通过apache重启服务

tag-icon tag-icon linux services selinux
通过apache重启服务

我正在使用 CentOS 6.6 我尝试在 PHP 代码中调用服务命令

exec("sudo -u kouser bash  ./1.bash 2>&1",$output,$code);

1.bash

#!/bin/bash
sudo service httpd graceful

执行的输出

httpd: unrecognized service

当我停止SElinux时执行成功。我想在不停止 SELinux 的情况下执行我的代码,但我不想使用audit2allow;它会解决问题,但我不明白为什么。当我使用audit2why它时,它没有给我任何更多信息。

尾部 /var/log/messages

May 16 11:21:34 Server6 setroubleshoot: SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/httpd. For complete SELinux messages. run sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051

sealert-l 92a5910b-1bfe-4b98-a2de-d773cce85051

SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/httpd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the httpd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep service /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_initrc_exec_t:s0
Target Objects                /etc/rc.d/init.d/httpd [ file ]
Source                        service
Source Path                   /bin/bash
Port                          <Unknown>
Host                          ERP-Server
Source RPM Packages           bash-4.1.2-40.el6.x86_64
Target RPM Packages           httpd-2.2.15-53.el6.centos.x86_64
Policy RPM                    selinux-policy-3.7.19-292.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ERP-Server
Platform                      Linux ERP-Server 2.6.32-504.3.3.el6.x86_64 #1 SMP
                              Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64
Alert Count                   22
First Seen                    Mon 23 May 2016 11:06:03 AM EEST
Last Seen                     Tue 07 Jun 2016 11:36:47 AM EEST
Local ID                      91c2c1ed-cb12-4d36-a655-c91d63827a16

Raw Audit Messages
type=AVC msg=audit(1465288607.625:383): avc:  denied  { getattr } for  pid=14705 comm="service" path="/etc/rc.d/init.d/httpd" dev=dm-0 ino=918236 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_initrc_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1465288607.625:383): arch=x86_64 syscall=stat success=no exit=EACCES a0=19ab9b0 a1=7fffc22e8060 a2=7fffc22e8060 a3=8 items=0 ppid=14704 pid=14705 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=service exe=/bin/bash subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash: service,httpd_t,httpd_initrc_exec_t,file,getattr

audit2allow

#============= httpd_t ==============
allow httpd_t httpd_initrc_exec_t:file getattr;

audit2allow -R

#============= httpd_t ==============
allow httpd_t httpd_initrc_exec_t:file getattr;

尾部 /var/log/audit/audit.log

type=CRED_DISP msg=audit(1463317995.800:917): user pid=5427 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_CMD msg=audit(1463317995.806:918): user pid=5434 uid=512 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='cwd="/var/www/html/1.php" cmd=7365727669636520687474706420677261636566756C terminal=? res=success'
type=CRED_ACQ msg=audit(1463317995.807:919): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1463317995.807:920): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1463317995.818:921): avc:  denied  { getattr } for  pid=5435 comm="service" path="/etc/rc.d/init.d/httpd" dev=dm-0 ino=918237 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1463317995.818:921): arch=c000003e syscall=4 success=no exit=-13 a0=1f37b20 a1=7fff10f16500 a2=7fff10f16500 a3=8 items=0 ppid=5434 pid=5435 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="service" exe="/bin/bash" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=USER_END msg=audit(1463317995.819:922): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1463317995.819:923): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1463317995.820:924): user pid=5388 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_close acct="kouser" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1463317995.820:925): user pid=5388 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="kouser" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'

答案1

sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051将描述确切的原因,在摘要部分您将找到文件名和 selinux 上下文

要解决该问题,请执行以下命令。

chcon -t selinux_context 'file_name'

允许访问并解决拒绝问题的建议命令。它提供了将 file1 类型更改为 public_content_t 的命令,Apache HTTP Server 可以访问该命令

可能的错误链接1 链接2

相关内容