O SELinux está impedindo que o httpd crie acesso no arquivo

0

Sempre que eu faço o upload de um arquivo pelo meu navegador da Web para o meu servidor web, vejo as seguintes linhas em /var/log/messages

Nov  8 12:18:24 sn setroubleshoot: SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx. For complete SELinux messages run: sealert -l 335e7781-6a68-4ca6-827f-073f93829f2d
Nov  8 12:18:24 sn python: SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that httpd should be allowed create access on the temp_5be3f85348052_5be3f85347985.docx file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'httpd' --raw | audit2allow -M my-httpd#012# semodule -i my-httpd.pp#012

Enquanto o formato é feio, corro sealert -l 335e7781-6a68-4ca6-827f-073f93829f2d e vejo

SELinux is preventing httpd from create access on the file temp_5be3f85348052_5be3f85347985.docx.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that httpd should be allowed create access on the temp_5be3f85348052_5be3f85347985.docx file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp


Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:object_r:user_home_t:s0
Target Objects                temp_5be3f85348052_5be3f85347985.docx [ file ]
Source                        httpd
Source Path                   httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.4.6-80.el7.centos.1.x86_64
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-192.el7_5.6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     sn.somewhere.com
Platform                      Linux sn.somewhere.com 3.10.0-862.11.6.el7.x86_64 #1
                              SMP Tue Aug 14 21:49:04 UTC 2018 x86_64 x86_64
Alert Count                   2
First Seen                    2018-11-08 12:16:06 +0330
Last Seen                     2018-11-08 12:18:19 +0330
Local ID                      335e7781-6a68-4ca6-827f-073f93829f2d

Raw Audit Messages
type=AVC msg=audit(1541666899.294:27636): avc:  denied  { create } for  pid=25734 comm="httpd" name="temp_5be3f85348052_5be3f85347985.docx" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file


type=SYSCALL msg=audit(1541666899.294:27636): arch=x86_64 syscall=open success=no exit=EACCES a0=7ffc8a052400 a1=241 a2=1b6 a3=2823ea08d07abe97 items=0 ppid=13555 pid=25734 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)

Hash: httpd,httpd_t,user_home_t,file,create

Eu executo dois comandos e tudo parece normal:

# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i my-httpd.pp

# semodule -i my-httpd.pp
#

No entanto, mais uma vez e depois de fazer o upload do arquivo, vejo essas mensagens no log novamente e novamente.

Como consertar isso?

ATUALIZAÇÃO:

A lista de valores booleanos relacionados ao httpd é

# semanage boolean -l | grep httpd
httpd_can_network_relay        (off  ,  off)  Allow httpd to can network relay
httpd_can_connect_mythtv       (off  ,  off)  Allow httpd to can connect mythtv
httpd_can_network_connect_db   (off  ,  off)  Allow httpd to can network connect db
httpd_use_gpg                  (off  ,  off)  Allow httpd to use gpg
httpd_dbus_sssd                (off  ,  off)  Allow httpd to dbus sssd
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
httpd_verify_dns               (off  ,  off)  Allow httpd to verify dns
httpd_dontaudit_search_dirs    (off  ,  off)  Allow httpd to dontaudit search dirs
httpd_use_cifs                 (off  ,  off)  Allow httpd to use cifs
httpd_manage_ipa               (off  ,  off)  Allow httpd to manage ipa
httpd_run_stickshift           (off  ,  off)  Allow httpd to run stickshift
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
httpd_dbus_avahi               (off  ,  off)  Allow httpd to dbus avahi
httpd_unified                  (on   ,   on)  Allow httpd to unified
httpd_mod_auth_pam             (off  ,  off)  Allow httpd to mod auth pam
httpd_can_network_connect      (on   ,   on)  Allow httpd to can network connect
httpd_execmem                  (off  ,  off)  Allow httpd to execmem
httpd_use_fusefs               (off  ,  off)  Allow httpd to use fusefs
httpd_mod_auth_ntlm_winbind    (off  ,  off)  Allow httpd to mod auth ntlm winbind
httpd_use_sasl                 (off  ,  off)  Allow httpd to use sasl
httpd_tty_comm                 (off  ,  off)  Allow httpd to tty comm
httpd_sys_script_anon_write    (off  ,  off)  Allow httpd to sys script anon write
httpd_graceful_shutdown        (on   ,   on)  Allow httpd to graceful shutdown
httpd_can_connect_ftp          (on   ,   on)  Allow httpd to can connect ftp
httpd_run_ipa                  (off  ,  off)  Allow httpd to run ipa
httpd_read_user_content        (on   ,   on)  Allow httpd to read user content
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs
httpd_can_connect_zabbix       (off  ,  off)  Allow httpd to can connect zabbix
httpd_tmp_exec                 (off  ,  off)  Allow httpd to tmp exec
httpd_run_preupgrade           (off  ,  off)  Allow httpd to run preupgrade
httpd_can_sendmail             (on   ,   on)  Allow httpd to can sendmail
httpd_builtin_scripting        (on   ,   on)  Allow httpd to builtin scripting
httpd_can_connect_ldap         (off  ,  off)  Allow httpd to can connect ldap
httpd_can_check_spam           (off  ,  off)  Allow httpd to can check spam
httpd_can_network_memcache     (off  ,  off)  Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off  ,  off)  Allow httpd to can network connect cobbler
httpd_anon_write               (off  ,  off)  Allow httpd to anon write
httpd_serve_cobbler_files      (off  ,  off)  Allow httpd to serve cobbler files
httpd_ssi_exec                 (off  ,  off)  Allow httpd to ssi exec
httpd_use_openstack            (off  ,  off)  Allow httpd to use openstack
httpd_enable_ftp_server        (off  ,  off)  Allow httpd to enable ftp server
httpd_setrlimit                (off  ,  off)  Allow httpd to setrlimit

UPDATE2:

O conteúdo de my-httpd.te é

# cat /home/snadmin/my-httpd.te

module my-httpd 1.0;

require {
        type httpd_t;
        type user_home_t;
        class dir { add_name create write };
        class file { create write };
}

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t user_home_t:dir { add_name create write };
allow httpd_t user_home_t:file create;

#!!!! This avc is allowed in the current policy
allow httpd_t user_home_t:file write;
    
por mahmood 08.11.2018 / 09:53

2 respostas

2

Seu problema é que o daemon http tenta criar um arquivo no diretório rotulado com contexto de conteúdo do usuário ( user_home_t ). Você tem certeza de que o contexto do arquivo está correto? Se você moveu o diretório do diretório pessoal do usuário para um diretório httpd, será necessário aplicar manualmente o contexto correto ao arquivo movido usando restorecon .

Se quiser permitir que o httpd grave em um arquivo no diretório inicial do usuário, você deve usar um subdiretório e rotulá-lo com o rótulo apropriado, como httpd_user_rw_content_t (que requer httpd_builtin_scripting ) ou public_content_rw_t (que requer allow_httpd_anon_write booleano).

Quanto ao motivo pelo qual a política audit2allow gerada não é eficaz, você precisa verificar quais regras foram geradas por ela.

    
por 08.11.2018 / 10:04
0

Você tentou ativar httpd_enable_homedirs seboole?

 setsebool -P httpd_enable_homedirs on
    
por 08.11.2018 / 10:30