SELinux prevents install php mysql software on Apache



PCessna
24th January 2009, 05:34 PM
It just denies it. It tells me to run a command, I run it, and it keeps denying. I had to kill and restart the program, and echo it off and on JUST to INSTALL phpBB. How can I completely prevent it from worrying about /var/www/http?

andrelag
24th January 2009, 06:04 PM
You could try:

cd /path/to/www/
restorecon -R -v '.'

Hope this will help!

Regards,
Andre

PCessna
25th January 2009, 01:59 AM
You could try:

cd /path/to/www/
restorecon -R -v '.'

Hope this will help!

Regards,
Andre

Results in complete failure:

12 reports with 0-3 counts each of: (when loading /phpbb/index.html, just loading up installed phpbb)


Summary:

SELinux prevented httpd reading and writing access to http files.

Detailed Description:

SELinux prevented httpd reading and writing access to http files. Ordinarily
httpd is allowed full access to all files labeled with http file context. This
machine has a tightened security policy with the httpd_unified turned off, this
requires explicit labeling of all files. If a file is a cgi script it needs to
be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is
read-only content, it needs to be labeled httpd_TYPE_content_t, it is writable
content. it needs to be labeled httpd_TYPE_script_rw_t or
httpd_TYPE_script_ra_t. You can use the chcon command to change these contexts.
Please refer to the man page "man httpd_selinux" or FAQ
(http://fedora.redhat.com/docs/selinux-apache-fc3) "TYPE" refers to one of
"sys", "user" or "staff" or potentially other script types.

Allowing Access:

Changing the "httpd_unified" boolean to true will allow this access: "setsebool
-P httpd_unified=1"

Fix Command:

setsebool -P httpd_unified=1

Additional Information:

Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:httpd_sys_content_t:s0
Target Objects ./sql_021151d1a377d62dbfaa89a4d1acc716.php [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host fedora.pgatewaypc
Source RPM Packages httpd-2.2.10-2
Target RPM Packages
Policy RPM selinux-policy-3.5.13-38.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name httpd_unified
Host Name fedora.pgatewaypc
Platform Linux fedora.pgatewaypc 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16 14:47:52 EST 2008 x86_64 x86_64
Alert Count 0
First Seen Sat 24 Jan 2009 02:56:29 PM EST
Last Seen Sat 24 Jan 2009 02:56:29 PM EST
Local ID 138b1dd9-b561-4a2b-85be-108c6b1d0003
Line Numbers

Raw Audit Messages

node=fedora.pgatewaypc type=AVC msg=audit(1232826989.601:29): avc: denied { write } for pid=2723 comm="httpd" name="sql_021151d1a377d62dbfaa89a4d1acc716.php" dev=dm-0 ino=346316 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file

node=fedora.pgatewaypc type=SYSCALL msg=audit(1232826989.601:29): arch=c000003e syscall=2 success=no exit=-13 a0=7fc4fbc5d4c8 a1=241 a2=1b6 a3=702e363137636361 items=0 ppid=2681 pid=2723 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

PCessna
25th January 2009, 02:38 AM
Results in complete failure:

12 reports with 0-3 counts each of: (when loading /phpbb/index.html, just loading up installed phpbb)

Sorry to spam / bump, but can I please be told how to either remove SELinux policies COMPLETELY from a location (var/www/html) or just remove mysql, php, and apache from SELinux altogether? My server is almost never accessed by anyone, and I've been deciding just to disable SELinux, since I did fine with Ubuntu without it.

andrelag
25th January 2009, 06:36 AM
You could try audit2allow.
http://docs.fedoraproject.org/selinux-user-guide/f10/en-US/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html

From the audit2allow(1) manual page: "audit2allow - generate SELinux policy allow rules from logs of denied operations"

Regards,
Andre

Firewing1
25th January 2009, 08:13 AM
If you'd like, run the SELinux configuration tool from the Administration menu (or "system-config-selinux" from the CLI) and then set the current mode to permissive. This will keep SELinux monitoring your system, however it won't prevent programs from going along their regular courses. This way, you can build up a log of the "denied" messages and use audit2allow to tell SELinux to allow the actions that you've collected in the logs.
Firewing1

PCessna
26th January 2009, 02:18 AM
If you'd like, run the SELinux configuration tool from the Administration menu (or "system-config-selinux" from the CLI) and then set the current mode to permissive. This will keep SELinux monitoring your system, however it won't prevent programs from going along their regular courses. This way, you can build up a log of the "denied" messages and use audit2allow to tell SELinux to allow the actions that you've collected in the logs.
Firewing1

Thanks, but audit2allow makes no sense of how to use it. Help!

PCessna
26th January 2009, 02:53 AM
Problem Solved:

Run command:

audit2allow -w -a

then:

audit2allow -a
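As an added example, not posted by anyone in this thread, the following POSIX shell script parses the AVC record quoted in the report above and, for the exact case it shows (httpd_t denied write on an httpd_sys_content_t file), prints the narrower fix of relabeling only the directory that must be writable with the httpd_sys_script_rw_t type the report names, instead of setting httpd_unified or feeding every denial to audit2allow -a. The directory path, the helper names and the semanage/restorecon invocation are assumptions; the sample record is the one from the thread.

```shell
#!/bin/sh
# Added example (not from this thread): parse an SELinux AVC denial and
# derive the narrowest fix. Sample record copied from the report above.
AVC_LINE='node=fedora.pgatewaypc type=AVC msg=audit(1232826989.601:29): avc: denied { write } for pid=2723 comm="httpd" name="sql_021151d1a377d62dbfaa89a4d1acc716.php" dev=dm-0 ino=346316 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# avc_field KEY RECORD: value of one key=value pair (quoted or bare).
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms RECORD: the permissions listed between "denied {" and "}".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^}]*\) *}.*/\1/p' | sed 's/ *$//'
}

# ctx_type CONTEXT: type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary RECORD: "perms source_type target_type class" on one line.
avc_summary() {
    printf '%s %s %s %s\n' "$(avc_perms "$1")" \
        "$(ctx_type "$(avc_field scontext "$1")")" \
        "$(ctx_type "$(avc_field tcontext "$1")")" \
        "$(avc_field tclass "$1")"
}

# suggest_fix DIR RECORD: httpd_t writing to read-only web content means DIR
# (assumed path) should carry the writable type named in the report, set
# persistently via semanage fcontext + restorecon. Anything else is left for
# manual review instead of being auto-allowed.
suggest_fix() {
    dir=$1
    src=$(ctx_type "$(avc_field scontext "$2")")
    tgt=$(ctx_type "$(avc_field tcontext "$2")")
    case " $(avc_perms "$2") " in
        *" write "*|*" append "*|*" create "*) wants_write=1 ;;
        *) wants_write=0 ;;
    esac
    if [ "$wants_write" = 1 ] && [ "$src" = httpd_t ] && [ "$tgt" = httpd_sys_content_t ]; then
        printf 'semanage fcontext -a -t httpd_sys_script_rw_t "%s(/.*)?"\n' "$dir"
        printf 'restorecon -R -v "%s"\n' "$dir"
    else
        printf 'no canned fix; review the denial with: audit2allow -w -a\n'
    fi
}

avc_summary "$AVC_LINE"
suggest_fix /var/www/html/phpbb/cache "$AVC_LINE"
```

Only directories the application genuinely writes to (cache, uploads, config written by the installer) need the writable label; the rest of the tree stays httpd_sys_content_t, which is exactly the least-privilege split the report's Detailed Description describes.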