我在 Rocky Linux 9 中运行 Wordpress,需要optipng执行一些图像转换任务,但它被阻止了:
SELinux is preventing /usr/sbin/php-fpm from execute access on the file optipng.
***** Plugin catchall_boolean (89.3 confidence) suggests ******************
If you want to allow httpd to unified
Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.
Do
setsebool -P httpd_unified 1
***** Plugin catchall (11.6 confidence) suggests **************************
If you believe that php-fpm should be allowed execute access on the optipng file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm
# semodule -X 300 -i my-phpfpm.pp
如果我错了,请纠正我,但我想避免做类似的事情,setsebool -P httpd_unified 1因为我的理解是它将授予相当广泛的权限并允许php-fpm执行任何标有的文件httpd_sys_rw_content_t。
此外,当我运行ausearch -c 'php-fpm' --raw | audit2allow -M my-phpfpm它时,它会创建一个具有相同广泛效果的策略:
module my-phpfpm 1.0;
require {
type httpd_sys_rw_content_t;
type httpd_t;
class file execute;
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_unified'
allow httpd_t httpd_sys_rw_content_t:file execute;
这让我想到了我的问题:我怎样才能安全地php-fpm执行/usr/bin/optipng?
也许最好的方法就是直接执行setsebool -P httpd_unified 1,或者我需要为创建一个新类型optipng,例如semanage fcontext -a -t my_optipng_exec_t '/usr/bin/optipng'并允许php-fpm使用自定义策略执行该特定类型。我试过了,但无法让它工作。
请让我知道您的建议。
谢谢。