如何在 Centos 7.4 上仅为 Apache 禁用 Selinux

tag-icon tag-icon apache-2.4 centos7 selinux
如何在 Centos 7.4 上仅为 Apache 禁用 Selinux

我不想禁用 Selinux,但我遇到了问题。我正在使用 FFMPEG(位于 /var/www/tester/ffmpeg 并归 apache 所有)

[root@betaX tester]# ls -Z /var/www/html/tester/ffmpeg/
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffmpeg
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffmpeg-10bit
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffprobe
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffserver
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 manpages
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 model
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 qt-faststart

但每次我尝试运行 ffmpeg

{ffmpeg-cmd} -i {input} -vcodec libx264 -s {ffmpeg-vsize} -threads 16 -movflags faststart {output}.mp4

我收到权限被拒绝错误。

[root@betaX tester]# tail -f /var/log/httpd/error_log
sh: /var/www/html/tester/ffmpeg/ffmpeg: Permission denied

我只想为 Apache 禁用 Selinux,因为这会花费我很多时间,在 Centos 7.x 上有什么方法可以做到这一点吗?我在 Fedora 中找到了解决方案,但我没有任何名为 的文件夹或文件/etc/selinux/targeted/booleans

有什么线索或建议吗?

当前的设置

[root@betaX tester]# /usr/sbin/getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> on
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> on
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

答案1

您的问题是由错误标记的可执行文件引起的。

将其重新标记为http_sys_script_exec_t(参见语义管理上下文恢复控制):

semanage fcontext -a -t http_sys_script_exec_t '/var/www/html/tester/ffmpeg/.*'
restorecon -Rv /var/www/html/tester/ffmpeg/

为了完整起见,这里只介绍了如何禁用 Apache 的 SELinux(使用语义管理宽容):

semanage permissive -a httpd_t

答案2

您可以使用 sealert 来修复被拒绝的权限。

# sealert -a /var/log/audit/audit.log

相关内容