ìš©ì„ ë³€ê²½ í•  수 있습니다. man 페ì´ì§€ "man httpd_selinux"ë˜ëŠ” ìžì£¼í•˜ëŠ” 질문" TYPE"ì€ "sys", "user"ë˜ëŠ” "staff"ë˜ëŠ” 잠재ì ìœ¼ë¡œ 다른 스í¬ë¦½íЏ 유형 중 하나를 나타냅니다. SELinux는 http 파ì¼ì— httpd $ACCESS 액세스하지 못하게 합니다. SELinux는 ftp ë°ëª¬ì´ CIFS íŒŒì¼ ì‹œìŠ¤í…œì— ì €ìž¥ëœ íŒŒì¼ì— $ACCESS 하지 못하게 합니다. SELinux는 ftp ë°ëª¬ì´ CIFS íŒŒì¼ ì‹œìŠ¤í…œì— ì €ìž¥ëœ íŒŒì¼ì„ $ACCESS하지 못하게 합니다. CIFS (Comment Internet File System)는 SMBê³¼ 유사한 ë„¤íŠ¸ì›Œí¬ íŒŒì¼ ì‹œìŠ¤í…œ 입니다 (http://www.microsoft.com/mind/1196/cifs.asp) ftp ë°ëª¬ì€ ì´ëŸ¬í•œ 유형으로 ë§ˆìš´íŠ¸ëœ íŒŒì¼ ì‹œìŠ¤í…œì—서 하나 ì´ìƒì˜ íŒŒì¼ ë˜ëŠ” 디렉토리를 ì½ì–´ì˜¤ëŠ” ê²ƒì„ ì‹œë„합니다. CIFS íŒŒì¼ ì‹œìŠ¤í…œì´ ì •êµí•˜ê²Œ SELinux ë ˆì´ë¸”하는 ê²ƒì„ ì§€ì›í•˜ì§€ 않ìŒìœ¼ë¡œì„œ íŒŒì¼ ì‹œìŠ¤í…œì— ìžˆëŠ” 모든 íŒŒì¼ ë° ë””ë ‰í† ë¦¬ëŠ” ë™ì¼í•œ 보안 ë¬¸ë§¥ì„ ê°–ê²Œ ë©ë‹ˆë‹¤. CIFS íŒŒì¼ ì‹œìŠ¤í…œì—서 파ì¼ì„ ì½ì–´ì˜¤ê¸° 위해 ftp ë°ëª¬ì„ 설정하지 ì•Šì€ ê²½ìš° ì´ëŸ¬í•œ 액세스를 시ë„하면 침입 ì‹œë„ ì‹ í˜¸ê°€ 나타날 수 있습니다. SELinux는 ftp ë°ëª¬ì´ NFS íŒŒì¼ ì‹œìŠ¤í…œì— ì§€ì •ëœ íŒŒì¼ì„ $ACCESS하지 못하게 합니다. SELinux는 ftp ë°ëª¬ì´ NFS íŒŒì¼ ì‹œìŠ¤í…œì— ì €ìž¥ëœ íŒŒì¼ì„ $ACCESS하지 못하게 합니다. NFS (Network Filesystem)는 유닉스/리눅스ìƒì—서 주로 사용ë˜ëŠ” ë„¤íŠ¸ì›Œí¬ íŒŒì¼ ì‹œìŠ¤í…œìž…ë‹ˆë‹¤. 
