主页 / server / 问题 / 760322
Accepted
a coder
Asked: 2016-02-29 05:23:56 +0800 CST

允许 httpd 在 /usr/bin/ 中运行 bash 脚本

  • 772

将系统从 CentOS6 迁移到 RHEL7,SELinux 运行 Enforced。php脚本调用以在/usr/bin/processdata.sh幕后生成一些数据。这在旧系统上运行良好,但在execSELinux 设置为启用时 php 调用阻塞。

这是 sh 权限

-rwxrwx--x. root root unconfined_u:object_r:bin_t:s0   /usr/bin/process_data.sh

在调用 php 页面的同时会看到此审计错误:

ausearch -l -i | grep httpd

type=SYSCALL msg=audit(02/27/2016 14:07:52.662:23480) : arch=x86_64 syscall=socket success=no exit=-97(Address family not supported by protocol) a0=inet6 a1=SOCK_DGRAM a2= ip a3=0x672e76656473626e items=0 ppid=15686 pid=3852 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm= httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) type=AVC msg=audit(02/27/2016 14:07:52.662:23480) : avc: denied { module_request }对于 pid=3852 comm=httpd kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

这是我当前的 httpd 布尔值:

httpd_can_network_relay        (off  ,  off)  Allow httpd to can network relay
httpd_can_connect_mythtv       (off  ,  off)  Allow httpd to can connect mythtv
httpd_can_network_connect_db   (off  ,  off)  Allow httpd to can network connect db
httpd_use_gpg                  (off  ,  off)  Allow httpd to use gpg
httpd_dbus_sssd                (off  ,  off)  Allow httpd to dbus sssd
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
httpd_verify_dns               (off  ,  off)  Allow httpd to verify dns
httpd_dontaudit_search_dirs    (off  ,  off)  Allow httpd to dontaudit search dirs
httpd_anon_write               (off  ,  off)  Allow httpd to anon write
httpd_use_cifs                 (off  ,  off)  Allow httpd to use cifs
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
httpd_unified                  (off  ,  off)  Allow httpd to unified
httpd_mod_auth_pam             (off  ,  off)  Allow httpd to mod auth pam
httpd_run_stickshift           (off  ,  off)  Allow httpd to run stickshift
httpd_use_fusefs               (off  ,  off)  Allow httpd to use fusefs
httpd_can_connect_ldap         (off  ,  off)  Allow httpd to can connect ldap
httpd_can_network_connect      (on   ,   on)  Allow httpd to can network connect
httpd_mod_auth_ntlm_winbind    (off  ,  off)  Allow httpd to mod auth ntlm winbind
httpd_tty_comm                 (off  ,  off)  Allow httpd to tty comm
httpd_sys_script_anon_write    (off  ,  off)  Allow httpd to sys script anon write
httpd_graceful_shutdown        (on   ,   on)  Allow httpd to graceful shutdown
httpd_can_connect_ftp          (off  ,  off)  Allow httpd to can connect ftp
httpd_run_ipa                  (off  ,  off)  Allow httpd to run ipa
httpd_read_user_content        (off  ,  off)  Allow httpd to read user content
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs
httpd_can_connect_zabbix       (off  ,  off)  Allow httpd to can connect zabbix
httpd_tmp_exec                 (off  ,  off)  Allow httpd to tmp exec
httpd_run_preupgrade           (off  ,  off)  Allow httpd to run preupgrade
httpd_manage_ipa               (off  ,  off)  Allow httpd to manage ipa
httpd_can_sendmail             (on   ,   on)  Allow httpd to can sendmail
httpd_builtin_scripting        (on   ,   on)  Allow httpd to builtin scripting
httpd_dbus_avahi               (off  ,  off)  Allow httpd to dbus avahi
httpd_can_check_spam           (off  ,  off)  Allow httpd to can check spam
httpd_can_network_memcache     (off  ,  off)  Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off  ,  off)  Allow httpd to can network connect cobbler
httpd_use_sasl                 (off  ,  off)  Allow httpd to use sasl
httpd_serve_cobbler_files      (off  ,  off)  Allow httpd to serve cobbler files
httpd_execmem                  (off  ,  off)  Allow httpd to execmem
httpd_ssi_exec                 (off  ,  off)  Allow httpd to ssi exec
httpd_use_openstack            (off  ,  off)  Allow httpd to use openstack
httpd_enable_ftp_server        (off  ,  off)  Allow httpd to enable ftp server
httpd_setrlimit                (off  ,  off)  Allow httpd to setrlimit

我的 selinux 配置中有什么我没有看到的东西吗?

permissions

2 个回答

  1. Best Answer

    我的 selinux 配置中有什么我没有看到的东西吗?

    您向我们展示的 SELinux 配置看起来很“正常”,但这并不是说它不需要调整以满足您的特定工作负载。

    我在这里要做的是将 SELinux 置于许可模式(setenforce 0),然后使 auditd 启动一个新的日志文件(kill -USR1< PID of auditd >。然后继续您的正常业务。SELinux 将生成消息以供以后分析。

    当您在许可模式下运行“一段时间”后,您可以使用标准工具来调查 SELinux 消息。

    audit2why实用程序可以阐明记录的消息,还可以就做什么提供建议,例如,它可以说明您发布的片段。

    avc: denied { module_request } for pid=3852 comm=httpd kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

        Was caused by:
        The boolean domain_kernel_load_modules was set incorrectly.
        Description:
        Allow all domains to have the kernel load modules

        Allow access by executing:
        # setsebool -P domain_kernel_load_modules 1

    由于您当前在强制模式下运行,因此只有第一次拒绝会被记录,如果您要修复这个问题,您可能会发现更多,这就是您应该暂时在许可模式下运行的原因,所有拒绝都会被记录下来。

    有时audit2why不是很有帮助。在这些情况下,更深入地了解 SELinux 可能会有所帮助。例如,您可以运行审核日志audit2allow并生成可以应用的本地策略semodule。不过,这应该经过仔细审核,因为您可以提供比您需要的更多的东西。

    • 3

  2. 要允许 lighttpd 执行文件,请启用 SELinux bool http_execmem

    然后更改文件类型以允许执行 lighttpd chcon system_u:object_r:httpd_exec_t:s0 [file]:.

    使用semanage fcontext -a -t httpd_exec_t [file].

    • 1

相关问题