允许 httpd 在 /usr/bin/ 中运行 bash 脚本

tag-icon tag-icon permissions bash apache-2.4 selinux rhel7
允许 httpd 在 /usr/bin/ 中运行 bash 脚本

将系统从 CentOS6 迁移到 RHEL7,并强制运行 SELinux。php脚本调用以/usr/bin/processdata.sh在后台生成一些数据。这在旧系统上运行良好,但exec在 SELinux 设置为启用时,php 调用会阻塞。

这是 sh 权限

-rwxrwx--x. root root unconfined_u:object_r:bin_t:s0   /usr/bin/process_data.sh

在调用php页面的同时会出现这个审计错误:

ausearch -l -i | grep httpd

类型 = SYSCALL msg = 审核(2016 年 2 月 27 日 14:07:52.662:23480):arch = x86_64 syscall = 套接字成功 = 否退出 = -97(协议不支持地址系列)a0 = inet6 a1 = SOCK_DGRAM a2 = ip a3 = 0x672e76656473626e items = 0 ppid = 15686 pid = 3852 auid = unset uid = apache gid = apache euid = apache suid = apache fsuid = apache egid = apache sgid = apache fsgid = apache tty =(无)ses = unset comm = httpd exe = / usr / sbin / httpd subj = system_u:system_r:httpd_t:s0 key =(null)类型 = AVC msg=audit(2016 年 2 月 27 日 14:07:52.662:23480):avc:拒绝 pid=3852 的 {module_request} comm=httpd kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

以下是我当前的 httpd 布尔值:

httpd_can_network_relay        (off  ,  off)  Allow httpd to can network relay
httpd_can_connect_mythtv       (off  ,  off)  Allow httpd to can connect mythtv
httpd_can_network_connect_db   (off  ,  off)  Allow httpd to can network connect db
httpd_use_gpg                  (off  ,  off)  Allow httpd to use gpg
httpd_dbus_sssd                (off  ,  off)  Allow httpd to dbus sssd
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
httpd_verify_dns               (off  ,  off)  Allow httpd to verify dns
httpd_dontaudit_search_dirs    (off  ,  off)  Allow httpd to dontaudit search dirs
httpd_anon_write               (off  ,  off)  Allow httpd to anon write
httpd_use_cifs                 (off  ,  off)  Allow httpd to use cifs
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
httpd_unified                  (off  ,  off)  Allow httpd to unified
httpd_mod_auth_pam             (off  ,  off)  Allow httpd to mod auth pam
httpd_run_stickshift           (off  ,  off)  Allow httpd to run stickshift
httpd_use_fusefs               (off  ,  off)  Allow httpd to use fusefs
httpd_can_connect_ldap         (off  ,  off)  Allow httpd to can connect ldap
httpd_can_network_connect      (on   ,   on)  Allow httpd to can network connect
httpd_mod_auth_ntlm_winbind    (off  ,  off)  Allow httpd to mod auth ntlm winbind
httpd_tty_comm                 (off  ,  off)  Allow httpd to tty comm
httpd_sys_script_anon_write    (off  ,  off)  Allow httpd to sys script anon write
httpd_graceful_shutdown        (on   ,   on)  Allow httpd to graceful shutdown
httpd_can_connect_ftp          (off  ,  off)  Allow httpd to can connect ftp
httpd_run_ipa                  (off  ,  off)  Allow httpd to run ipa
httpd_read_user_content        (off  ,  off)  Allow httpd to read user content
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs
httpd_can_connect_zabbix       (off  ,  off)  Allow httpd to can connect zabbix
httpd_tmp_exec                 (off  ,  off)  Allow httpd to tmp exec
httpd_run_preupgrade           (off  ,  off)  Allow httpd to run preupgrade
httpd_manage_ipa               (off  ,  off)  Allow httpd to manage ipa
httpd_can_sendmail             (on   ,   on)  Allow httpd to can sendmail
httpd_builtin_scripting        (on   ,   on)  Allow httpd to builtin scripting
httpd_dbus_avahi               (off  ,  off)  Allow httpd to dbus avahi
httpd_can_check_spam           (off  ,  off)  Allow httpd to can check spam
httpd_can_network_memcache     (off  ,  off)  Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off  ,  off)  Allow httpd to can network connect cobbler
httpd_use_sasl                 (off  ,  off)  Allow httpd to use sasl
httpd_serve_cobbler_files      (off  ,  off)  Allow httpd to serve cobbler files
httpd_execmem                  (off  ,  off)  Allow httpd to execmem
httpd_ssi_exec                 (off  ,  off)  Allow httpd to ssi exec
httpd_use_openstack            (off  ,  off)  Allow httpd to use openstack
httpd_enable_ftp_server        (off  ,  off)  Allow httpd to enable ftp server
httpd_setrlimit                (off  ,  off)  Allow httpd to setrlimit

我的 selinux 配置中是否存在我没​​有看到的东西?

答案1

我的 selinux 配置中是否存在我没​​有看到的东西?

您向我们展示的 SELinux 配置看起来“正常”,但这并不是说它不需要调整以满足您的特定工作负载。

我在这里要做的是将 SELinux 置于宽容模式 ( setenforce 0),然后使 auditd 启动一个新的日志文件 ( kill -USR1<auditd 的 PID>。然后继续您的正常业务。SELinux 将生成消息以供稍后分析。

当您在宽容模式下运行“一段时间”后,您可以使用标准工具来调查 SELinux 消息。

audit2why实用程序可以阐明已记录的消息,还可以提供有关如何操作的建议,例如,它可以对您发布的片段做出说明。

avc: denied { module_request } for pid=3852 comm=httpd kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

        Was caused by:
        The boolean domain_kernel_load_modules was set incorrectly.
        Description:
        Allow all domains to have the kernel load modules

        Allow access by executing:
        # setsebool -P domain_kernel_load_modules 1

由于您当前在强制模式下运行,因此仅记录第一次拒绝,如果您要修复该问题,您可能会发现更多,这就是为什么您应该暂时在宽容模式下运行,所有拒绝都会被记录。

有时audit2why并没有什么帮助。在这种情况下,更深入地了解 SELinux 会有所帮助。例如,您可以运行审计日志audit2allow并生成可以应用的本地策略semodule。但这应该仔细审计,因为您可能会泄露比需要更多的信息。

答案2

要允许 lighttpd 执行文件,请启用 SELinux bool http_execmem

然后更改文件类型以允许lighttpd执行:chcon system_u:object_r:httpd_exec_t:s0 [file]

通过使用 使该更改在内核中持久有效semanage fcontext -a -t httpd_exec_t [file]

相关内容