ftp ë°ëª¬ì€ ì´ëŸ¬í•œ 유형으로 ë§ˆìš´íŠ¸ëœ íŒŒì¼ ì‹œìŠ¤í…œì—서 하나 ì´ìƒì˜ íŒŒì¼ ë˜ëŠ” 디렉토리 ì½ì–´ì˜¤ê¸°ë¥¼ 시ë„합니다. NFS íŒŒì¼ ì‹œìŠ¤í…œì´ ì •êµí•˜ê²Œ SELinux ë ˆì´ë¸”하는 ê²ƒì„ ì§€ì›í•˜ì§€ 않ìŒìœ¼ë¡œì„œ íŒŒì¼ ì‹œìŠ¤í…œì— ìžˆëŠ” 모든 íŒŒì¼ ë° ë””ë ‰í† ë¦¬ëŠ” ë™ì¼í•œ 보안 ë¬¸ë§¥ì„ ê°–ê²Œ ë©ë‹ˆë‹¤. NFS íŒŒì¼ ì‹œìŠ¤í…œì—서 파ì¼ì„ ì½ì–´ì˜¤ê¸° 위해 ftp ë°ëª¬ì„ 설정하지 ì•Šì€ ê²½ìš° ì´ëŸ¬í•œ 액세스를 시ë„í–ˆì„ ë•Œ 침입 ì‹œë„ ì‹ í˜¸ê°€ 나타날 수 있습니다. ì¼ë¶€ 경우 ë¼ì´ë¸ŒëŸ¬ë¦¬ê°€ 실수로 execstack 플래그로 í‘œì‹œë  ìˆ˜ 있습니다, ì´ í”Œëž˜ê·¸ë¡œ í‘œì‹œëœ ë¼ì´ë¸ŒëŸ¬ë¦¬ë¥¼ 발견한 경우 execstack -c LIBRARY_PATH를 사용하여 ì´ë¥¼ 삭제할 수 있습니다. ê·¸ 후 애플리케ì´ì…˜ì„ 다시 시ë„합니다. 애플리케ì´ì…˜ì´ 계ì†í•˜ì—¬ ìž‘ë™í•˜ì§€ ì•Šì„ ê²½ìš°, execstack -s LIBRARY_PATH를 사용하여 플래그를 ë˜ëŒë¦´ 수 있습니다. $SOURCE ì‘ìš© í”„ë¡œê·¸ëž¨ì€ íž™ ì˜ì—­(예, mallocì„ ì‚¬ìš©í•œ 할당)ì—서 ë©”ëª¨ë¦¬ì˜ ì ‘ê·¼ë³´ì•ˆ ë³€ê²½ì„ ì‹œë„합니다. 잠재ì ìœ¼ë¡œ 보안 문제가 ë°œìƒí•  수 있습니다. ì‘ìš© í”„ë¡œê·¸ëž¨ì€ ì´ë¥¼ 실행해서는 안ë©ë‹ˆë‹¤. 때때로 ì‘ìš© í”„ë¡œê·¸ëž¨ì´ ìž˜ëª» 코드ë˜ì–´ ì´ëŸ¬í•œ ê¶Œí•œì„ ìš”ì²­í•©ë‹ˆë‹¤. SELinux 메모리 보안 테스트 웹 페ì´ì§€ì—서 ì´ëŸ¬í•œ 요구 ì‚¬í•­ì„ ì–´ë–»ê²Œ 삭제하는 ì§€ì— ëŒ€í•˜ì—¬ 설명합니다. $SOURCE ê°€ ìž‘ë™í•˜ì§€ ì•Šì„ ê²½ìš°, ì´ë¥¼ ìž‘ë™ì‹œí‚¤ì‹œë ¤ë©´, ì‘ìš© í”„ë¡œê·¸ëž¨ì´ ìž‘ë™í•  때 까지 ì´ëŸ¬í•œ 액세스를 허용하기 위해 임시ì ìœ¼ë¡œ SELinux를 설정하실 수 있습니다. ì´ëŸ¬í•œ ê¾¸ëŸ¬ë¯¸ì— ëŒ€í•´ ê²°ì ë³´ê³ ì„œë¥¼ 제출해 주시기 ë°”ëžë‹ˆë‹¤. ê·¸ë§Œí¼ $SOURCE ì‘ìš© 프로그램ì„로드하려고했습니다. $TARGETí…스트 재배치가 필요한 _PATH. ì´ëŠ” ìž ìž¬ì  ì¸ ë³´ì•ˆ 문제입니다. ëŒ€ë¶€ë¶„ì˜ ë„서관ì—ëŠ”ì´ í—ˆê°€ê°€ 필요하지 않습니다. ë¼ì´ë¸ŒëŸ¬ë¦¬ê°€ 