我的用户主目录位于 /data/test_user。我正在使用索引来允许使用 Apache 2.4 通过 Web 浏览器浏览此目录。然而,突然间我遇到了一个问题,我看不到任何内容。请注意,我可以看到该目录,并且可以进入它,但是当我这样做时,没有显示任何内容(即使文件系统中有内容)。具体来说,那里有一个名为testfile
该目录具有以下标签:
unconfined_u:object_r:user_home_dir_t:s0 test_user
/home/test_user/testfile标签和权限:
-rw-r--r--. test_user remote-users unconfined_u:object_r:user_home_dir_t:s0 testfile
此外,我设置了以下布尔值:
httpd_can_network_relay (off , off) Allow httpd to can network relay
httpd_can_connect_mythtv (off , off) Allow httpd to can connect mythtv
httpd_can_network_connect_db (off , off) Allow httpd to can network connect db
httpd_use_gpg (off , off) Allow httpd to use gpg
httpd_dbus_sssd (off , off) Allow httpd to dbus sssd
httpd_enable_cgi (on , on) Allow httpd to enable cgi
httpd_verify_dns (off , off) Allow httpd to verify dns
httpd_dontaudit_search_dirs (off , off) Allow httpd to dontaudit search dirs
httpd_use_cifs (off , off) Allow httpd to use cifs
httpd_manage_ipa (off , off) Allow httpd to manage ipa
httpd_run_stickshift (off , off) Allow httpd to run stickshift
httpd_enable_homedirs (off , off) Allow httpd to enable homedirs
httpd_dbus_avahi (off , off) Allow httpd to dbus avahi
httpd_unified (off , off) Allow httpd to unified
httpd_mod_auth_pam (off , off) Allow httpd to mod auth pam
httpd_can_network_connect (off , off) Allow httpd to can network connect
httpd_execmem (off , off) Allow httpd to execmem
httpd_use_fusefs (off , off) Allow httpd to use fusefs
httpd_mod_auth_ntlm_winbind (off , off) Allow httpd to mod auth ntlm winbind
httpd_use_sasl (off , off) Allow httpd to use sasl
httpd_tty_comm (off , off) Allow httpd to tty comm
httpd_sys_script_anon_write (off , off) Allow httpd to sys script anon write
httpd_graceful_shutdown (on , on) Allow httpd to graceful shutdown
httpd_can_connect_ftp (off , off) Allow httpd to can connect ftp
httpd_run_ipa (off , off) Allow httpd to run ipa
httpd_read_user_content (on , on) Allow httpd to read user content
httpd_use_nfs (off , off) Allow httpd to use nfs
httpd_can_connect_zabbix (off , off) Allow httpd to can connect zabbix
httpd_tmp_exec (off , off) Allow httpd to tmp exec
httpd_run_preupgrade (off , off) Allow httpd to run preupgrade
httpd_can_sendmail (off , off) Allow httpd to can sendmail
httpd_builtin_scripting (on , on) Allow httpd to builtin scripting
httpd_can_connect_ldap (off , off) Allow httpd to can connect ldap
httpd_can_check_spam (off , off) Allow httpd to can check spam
httpd_can_network_memcache (off , off) Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off , off) Allow httpd to can network connect cobbler
httpd_anon_write (off , off) Allow httpd to anon write
httpd_serve_cobbler_files (off , off) Allow httpd to serve cobbler files
httpd_ssi_exec (off , off) Allow httpd to ssi exec
httpd_use_openstack (off , off) Allow httpd to use openstack
httpd_enable_ftp_server (off , off) Allow httpd to enable ftp server
httpd_setrlimit (off , off) Allow httpd to setrlimit
SELinux 警报:
SELinux is preventing /usr/sbin/httpd from getattr access on the file /data/test_user/testfile.
***** Plugin restorecon (99.5 confidence) suggests ************************
If you want to fix the label.
/data/test_user/testfile default label should be default_t.
Then you can run restorecon.
Do
# /sbin/restorecon -v /data/test_user/testfile
***** Plugin catchall (1.49 confidence) suggests **************************
If you believe that httpd should be allowed getattr access on the testfile file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:user_home_dir_t:s0
Target Objects /data/test_user/testfile [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host <redacted>
Source RPM Packages httpd-2.4.6-45.el7.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-102.el7_3.15.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name <redacted>
Platform Linux 3.10.0-514.10.2.el7.x86_64
#1 SMP Mon Feb 20 02:37:52 EST 2017 x86_64 x86_64
Alert Count 16
First Seen 2017-03-16 22:36:36 UTC
Last Seen 2017-03-22 19:10:23 UTC
Local ID a6ae731b-71aa-446f-9be7-445e3656ef06
Raw Audit Messages
type=AVC msg=audit(1490209823.491:352): avc: denied { getattr } for pid=2508 comm="httpd" path="/data/test_user/testfile" dev="dm-0" ino=2122369 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
type=SYSCALL msg=audit(1490209823.491:352): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7ffe31303d60 a1=7ffe31303c70 a2=7ffe31303c70 a3=6d69762e726f6c items=0 ppid=2503 pid=2508 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: httpd,httpd_t,user_home_dir_t,file,getattr
我还在 /data/ 中拥有以下默认上下文的所有内容:
/data(/.*)? all files system_u:object_r:user_home_dir_t:s0
我在这里缺少什么?这以前是有效的。
答案1
快速查看一下sesearch --allow -s httpd_t -b httpd_read_user_content | grep user_home_dir_t,实际上 SELinux 工作正常:
allow httpd_t user_home_dir_t : lnk_file { read getattr } ;
allow httpd_t user_home_dir_t : dir { getattr search open } ;
allow httpd_t user_home_dir_t : dir { ioctl read getattr lock search open } ;
allow httpd_t user_home_dir_t : dir { getattr search open } ;
这里重要的因素是我想要读取目录中的文件,而不仅仅是目录。但是,如果我们将上下文更改为user_home_t它允许 apache 读取目录中的文件,如所解释的sesearch --allow -s httpd_t -b httpd_read_user_content | grep user_home_t
allow httpd_t user_home_type : dir { getattr search open } ;
allow httpd_t user_home_type : dir { ioctl read getattr lock search open } ;
allow httpd_t user_home_type : dir { getattr search open } ;
allow httpd_t user_home_type : file { ioctl read getattr lock open } ;
这里感兴趣的具体行是file最后的 ,显示 apache 可以使用 ioctl 读取 getattr 锁并打开具有此上下文的文件。使用 标记目录使user_home_t我可以毫无问题地查看索引列表中的文件。