Restarting a service through Apache

I am using CentOS 6.6. I am trying to call the service command from PHP code.

exec("sudo -u kouser bash  ./1.bash 2>&1",$output,$code);

1.bash

#!/bin/bash
sudo service httpd graceful

Execution output

httpd: unrecognized service

If I stop SELinux, the execution succeeds. I want to run the code without stopping SELinux, but I don't want to use audit2allow. That would solve the problem, but I don't know why. When I use audit2why, it doesn't give any further information.

tail /var/log/messages

May 16 11:21:34 Server6 setroubleshoot: SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/httpd. For complete SELinux messages. run sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051

sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051

SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/httpd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the httpd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep service /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_initrc_exec_t:s0
Target Objects                /etc/rc.d/init.d/httpd [ file ]
Source                        service
Source Path                   /bin/bash
Port                          <Unknown>
Host                          ERP-Server
Source RPM Packages           bash-4.1.2-40.el6.x86_64
Target RPM Packages           httpd-2.2.15-53.el6.centos.x86_64
Policy RPM                    selinux-policy-3.7.19-292.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ERP-Server
Platform                      Linux ERP-Server 2.6.32-504.3.3.el6.x86_64 #1 SMP
                              Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64
Alert Count                   22
First Seen                    Mon 23 May 2016 11:06:03 AM EEST
Last Seen                     Tue 07 Jun 2016 11:36:47 AM EEST
Local ID                      91c2c1ed-cb12-4d36-a655-c91d63827a16

Raw Audit Messages
type=AVC msg=audit(1465288607.625:383): avc:  denied  { getattr } for  pid=14705 comm="service" path="/etc/rc.d/init.d/httpd" dev=dm-0 ino=918236 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_initrc_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1465288607.625:383): arch=x86_64 syscall=stat success=no exit=EACCES a0=19ab9b0 a1=7fffc22e8060 a2=7fffc22e8060 a3=8 items=0 ppid=14704 pid=14705 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=service exe=/bin/bash subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash: service,httpd_t,httpd_initrc_exec_t,file,getattr

audit2allow

#============= httpd_t ==============
allow httpd_t httpd_initrc_exec_t:file getattr;

audit2allow -R

#============= httpd_t ==============
allow httpd_t httpd_initrc_exec_t:file getattr;

tail /var/log/audit/audit.log

type=CRED_DISP msg=audit(1463317995.800:917): user pid=5427 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_CMD msg=audit(1463317995.806:918): user pid=5434 uid=512 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='cwd="/var/www/html/1.php" cmd=7365727669636520687474706420677261636566756C terminal=? res=success'
type=CRED_ACQ msg=audit(1463317995.807:919): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1463317995.807:920): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1463317995.818:921): avc:  denied  { getattr } for  pid=5435 comm="service" path="/etc/rc.d/init.d/httpd" dev=dm-0 ino=918237 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1463317995.818:921): arch=c000003e syscall=4 success=no exit=-13 a0=1f37b20 a1=7fff10f16500 a2=7fff10f16500 a3=8 items=0 ppid=5434 pid=5435 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="service" exe="/bin/bash" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=USER_END msg=audit(1463317995.819:922): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1463317995.819:923): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1463317995.820:924): user pid=5388 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_close acct="kouser" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1463317995.820:925): user pid=5388 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="kouser" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
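The audit excerpt above carries three records a defender wants to read together: the USER_CMD record, in which sudo stores the command hex-encoded (the `cmd` value decodes to the `service httpd graceful` call from 1.bash), the AVC denial, and the SYSCALL record that shares the AVC's serial number and shows the failing call (`exit=-13`, EACCES). The parser below is an added example, not part of the question and not code from any SELinux tool; the sample log is constructed from the question's own lines, and the function names (`parse_record`, `summarise_denials`, `sudo_commands`) are my own.

```python
import re

# Constructed sample: three records copied from the question's audit.log excerpt.
SAMPLE_AUDIT_LOG = """\
type=USER_CMD msg=audit(1463317995.806:918): user pid=5434 uid=512 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='cwd="/var/www/html/1.php" cmd=7365727669636520687474706420677261636566756C terminal=? res=success'
type=AVC msg=audit(1463317995.818:921): avc:  denied  { getattr } for  pid=5435 comm="service" path="/etc/rc.d/init.d/httpd" dev=dm-0 ino=918237 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1463317995.818:921): arch=c000003e syscall=4 success=no exit=-13 a0=1f37b20 a1=7fff10f16500 a2=7fff10f16500 a3=8 items=0 ppid=5434 pid=5435 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="service" exe="/bin/bash" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
"""

PAIR_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")
EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
HEX_ENCODED_KEYS = ("cmd", "proctitle")  # auditd hex-encodes these when they contain spaces


def parse_record(line):
    """Parse one audit record into a flat dict.

    Nested key=value pairs inside a quoted msg='...' payload (PAM and sudo
    records) are merged in, and hex-encoded string fields are decoded.
    """
    rec = {}
    m = EVENT_RE.search(line)
    if m:
        rec["timestamp"], rec["serial"] = float(m.group(1)), int(m.group(2))
    body = EVENT_RE.sub("", line)  # drop the event id so it is not read as a field
    for key, raw in PAIR_RE.findall(body):
        if raw.startswith("'") and "=" in raw:  # nested payload, e.g. msg='cwd=... cmd=...'
            rec.update(parse_record(raw.strip("'")))
            continue
        value = raw.strip('"')
        if key in HEX_ENCODED_KEYS and re.fullmatch(r"[0-9A-Fa-f]+", value) and len(value) % 2 == 0:
            value = bytes.fromhex(value).decode("utf-8", "replace")
        rec[key] = value
    avc = AVC_RE.search(line)
    if avc:
        rec["decision"], rec["permissions"] = avc.group(1), avc.group(2).split()
    return rec


def selinux_type(context):
    """Return the type component of a user:role:type:level SELinux context."""
    return context.split(":")[2]


def sudo_commands(log_text):
    """Decoded commands recorded by sudo (USER_CMD), with the calling domain and uid."""
    out = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "USER_CMD":
            out.append((rec.get("cmd"), selinux_type(rec["subj"]), rec.get("uid")))
    return out


def summarise_denials(log_text):
    """One summary per AVC denial, joined to the SYSCALL record with the same serial."""
    records = [parse_record(l) for l in log_text.splitlines() if l.strip()]
    syscalls = {r["serial"]: r for r in records if r.get("type") == "SYSCALL"}
    summaries = []
    for rec in records:
        if rec.get("type") != "AVC" or rec.get("decision") != "denied":
            continue
        sc = syscalls.get(rec["serial"], {})
        src, tgt = selinux_type(rec["scontext"]), selinux_type(rec["tcontext"])
        summaries.append({
            "serial": rec["serial"],
            "comm": rec.get("comm"),
            "exe": sc.get("exe"),
            "source_type": src,
            "target_type": tgt,
            "tclass": rec["tclass"],
            "permissions": rec["permissions"],
            "path": rec.get("path"),
            "syscall_exit": sc.get("exit"),
            # Same shape as the "Hash:" line sealert prints for this alert.
            "hash": ",".join([rec.get("comm", ""), src, tgt, rec["tclass"], " ".join(rec["permissions"])]),
        })
    return summaries


if __name__ == "__main__":
    for cmd, domain, uid in sudo_commands(SAMPLE_AUDIT_LOG):
        print(f"sudo ran {cmd!r} as uid {uid} from domain {domain}")
    for d in summarise_denials(SAMPLE_AUDIT_LOG):
        print(f"serial {d['serial']}: {d['source_type']} -> {d['target_type']}:{d['tclass']} "
              f"{d['permissions']} on {d['path']} via {d['exe']} (exit {d['syscall_exit']})")
```

Run against a real file with `summarise_denials(open("/var/log/audit/audit.log").read())`; the `hash` field lets you match a denial to the sealert alert it belongs to, and `sudo_commands` shows which command was issued from the `httpd_t` domain, which is the detail the PHP-driven `sudo` hides.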

Answer 1

sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051 explains the exact reason, and you can find the file name and the SELinux context in the summary section.

To fix the problem, run the following command:

chcon -t selinux_context 'file_name'

This is the recommended command for troubleshooting access allow/deny problems. It gives a command that changes the type of file1 to public_content_t, which the Apache HTTP Server can access.

Possible errors: link 1, link 2