잘못 코딩ë˜ëŠ” 경우가 ìžˆìœ¼ë©°ì´ ê¶Œí•œì„ ìš”ì²­í•˜ì‹­ì‹œì˜¤. ê·¸ë§Œí¼ SELinux 메모리 보호 테스트 웹 페ì´ì§€ëŠ”ì´ ìš”êµ¬ ì‚¬í•­ì„ ì œê±°í•˜ëŠ” ë°©ë²•ì„ ì„¤ëª…í•©ë‹ˆë‹¤. SELinux를 ì¼ì‹œì ìœ¼ë¡œ 허용하ë„ë¡ êµ¬ì„± í•  수 있습니다. $TARGET_PATH는 ë¼ì´ë¸ŒëŸ¬ë¦¬ê°€ 수정 ë  ë•Œê¹Œì§€ 재배치를 임시 해결책으로 사용합니다. 버그 보고서를 제출하십시오. ê·¸ë§Œí¼ $SOURCE ì‘ìš© í”„ë¡œê·¸ëž¨ì„ ì ìž¬í•˜ë ¤ 했습니다. $TARGET í…스트 재배치가 필요한 _PATH. ì´ëŠ” 잠재ì ì¸ 보안문제입니다. ëŒ€ë¶€ë¶„ì˜ ë¼ì´ë¸ŒëŸ¬ë¦¬ì—는 ì´í—ˆê°€ê°€ 필요하지 않습니다. ê·¸ë§Œí¼ SELinux 메모리보호 시험웹 페ì´ì§€ì—ì„œì´ ì ê²€ì„ 설명합니다. 
ì´ ë„구는 ë¼ì´ë¸ŒëŸ¬ë¦¬ë¥¼ 검사하여 올바르게 구성(built) ëœ ê²ƒì²˜ëŸ¼ 보입니다. 그래서 setroubleshootëŠ”ì´ ì‘ìš©í”„ë¡œê·¸ëž¨ì´ ì†ìƒ ë˜ì—ˆëŠ”ì§€ 여부를 íŒë‹¨ í•  수 없습니다. ì´ê²ƒì€ 심ê°í•œ 문제 ì¼ ìˆ˜ 있습니다. ì‹œìŠ¤í…œì´ ì†ìƒ ë  ìˆ˜ 있습니다. 보안 관리ìžì—게 문ì˜í•˜ì—¬ ì´ ë¬¸ì œì ì„ 보고하십시오. $SOURCE ì‘ìš© í”„ë¡œê·¸ëž¨ì€ ìŠ¤íƒì„ 실행가능하게 합니다. ì´ë¡œ ì¸í•´ ìž ìž¬ì  ë³´ì•ˆ 문제가 ë°œìƒí•  수 있습니다. ì´ëŠ” 절대 필요하지 ì•Šì€ ì‚¬í•­ìž…ë‹ˆë‹¤. 최근 ìŠ¤íƒ ë©”ëª¨ë¦¬ëŠ” ëŒ€ë¶€ë¶„ì˜ OSì—서 실행가능하지 않으며 ì´ëŠ” 변경ë˜ì§€ ì•Šì„ ê²ƒìž…ë‹ˆë‹¤. 실행 가능한 ìŠ¤íƒ ë©”ëª¨ë¦¬ëŠ” 가장 심ê°í•œ 보안 문제 중 하나입니다. 사실 execstack 오류는 악성 ì½”ë“œì— ì˜í•´ 가장 ë§Žì´ ì œê¸°ë˜ëŠ” 문제입니다. 때때로 ì‘ìš© í”„ë¡œê·¸ëž¨ì´ ìž˜ëª» 코드ë˜ì–´ ì´ëŸ¬í•œ ê¶Œí•œì„ ìš”ì²­í•©ë‹ˆë‹¤. SELinux 메모리 보안 테스트 웹 페ì´ì§€ì—서 ì´ëŸ¬í•œ ìš”ì²­ì„ ì‚­ì œí•˜ëŠ” ë°©ë²•ì„ ì„¤ëª…í•©ë‹ˆë‹¤. $SOURCEê°€ 제대로 ìž‘ë™í•˜ì§€ ì•Šì„ ê²½ìš° ì‘ìš© í”„ë¡œê·¸ëž¨ì´ ìˆ˜ì •ë  ë•Œ 까지 ì´ëŸ¬í•œ 액세스를 허용하기 위해 SELinux를 임시로 설정할 수 있습니다. ì´ ê¾¸ëŸ¬ë¯¸ì— ëŒ€í•œ ê²°ì  ë³´ê³ ì„œë¥¼ 제출해 주시기 ë°”ëžë‹ˆë‹¤. "cp -p"와 ê°™ì€ ëª…ë ¹ì„ ì‚¬ìš©í•˜ì—¬ SELinux ë¬¸ë§¥ì„ ì œì™¸í•œ 모든 ê¶Œí•œì„ ë³´ì¡´í•©ë‹ˆë‹¤. chcon -R -t cvs_data_t ' $TARGET_PATH'를 실행하여 íŒŒì¼ ë‚´ìš©ì„ ë³€ê²½í•  수 있습니다. ì „ì²´ relabelì—ì„œë„ íŒŒì¼ì„ 보존하려면 ì‹œìŠ¤í…œì˜ ê¸°ë³¸ íŒŒì¼ ë‚´ìš©ì„ íŒŒì¼ì„ 변경해야합니다. "semanage fcontext -a -t cvs_data_t '$FIX_TARGET_PATH ' " chcon -R -t rsync_data_t '$TARGET_PATH'를 실행하여 íŒŒì¼ ë¬¸ë§¥ì„ ë³€ê²½í•  수 있습니다 ì „ì²´ ì´ë¦„표 변경 시 ì´ë¥¼ 보존하기 위해 ì‹œìŠ¤í…œì˜ ê¸°ë³¸ê°’ íŒŒì¼ ë¬¸ë§¥ 파ì¼ì„ 변경해야 합니다. "semanage fcontext -a -t rsync_data_t '$FIX_TARGET_PATH'" chcon -R -t samba_share_t '$TARGET_PATH'를 실행하여 íŒŒì¼ ë¬¸ë§¥ì„ ë³€ê²½í•  수 있습니다 ì „ì²´ ë ˆì´ë¸” 변경 시 ì´ë¥¼ 보존하기 위해 ì‹œìŠ¤í…œì˜ ê¸°ë³¸ê°’ íŒŒì¼ ë¬¸ë§¥ 파ì¼ì„ 변경해야 합니다. "semanage fcontext -a -t samba_share_t 'FIX_$TARGET_PATH'" chcon -t public_content_t '$TARGET_PATH'를 실행하여 íŒŒì¼ ë¬¸ë§¥ì„ ë³€ê²½í•  수 있습니다 ì „ì²´ ë ˆì´ë¸” 변경 시 ì´ë¥¼ 보존하기 위해 ì‹œìŠ¤í…œì˜ ê¸°ë³¸ê°’ íŒŒì¼ ë¬¸ë§¥ 파ì¼ì„ 변경해야 합니다. 
"semanage fcontext -a -t public_content_t '$FIX_TARGET_PATH'" chcon -t swapfile_t '$TARGET_PATH'를 실행하여 íŒŒì¼ ë¬¸ë§¥ì„ ë³€ê²½í•  수 있습니다 ì „ì²´ ë ˆì´ë¸” 변경 시 ì´ë¥¼ 보존하기 위해 ì‹œìŠ¤í…œì˜ ê¸°ë³¸ê°’ íŒŒì¼ ë¬¸ë§¥ 파ì¼ì„ 변경해야 합니다. "semanage fcontext -a -t swapfile_t '$FIX_TARGET_PATH'" chcon -t virt_image_t '$TARGET_PATH'를 실행하여 íŒŒì¼ ë¬¸ë§¥ì„ ë³€ê²½í•  수 있습니다 ì „ì²´ ë ˆì´ë¸” 변경 시 ì´ë¥¼ 보존하기 위해 ì‹œìŠ¤í…œì˜ ê¸°ë³¸ê°’ íŒŒì¼ ë¬¸ë§¥ 파ì¼ì„ 변경해야 합니다. "semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH'" chcon -t xen_image_t '$TARGET_PATH'를 실행하여 íŒŒì¼ ë¬¸ë§¥ì„ ë³€ê²½í•  수 있습니다. ì „ì²´ ì´ë¦„표 변경 시 ì´ë¥¼ 보존하기 위해 ì‹œìŠ¤í…œì˜ ê¸°ë³¸ê°’ íŒŒì¼ ë¬¸ë§¥ 파ì¼ì„ 변경해야 합니다. "semanage fcontext -a -t xen_image_t '$FIX_TARGET_PATH'" 컴퓨터 ì‹œìŠ¤í…œì— ë ˆì´ë¸”하기 위하여 root 계정으로 ë‹¤ìŒ ëª…ë ¹ì„ ì‚¬ìš©í•˜ì—¬ 실행할 수 있습니다: "touch /.autorelabel; reboot" ì´ëŸ¬í•œ 접근를 허용하기 위해 로컬 ì •ì±… ëª¨ë“ˆì„ ìƒì„±í•  수 있습니다 ì ‘ê·¼ - 참고 FAQ ì´ëŸ¬í•œ ê²°ì  ë³´ê³ ë¥¼ 파ì¼ë¡œ 해주세요. ì´ëŸ¬í•œ ì ‘ê·¼ì„ í—ˆìš©í•˜ê¸° 위해 로컬 ì •ì±… ëª¨ë“ˆì„ ìƒì„± í•  수 있습니다 - FAQ를 참조하십시오. restorecon ëª…ë ¹ì„ ì‹¤í–‰í•˜ì—¬ 기본 시스템 컨í…스트를 ì´ íŒŒì¼ë¡œ ë³µì› í•  수 있습니다. # restorecon -R /root/.ssh rstorecon ëª…ë ¹ì„ ì‹¤í–‰í•˜ì—¬ 기본 시스템 컨í…ìŠ¤íŠ¸ë¥¼ì´ íŒŒì¼ë¡œ ë³µì› í•  수 있습니다. # restorecon -R /root/.ssh restorecon ëª…ë ¹ì„ ì‹¤í–‰í•˜ì—¬ ì´ íŒŒì¼ì— 기본값 시스템 ë¬¸ë§¥ì„ ë³µêµ¬í•  수 있습니다. restorecon '$SOURCE_PATH'. restorecon ëª…ë ¹ì„ ì‹¤í–‰í•˜ì—¬ ì´ íŒŒì¼ì— 기본값 시스템 ë¬¸ë§¥ì„ ë³µêµ¬í•  수 있습니다. restorecon '$TARGET_PATH', ì´ íŒŒì¼ì´ ë””ë ‰í† ë¦¬ì¼ ê²½ìš°, restorecon -R '$TARGET_PATH'를 사용하여 재귀ì ìœ¼ë¡œ 복구할 수 있습니다. ë‹¹ì‹ ì˜ ì‹œìŠ¤í…œì´ ì‹¬ê°í•˜ê²Œ ì†ìƒë  수 있습니다! ì‹œìŠ¤í…œì´ ì‹¬ê°í•˜ê²Œ ì†ìƒë  수 있습니다! $SOURCE_PATH는 ìš©ëŸ‰ì´ ì ì€ ì»¤ë„ ë©”ëª¨ë¦¬ë¥¼ mmap하려 합니다. ì‹œìŠ¤í…œì´ ì‹¬ê°í•˜ê²Œ ì†ìƒë  수 있습니다! $SOURCE_PATHê°€ ì»¤ë„ ëª¨ë“ˆì„ ë¶ˆëŸ¬ì˜¤ë ¤ 합니다. ì‹œìŠ¤í…œì´ ì‹¬ê°í•˜ê²Œ ì†ìƒë  수 있습니다! $SOURCE_PATHê°€ SELinux 강제를 변경하려 합니다. ì‹œìŠ¤í…œì´ ì‹¬ê°í•˜ê²Œ ì†ìƒë  수 있습니다! $SOURCE_PATHê°€ ì»¤ë„ ì„¤ì •ì„ ë³€ê²½í•˜ë ¤ 합니다. IPV6를 올바르게 비활성화합니다. 
