SELinux does not allow the ps command to be used from PHP

I use this code to check from PHP whether myservice is running:

    exec("ps -A | grep -i myservicename | grep -v grep 2>&1", $output);

$output is always empty. But if I run setenforce 0 it works great, so SELinux is preventing httpd from running this command. audit2why also gave me the following message:

type=AVC msg=audit(1503739681.450:2905): avc:  denied  { search } for  pid=11273 comm="ps" name="11017" dev="proc" ino=97841 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

How do I tell SELinux to let httpd run my command?

Update

The output of audit2allow -a is as follows:

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t NetworkManager_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t NetworkManager_t:dir getattr;
allow httpd_sys_script_t abrt_watch_log_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t abrt_watch_log_t:dir getattr;
allow httpd_sys_script_t auditd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t auditd_t:dir getattr;
allow httpd_sys_script_t crond_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t crond_t:dir getattr;
allow httpd_sys_script_t firewalld_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t firewalld_t:dir getattr;
allow httpd_sys_script_t fsdaemon_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t fsdaemon_t:dir getattr;
allow httpd_sys_script_t getty_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t getty_t:dir getattr;
allow httpd_sys_script_t httpd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t httpd_t:dir getattr;
allow httpd_sys_script_t init_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t init_t:dir getattr;
allow httpd_sys_script_t initrc_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t initrc_t:dir getattr;
allow httpd_sys_script_t irqbalance_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t irqbalance_t:dir getattr;
allow httpd_sys_script_t kernel_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t kernel_t:dir getattr;
allow httpd_sys_script_t lsmd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t lsmd_t:dir getattr;
allow httpd_sys_script_t lvm_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t lvm_t:dir getattr;
allow httpd_sys_script_t mysqld_safe_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t mysqld_safe_t:dir getattr;
allow httpd_sys_script_t mysqld_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t mysqld_t:dir getattr;
allow httpd_sys_script_t policykit_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t policykit_t:dir getattr;
allow httpd_sys_script_t postfix_master_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t postfix_master_t:dir getattr;
allow httpd_sys_script_t postfix_pickup_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t postfix_pickup_t:dir getattr;
allow httpd_sys_script_t postfix_qmgr_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t postfix_qmgr_t:dir getattr;
allow httpd_sys_script_t sshd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t sshd_t:dir getattr;
allow httpd_sys_script_t syslogd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t syslogd_t:dir getattr;
allow httpd_sys_script_t system_dbusd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t system_dbusd_t:dir getattr;
allow httpd_sys_script_t systemd_logind_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t systemd_logind_t:dir getattr;
allow httpd_sys_script_t tuned_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t tuned_t:dir getattr;
allow httpd_sys_script_t udev_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t udev_t:dir getattr;
allow httpd_sys_script_t unconfined_service_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t unconfined_service_t:dir getattr;
allow httpd_sys_script_t unconfined_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t unconfined_t:dir getattr;

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t etc_runtime_t:sock_file write;

#!!!! This avc is allowed in the current policy
allow httpd_t mysqld_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow httpd_t self:rawip_socket create;

#============= mysqld_safe_t ==============

#!!!! This avc is allowed in the current policy
allow mysqld_safe_t var_lib_t:lnk_file read;

#============= mysqld_t ==============

#!!!! This avc is allowed in the current policy
allow mysqld_t etc_runtime_t:dir { add_name remove_name write };

#!!!! This avc is allowed in the current policy
allow mysqld_t etc_runtime_t:file { create rename unlink write };

#!!!! This avc is allowed in the current policy
allow mysqld_t etc_runtime_t:sock_file { create unlink };

#!!!! This avc is allowed in the current policy
allow mysqld_t var_lib_t:lnk_file { getattr read };

Solution

This command solved my problem:

semanage permissive -a httpd_sys_script_t

or

semanage permissive -a httpd_t

Now httpd can run any command.

Answer 1

Run the audit2allow -a command to view the Type Enforcement rule that allows the access that was denied:

audit2allow -a

#============= certwatch_t ==============
allow certwatch_t var_t:dir write;

To use the rule displayed by audit2allow -a, run the audit2allow -a -M mycertwatch command as the Linux root user to create a custom module. The -M option creates a Type Enforcement file (.te) with the name specified with -M in the current working directory:

audit2allow -a -M mycertwatch

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mycertwatch.pp

~]# ls
mycertwatch.pp  mycertwatch.te

Additionally, audit2allow compiles the Type Enforcement rule into a policy package (.pp). To install the module, run the semodule -i mycertwatch.pp command as the Linux root user.
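As an added example, not part of either post: the answer's audit2allow -a step and the question's Update output both come from turning AVC denial records like the one quoted in the question into allow rules. This Python script does that parsing for a constructed audit.log excerpt (the first record is the question's own denial, the remaining records are constructed), merging permissions per source/target/class into the braced form audit2allow prints; for the question's denial it yields one rule for httpd_sys_script_t on kernel_t:dir, a much narrower change than semanage permissive -a httpd_t.

```python
import re
from collections import defaultdict

# Constructed sample: the first record is the denial quoted in the question,
# the rest are made-up records in the same format to show permission merging.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1503739681.450:2905): avc:  denied  { search } for  pid=11273 comm="ps" name="11017" dev="proc" ino=97841 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
type=AVC msg=audit(1503739681.451:2906): avc:  denied  { getattr } for  pid=11273 comm="ps" name="11017" dev="proc" ino=97841 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
type=AVC msg=audit(1503739681.452:2907): avc:  denied  { read } for  pid=11273 comm="ps" name="status" dev="proc" ino=97842 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=file
type=SYSCALL msg=audit(1503739681.450:2905): arch=c000003e syscall=257 success=no exit=-13
"""

# Pull the denied permissions, source/target contexts and object class out of an AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def domain_type(context):
    """Return the type field of a user:role:type:level security context."""
    return context.split(':')[2]

def parse_denials(log_text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial of their own
        key = (domain_type(m['scontext']), domain_type(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return rules

def format_perms(perms):
    """Render a permission set as audit2allow does: bare when single, braced otherwise."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'

def te_rules(log_text):
    """Produce one allow rule per (source, target, class) covering exactly the denied accesses."""
    return [f'allow {s} {t}:{c} {format_perms(p)};'
            for (s, t, c), p in sorted(parse_denials(log_text).items())]

if __name__ == '__main__':
    print('\n'.join(te_rules(SAMPLE_AUDIT_LOG)))
```

The emitted rules are the body of a .te file; audit2allow -M adds the module header and semodule -i loads the compiled package, as the answer describes.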
