I am using this code in PHP to check whether myservice is running:
exec("ps -A | grep -i myservicename | grep -v grep 2>&1", $output);
$output is always empty. But after running setenforce 0 it works fine, so SELinux is blocking httpd from executing this command. audit2why also gave me the following message:
type=AVC msg=audit(1503739681.450:2905): avc: denied { search } for pid=11273 comm="ps" name="11017" dev="proc" ino=97841 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access.
How do I tell SELinux to allow httpd to execute my command?
Update
The output of audit2allow -a is:
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t NetworkManager_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t NetworkManager_t:dir getattr;
allow httpd_sys_script_t abrt_watch_log_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t abrt_watch_log_t:dir getattr;
allow httpd_sys_script_t auditd_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t auditd_t:dir getattr;
allow httpd_sys_script_t crond_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t crond_t:dir getattr;
allow httpd_sys_script_t firewalld_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t firewalld_t:dir getattr;
allow httpd_sys_script_t fsdaemon_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t fsdaemon_t:dir getattr;
allow httpd_sys_script_t getty_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t getty_t:dir getattr;
allow httpd_sys_script_t httpd_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t httpd_t:dir getattr;
allow httpd_sys_script_t init_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t init_t:dir getattr;
allow httpd_sys_script_t initrc_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t initrc_t:dir getattr;
allow httpd_sys_script_t irqbalance_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t irqbalance_t:dir getattr;
allow httpd_sys_script_t kernel_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t kernel_t:dir getattr;
allow httpd_sys_script_t lsmd_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t lsmd_t:dir getattr;
allow httpd_sys_script_t lvm_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t lvm_t:dir getattr;
allow httpd_sys_script_t mysqld_safe_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t mysqld_safe_t:dir getattr;
allow httpd_sys_script_t mysqld_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t mysqld_t:dir getattr;
allow httpd_sys_script_t policykit_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t policykit_t:dir getattr;
allow httpd_sys_script_t postfix_master_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t postfix_master_t:dir getattr;
allow httpd_sys_script_t postfix_pickup_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t postfix_pickup_t:dir getattr;
allow httpd_sys_script_t postfix_qmgr_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t postfix_qmgr_t:dir getattr;
allow httpd_sys_script_t sshd_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t sshd_t:dir getattr;
allow httpd_sys_script_t syslogd_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t syslogd_t:dir getattr;
allow httpd_sys_script_t system_dbusd_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t system_dbusd_t:dir getattr;
allow httpd_sys_script_t systemd_logind_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t systemd_logind_t:dir getattr;
allow httpd_sys_script_t tuned_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t tuned_t:dir getattr;
allow httpd_sys_script_t udev_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t udev_t:dir getattr;
allow httpd_sys_script_t unconfined_service_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t unconfined_service_t:dir getattr;
allow httpd_sys_script_t unconfined_t:dir search;
#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t unconfined_t:dir getattr;
#============= httpd_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_t etc_runtime_t:sock_file write;
#!!!! This avc is allowed in the current policy
allow httpd_t mysqld_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow httpd_t self:rawip_socket create;
#============= mysqld_safe_t ==============
#!!!! This avc is allowed in the current policy
allow mysqld_safe_t var_lib_t:lnk_file read;
#============= mysqld_t ==============
#!!!! This avc is allowed in the current policy
allow mysqld_t etc_runtime_t:dir { add_name remove_name write };
#!!!! This avc is allowed in the current policy
allow mysqld_t etc_runtime_t:file { create rename unlink write };
#!!!! This avc is allowed in the current policy
allow mysqld_t etc_runtime_t:sock_file { create unlink };
#!!!! This avc is allowed in the current policy
allow mysqld_t var_lib_t:lnk_file { getattr read };
Solution
This command solved my problem:
semanage permissive -a httpd_sys_script_t
or
semanage permissive -a httpd_t
Now httpd can run any command.
Answer 1
Run the audit2allow -a command to view the type enforcement rules that would allow the access that was denied:
audit2allow -a
#============= certwatch_t ==============
allow certwatch_t var_t:dir write;
To use the rules displayed by audit2allow -a, run audit2allow -a -M mycertwatch as the Linux root user to create a custom module. The -M option creates a type enforcement file (.te) in the current working directory, with the name specified by -M:
audit2allow -a -M mycertwatch
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i mycertwatch.pp
~]# ls
mycertwatch.pp mycertwatch.te
audit2allow also compiles the type enforcement rules into a policy package (.pp). To install the module, run semodule -i mycertwatch.pp as the Linux root user.
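The following is an added example, not code from the question or from the answer above. It shows what audit2allow -a -M does under the hood, applied to the exact AVC line from the question: parse the denial into a type enforcement module that allows only httpd_sys_script_t to search (and getattr) a kernel_t-labelled /proc directory, then compile, package and load it. That is the scoped alternative to semanage permissive -a httpd_sys_script_t from the question's update, which switches off enforcement for every CGI and PHP script httpd runs. The module name myservice_ps, the second sample AVC line (for the getattr permission ps also needs) and the build_and_load helper are assumptions for the example; ausearch, checkmodule, semodule_package and semodule are the standard SELinux userspace tools.

```shell
#!/bin/sh
# Added example (not from the question or the answer): turn logged AVC
# denials into a scoped SELinux TE module instead of making the whole
# httpd_sys_script_t domain permissive. Module name "myservice_ps" and the
# second sample line below are assumptions made for this example.

# Constructed input: the AVC line quoted in the question, plus a constructed
# second line for the getattr permission ps needs on the same /proc entry.
SAMPLE_AVC='type=AVC msg=audit(1503739681.450:2905): avc: denied { search } for pid=11273 comm="ps" name="11017" dev="proc" ino=97841 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir'
SAMPLE_AVC_GETATTR='type=AVC msg=audit(1503739681.450:2906): avc: denied { getattr } for pid=11273 comm="ps" name="11017" dev="proc" ino=97841 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir'

# avc_to_te MODULE_NAME   (AVC lines on stdin)
# Emits a TE module: one allow rule per (source type, target type, class)
# with permissions merged, plus a require block listing the types and
# classes the rules reference.
avc_to_te() {
  awk -v name="$1" '
    /avc: +denied/ {
      perms = $0; sub(/.*denied +[{] */, "", perms); sub(/ *[}].*/, "", perms)
      src = $0;   sub(/.*scontext=/, "", src);       sub(/ .*/, "", src)
      tgt = $0;   sub(/.*tcontext=/, "", tgt);       sub(/ .*/, "", tgt)
      cls = $0;   sub(/.*tclass=/, "", cls);         sub(/[^A-Za-z0-9_].*/, "", cls)
      # a context is user:role:type:level; the type is field 3
      split(src, s, ":"); split(tgt, t, ":")
      key = s[3] " " t[3] ":" cls
      if (!(key in rule))    { rule[key] = "";  order[++nrules] = key }
      if (!(s[3] in seen_t)) { seen_t[s[3]] = 1; types[++ntypes] = s[3] }
      if (!(t[3] in seen_t)) { seen_t[t[3]] = 1; types[++ntypes] = t[3] }
      if (!(cls in seen_c))  { seen_c[cls] = 1;  classes[++nclasses] = cls; cperm[cls] = "" }
      n = split(perms, pa, " ")
      for (i = 1; i <= n; i++) {
        # deduplicate permissions per rule and per class (for the require block)
        if (index(" " rule[key] " ", " " pa[i] " ") == 0)
          rule[key] = rule[key] (rule[key] == "" ? "" : " ") pa[i]
        if (index(" " cperm[cls] " ", " " pa[i] " ") == 0)
          cperm[cls] = cperm[cls] (cperm[cls] == "" ? "" : " ") pa[i]
      }
    }
    END {
      printf "module %s 1.0;\n\nrequire {\n", name
      for (i = 1; i <= ntypes; i++)   printf "\ttype %s;\n", types[i]
      for (i = 1; i <= nclasses; i++) printf "\tclass %s { %s };\n", classes[i], cperm[classes[i]]
      printf "}\n\n"
      for (i = 1; i <= nrules; i++) {
        split(order[i], k, " ")          # k[1] = source type, k[2] = target:class
        pl = rule[order[i]]
        if (index(pl, " ")) pl = "{ " pl " }"
        printf "allow %s %s %s;\n", k[1], k[2], pl
      }
    }'
}

# build_and_load FILE.te: the compile/package/install chain that
# "audit2allow -M" runs for you. Only executes where the SELinux userspace
# tools exist; elsewhere it prints the commands and returns 1.
build_and_load() {
  te="$1"; mod="${te%.te}"
  if ! command -v checkmodule >/dev/null 2>&1; then
    echo "checkmodule not found; on the SELinux host run:" >&2
    echo "  checkmodule -M -m -o $mod.mod $te && semodule_package -o $mod.pp -m $mod.mod && semodule -i $mod.pp" >&2
    return 1
  fi
  checkmodule -M -m -o "$mod.mod" "$te" &&
    semodule_package -o "$mod.pp" -m "$mod.mod" &&
    semodule -i "$mod.pp"
}

# Stand-alone run: print the module built from the two sample denials.
# On the real host, feed live denials for the ps command instead:
#   ausearch -m AVC -c ps | avc_to_te myservice_ps > myservice_ps.te
#   build_and_load myservice_ps.te
printf '%s\n' "$SAMPLE_AVC" "$SAMPLE_AVC_GETATTR" | avc_to_te myservice_ps
```

After loading, confirm the module is present with semodule -l and re-run the PHP check with SELinux enforcing; if $output is still empty, pull the next denial with ausearch and rebuild. Expect this to iterate: ps has to search and getattr the /proc/<pid> directory of every process on the box, and each of those directories carries the label of its process's domain, which is exactly why the audit2allow -a output in the question's update lists search and getattr rules against kernel_t, sshd_t, mysqld_t and every other domain. A module that grants httpd_sys_script_t read access to all of /proc is still far narrower than a permissive domain, but if the check can be done without ps at all (a pid file or a status socket owned by the service), that is the least-privilege design.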