Either remove the mozplugger package by running 'yum remove mozplugger' or turn off SELinux enforcement over the Firefox plugins. setsebool -P unconfined_mozilla_plugin_transition 0
Either remove the mozplugger or spice-xpi package by running 'yum remove mozplugger spice-xpi' or turn off SELinux enforcement over the Firefox plugins. setsebool -P unconfined_mozilla_plugin_transition 0
Either remove the mozplugger or spice-xpi package by running 'yum remove mozplugger spice-xpi' or turn off SELinux enforcement over the Chrome plugins. setsebool -P unconfined_chrome_sandbox_transition 0
If you decide to keep running the program in question, you will need to allow this operation. You can do this by running the following on the command line: # setsebool -P mmap_low_allowed 1
SELinux denied an operation requested by $SOURCE, a program used to alter video hardware state. Like a number of illegitimate/malicious programs that masquerade as vbetool, this program is known to operate unsafely on system memory. This tool is used to reset the video state when the computer resumes from a suspended state. If your computer does not resume properly, allowing this operation is the only option, and it reduces system security against malicious programs.
SELinux denied an operation requested by wine-preloader, a program used to run Windows applications under Linux. Like a number of illegitimate/malicious programs that masquerade as wine, this program is known to use an unsafe operation on system memory. If you intend to run Windows applications, allowing this operation is the only option, and it reduces system security against malicious programs. Alternatively, refrain from running Windows applications under Linux. If you do not intend to run Windows applications, this indicates that you are being attacked by a malicious program attempting to break into your system. Please refer to the following site: http://wiki.winehq.org/PreloaderPageZeroProblem This site describes the other problems wine can encounter due to its unsafe use of memory, and how to resolve them.
완전 ê°ì‹œë¥¼ 활성화합니다 # auditctl -w /etc/shadow -p w AVC 재ìƒì„±ì„ 시ë„합니다. ê·¸ 후 다ìŒì„ 실행합니다 # ausearch -m avc -ts recent 경로(PATH) 기ë¡ì´ ë³´ì´ë©´ 파ì¼ì˜ 소유권/ê¶Œí•œì„ í™•ì¸ í›„ ì´ë¥¼ 수정하고, ë³´ì´ì§€ 않으면 버그질ë¼ì— 보고합니다. %sì— íŒŒì¼ ìœ í˜•ì´ ì•„ë‹Œ ìœ í˜•ì„ ë°°ì¹˜ 시ë„했습니다. ì´ëŠ” 허용ë˜ì§€ 않으므로, íŒŒì¼ ìœ í˜•ì„ ì§€ì •í•´ì•¼ 합니다. seinfo ëª…ë ¹ì„ ì‚¬ìš©í•˜ì—¬ 모든 íŒŒì¼ ìœ í˜•ì„ ë‚˜ì—´í•  수 있습니다. seinfo -afile_type -x "$BOOLEAN" ë° "$WRITE_BOOLEAN" ë¶€ìš¸ì„ true로 변경하는 ê²ƒì€ ì´ëŸ¬í•œ 액세스를 허용하게 ë©ë‹ˆë‹¤: "setsebool -P $BOOLEAN=1 $WRITE_BOOLEAN=1". 경고: "$WRITE_BOOLEAN" ë¶€ìš¸ì„ true로 설정하는 ê²ƒì€ ftp ë°ëª¬ì´ 모든 공개 ë‚´ìš© (public_content_t 유형으로 ëœ íŒŒì¼ ë° ë””ë ‰í† ë¦¬)ì— ì“°ëŠ” ê²ƒì„ í—ˆìš©í•˜ë©° CIFS íŒŒì¼ ì‹œìŠ¤í…œì— ìžˆëŠ” íŒŒì¼ ë° ë””ë ‰í† ë¦¬ì— ì“°ëŠ” ê²ƒë„ í—ˆìš©í•©ë‹ˆë‹¤. "allow_ftpd_use_nfs"ë° "ftpd_anon_write"booleanì„ true로 변경하면 "setsebool -P allow_ftpd_use_nfs = 1 ftpd_anon_write = 1"액세스가 허용ë©ë‹ˆë‹¤. 경고 : "ftpd_anon_write"ë¶€ìš¸ì„ true로 설정하면 ftp ë°ëª¬ì´ NFS íŒŒì¼ ì‹œìŠ¤í…œì˜ íŒŒì¼ ë° ë””ë ‰í† ë¦¬ì— ê¸°ë¡í•˜ëŠ” 것 외ì—ë„ ëª¨ë“  공용 컨í…츠 (public_content_t ìœ í˜•ì˜ íŒŒì¼ ë° ë””ë ‰í† ë¦¬)ì— ì“¸ 수 있습니다. # ausearch -x $SOURCE_PATH --raw | audit2allow -D -M my-$SOURCE # semodule -X 300 -i my-$SOURCE.pp# semanage fcontext -a -t FILE_TYPE '$FIX_TARGET_PATH' 여기서 파ì¼_ìœ í˜•ì€ ë‹¤ìŒ ì¤‘ 하나입니다.: %s. 
