SELinux does not allow the ps command in PHP

0

I use this piece of code to check whether myservice is running, in PHP. %code%. $output is always empty. But after running exec("ps -A | grep -i myservicename | grep -v grep 2>&1", $output); it works fine. So SELinux is preventing httpd from running this command. Also, audit2why gives me the following message.

type=AVC msg=audit(1503739681.450:2905): avc:  denied  { search } for  pid=11273 comm="ps" name="11017" dev="proc" ino=97841 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

How can I tell SELinux to allow httpd to run my command?

UPDATE

The result of setenforce 0 is:

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t NetworkManager_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t NetworkManager_t:dir getattr;
allow httpd_sys_script_t abrt_watch_log_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t abrt_watch_log_t:dir getattr;
allow httpd_sys_script_t auditd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t auditd_t:dir getattr;
allow httpd_sys_script_t crond_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t crond_t:dir getattr;
allow httpd_sys_script_t firewalld_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t firewalld_t:dir getattr;
allow httpd_sys_script_t fsdaemon_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t fsdaemon_t:dir getattr;
allow httpd_sys_script_t getty_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t getty_t:dir getattr;
allow httpd_sys_script_t httpd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t httpd_t:dir getattr;
allow httpd_sys_script_t init_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t init_t:dir getattr;
allow httpd_sys_script_t initrc_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t initrc_t:dir getattr;
allow httpd_sys_script_t irqbalance_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t irqbalance_t:dir getattr;
allow httpd_sys_script_t kernel_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t kernel_t:dir getattr;
allow httpd_sys_script_t lsmd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t lsmd_t:dir getattr;
allow httpd_sys_script_t lvm_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t lvm_t:dir getattr;
allow httpd_sys_script_t mysqld_safe_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t mysqld_safe_t:dir getattr;
allow httpd_sys_script_t mysqld_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t mysqld_t:dir getattr;
allow httpd_sys_script_t policykit_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t policykit_t:dir getattr;
allow httpd_sys_script_t postfix_master_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t postfix_master_t:dir getattr;
allow httpd_sys_script_t postfix_pickup_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t postfix_pickup_t:dir getattr;
allow httpd_sys_script_t postfix_qmgr_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t postfix_qmgr_t:dir getattr;
allow httpd_sys_script_t sshd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t sshd_t:dir getattr;
allow httpd_sys_script_t syslogd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t syslogd_t:dir getattr;
allow httpd_sys_script_t system_dbusd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t system_dbusd_t:dir getattr;
allow httpd_sys_script_t systemd_logind_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t systemd_logind_t:dir getattr;
allow httpd_sys_script_t tuned_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t tuned_t:dir getattr;
allow httpd_sys_script_t udev_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t udev_t:dir getattr;
allow httpd_sys_script_t unconfined_service_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t unconfined_service_t:dir getattr;
allow httpd_sys_script_t unconfined_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t unconfined_t:dir getattr;

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t etc_runtime_t:sock_file write;

#!!!! This avc is allowed in the current policy
allow httpd_t mysqld_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow httpd_t self:rawip_socket create;

#============= mysqld_safe_t ==============

#!!!! This avc is allowed in the current policy
allow mysqld_safe_t var_lib_t:lnk_file read;

#============= mysqld_t ==============

#!!!! This avc is allowed in the current policy
allow mysqld_t etc_runtime_t:dir { add_name remove_name write };

#!!!! This avc is allowed in the current policy
allow mysqld_t etc_runtime_t:file { create rename unlink write };

#!!!! This avc is allowed in the current policy
allow mysqld_t etc_runtime_t:sock_file { create unlink };

#!!!! This avc is allowed in the current policy
allow mysqld_t var_lib_t:lnk_file { getattr read };

SOLUTION

This command solved my problem.

audit2allow -a

OR

semanage permissive -a httpd_sys_script_t

Now httpd can run any command.

by Beginner 26.08.2017 / 12:52

1 answer

0

Run the audit2allow -a command to view the Type Enforcement rule that allows the denied access:

audit2allow -a

#============= certwatch_t ==============
allow certwatch_t var_t:dir write;

To use the rule displayed by audit2allow -a, run the audit2allow -a -M mycertwatch command as the Linux root user to create the custom module. The -M option creates a Type Enforcement (.te) file with the name given to -M, in your current working directory:

audit2allow -a -M mycertwatch

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i mycertwatch.pp

~]# ls
mycertwatch.pp  mycertwatch.te

In addition, audit2allow compiles the Type Enforcement rule into a policy package (.pp). To install the module, run the semodule -i mycertwatch.pp command as the Linux root user.

by 26.08.2017 / 14:01
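An added example, not code from the question or the answer above: a small POSIX shell script that turns the single AVC denial quoted in the question into a minimal Type Enforcement module containing only that one allow rule, the same kind of .te file the answer produces with audit2allow -M, but scoped to the denied access rather than making the whole httpd_sys_script_t domain permissive. The module name httpd_ps_proc and the build commands in the trailing comment are assumptions; the script also handles denials that list several permissions in one line.

```shell
#!/bin/sh
# Added example (not code from the question or the answer): build a minimal
# Type Enforcement (.te) module from a single AVC denial line, so that only
# the denied access is allowed instead of the whole domain being permissive.
# The module name "httpd_ps_proc" is a placeholder chosen for this example.

# Constructed sample: the denial quoted in the question above.
SAMPLE_AVC='type=AVC msg=audit(1503739681.450:2905): avc:  denied  { search } for  pid=11273 comm="ps" name="11017" dev="proc" ino=97841 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir'

# avc_field LINE KEY: print the value of KEY=value in an AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# ctx_type CONTEXT: the type is the third field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_perms LINE: the permission set inside "denied { ... }", one or more.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{ *\([^}]*\)}.*/\1/p' \
        | sed 's/[[:space:]]*$//'
}

# avc_to_te MODULE LINE: emit a .te module with exactly one allow rule.
avc_to_te() {
    mod=$1; line=$2
    src=$(ctx_type "$(avc_field "$line" scontext)")
    tgt=$(ctx_type "$(avc_field "$line" tcontext)")
    cls=$(avc_field "$line" tclass)
    perms=$(avc_perms "$line")
    printf 'module %s 1.0;\n\nrequire {\n    type %s;\n    type %s;\n    class %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
        "$mod" "$src" "$tgt" "$cls" "$perms" "$src" "$tgt" "$cls" "$perms"
}

# Print the module for the sample denial. To build and load it on the host
# (assumed steps; needs the checkpolicy/policycoreutils tools, run as root):
#   avc_to_te httpd_ps_proc "$SAMPLE_AVC" > httpd_ps_proc.te
#   checkmodule -M -m -o httpd_ps_proc.mod httpd_ps_proc.te
#   semodule_package -o httpd_ps_proc.pp -m httpd_ps_proc.mod
#   semodule -i httpd_ps_proc.pp
avc_to_te httpd_ps_proc "$SAMPLE_AVC"
```

The resulting rule, allow httpd_sys_script_t kernel_t:dir { search };, matches the first line audit2allow would print for this denial, and nothing else in the domain changes.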