Then run: restorecon -v '$FIX_TARGET_PATH'
# semanage fcontext -a -t SIMILAR_TYPE '$FIX_TARGET_PATH' # restorecon -v '$FIX_TARGET_PATH'
# semanage fcontext -a -t samba_share_t '$FIX_TARGET_PATH%s' # restorecon %s -v '$FIX_TARGET_PATH'
# semanage fcontext -a -t virt_image_t '$FIX_TARGET_PATH' # restorecon -v '$FIX_TARGET_PATH'
# semanage port -a -t %s -p %s $PORT_NUMBER
# semanage port -a -t PORT_TYPE -p %s $PORT_NUMBER where PORT_TYPE is one of the following: %s.
A process may be attempting to hack into your system.
Add net.ipv6.conf.all.disable_ipv6 = 1 to /etc/sysctl.conf
Allow this access for now by running: # ausearch -c '$SOURCE' --raw | audit2allow -M my-$MODULE_NAME # semodule -X 300 -i my-$MODULE_NAME.pp
Change the file context.
Change label
Change the label on the library.
Change the file label to xen_image_t.
Contact your security administrator and report this problem.
Disable SELinux controls on Chrome plugins
Enable booleans
Enable booleans.
If $TARGET_BASE_PATH is a virtualization target
If $TARGET_BASE_PATH should be shared via the RSYNC daemon
If $TARGET_BASE_PATH should be shared via the cvs daemon
If you believe $SOURCE_BASE_PATH should be allowed to create $TARGET_BASE_PATH files
If you believe $SOURCE_PATH tried to disable SELinux.
If you believe that %s should not require execstack
If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on $TARGET_CLASS labeled $TARGET_TYPE by default.
If you believe that $SOURCE_BASE_PATH should be allowed $ACCESS access on processes labeled $TARGET_TYPE by default.
If you believe that $SOURCE_BASE_PATH should be allowed
$ACCESS access on the $TARGET_BASE_PATH $TARGET_CLASS by default.
If you believe that $SOURCE_BASE_PATH should have the $ACCESS capability by default.
If you did not directly cause this AVC through testing.
If you do not believe that $SOURCE_PATH should be attempting to modify the kernel by loading a kernel module.
If you do not believe that your $SOURCE_PATH should be modifying the kernel by loading kernel modules
If you do not think $SOURCE_BASE_PATH should try $ACCESS access on $TARGET_BASE_PATH.
If you do not think $SOURCE_PATH should need to map heap memory that is both writable and executable.
If you do not think $SOURCE_PATH should need to map stack memory that is both writable and executable.
If you do not think $SOURCE_PATH should need to mmap low memory in the kernel.
If you do not want processes to require capabilities to use up all the system resources on your system;
If you think this is caused by a badly mislabeled machine.
If you want to %s
If you want to allow $SOURCE_BASE_PATH to mount on $TARGET_BASE_PATH.
If you want to allow $SOURCE_PATH to be able to write to shared public content
If you want to allow $SOURCE_PATH to bind to network port $PORT_NUMBER
If you want to allow $SOURCE_PATH to connect to network port $PORT_NUMBER
If you want to allow ftpd to write to cifs file systems
If you want to allow ftpd to write to nfs file systems
If you want to allow httpd to execute cgi scripts and to unify HTTPD handling of all content files.
If you want to allow httpd to send mail
If you want to change the label of $TARGET_PATH to %s, you are not allowed to, since it is not a valid file type.
If you want to disable IPV6 on this machine
If you want to fix the label. The $SOURCE_PATH default label should be %s.
If you want to fix the label. The $TARGET_PATH default label should be
%s.
If you want to help identify whether the domain needs this access or you have a file with the wrong permissions on your system
If you want to ignore $SOURCE_BASE_PATH trying to $ACCESS access the $TARGET_BASE_PATH $TARGET_CLASS, because you believe it should not need this access.
If you want to ignore this AVC because it is dangerous and your machine seems to be working correctly.
If you want to ignore this AVC because it is dangerous and your wine applications are working correctly.
If you want to modify the label on $TARGET_BASE_PATH so that $SOURCE_BASE_PATH can have $ACCESS access on it
If you want to mv $TARGET_BASE_PATH to the standard location so that $SOURCE_BASE_PATH can have $ACCESS access
If you want to continue using SELinux Firefox plugin containment rather than using the mozplugger package
If you want to treat $TARGET_BASE_PATH as public content
If you want to use the %s package
Relabel the whole file system. Includes reboot!
Restore Context
Restore Context
SELinux is preventing $SOURCE_PATH "$ACCESS" access.
Set the image label to virt_image_t.
This is caused by a newly created file system.
Fix the label.
Turn off memory protection
You can read the '%s' man page for more details.
You may be being hacked.
You must tell SELinux about this by enabling the '%s' boolean.
You need to change the label on $FIX_TARGET_PATH
You need to change the label on $TARGET_BASE_PATH
You need to change the label on $TARGET_BASE_PATH to public_content_t or public_content_rw_t.
You need to change the label on $TARGET_BASE_PATH'
You need to change the label on $TARGET_PATH to the type of a similar device.
You need to change the label on '$FIX_TARGET_PATH'
You should report this as a bug. You can generate a local policy module to allow this access.
You should report this as a bug. You can generate a local policy module so that this access is not audited.
execstack -c %s
If you think that you might have been hacked
setsebool -P %s %s
Turn on full auditing to get path information about the offending file and the recurring error.
Use a command like "cp -p" to preserve all permissions except the SELinux context.
You can run restorecon.
You can run restorecon.
The access attempt may have been stopped because of insufficient permissions to access a parent directory. In that case, change the following command accordingly.
You may be under attack by a hacker, since confined applications should not need this access.
You may be under attack by a hacker, since confined applications should never need this access.
You may be under attack by a hacker; this is a very dangerous access.
You must change the label on $TARGET_PATH.
You must fix the labels.
You must move the cert file to the ~/.cert directory
You must pick a valid file label.
You must remove the mozplugger package.
You must set up SELinux to allow this
You must tell SELinux about this
You must tell SELinux about this by enabling the 'httpd_unified' and 'http_enable_cgi' booleans
You must tell SELinux about this by enabling the vbetool_mmap_zero_ignore boolean.
You must tell SELinux about this by enabling the wine_mmap_zero_ignore boolean.
You must turn off SELinux controls on the Chrome plugins.
You must turn off SELinux controls on the Firefox plugins.
You need to add a label.
You need to change the label on $TARGET_PATH to public_content_rw_t, and enable the allow_httpd_sys_script_anon_write boolean.
You need to diagnose why your system is running out of system resources and fix the problem. According to /usr/include/linux/capability.h, sys_resource is required to: /* Override resource limits. Set resource limits. */ /* Override quota limits. */ /* Modify data journaling mode on ext2 filesystem (uses journaling resources) */ /* NOTE: ext2 honors fsuid when checking for resource overrides, so you can override using fsuid too. */ /* Override size restrictions on IPC message queues */ /* Allow more than 64hz interrupts from the real-time clock */ /* Override max number of consoles on console allocation */ /* Override max number of keymaps */
You need to fully relabel.
You need to modify the sandbox type. sandbox_web_t or sandbox_net_t. For example: sandbox -X -t sandbox_net_t $SOURCE_PATH Please read the 'sandbox' man page for more details.
You need to report a bug. This is a potentially dangerous access.
You need to report a bug. This is a potentially dangerous access.
You need to set /proc/sys/net/ipv6/conf/all/disable_ipv6 to 1 and not blacklist the module
You need to use a different command.
You are not allowed to preserve the SELinux context on the target file system.
You should clear the execstack flag and check whether $SOURCE_PATH works correctly. Report this as a bug on %s. You can clear the execstack flag by running: