On 12/28/16, 3:28 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces@xxxxxxxxxx on behalf of rgm@xxxxxxxxxxxxxxx> wrote: On 12/28/2016 06:13 PM, Greg Cornell wrote: > On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces@xxxxxxxxxx on behalf of rgm@xxxxxxxxxxxxxxx> wrote: > > > > On 12/28/2016 06:05 PM, J Martin Rushton wrote: >> On 28/12/16 21:24, m.roth@xxxxxxxxx wrote: >>> Robert Moskowitz wrote: >>>> On 12/28/2016 03:32 PM, J Martin Rushton wrote: >>>>> On 28/12/16 20:11, Robert Moskowitz wrote: >>>>>> On 12/28/2016 01:53 PM, m.roth@xxxxxxxxx wrote: >>>>>>> Robert Moskowitz wrote: >>>>>>>> On 12/28/2016 05:11 AM, Todor Petkov wrote: >>>>>>>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz >>>>>>>>> <rgm@xxxxxxxxxxxxxxx> >>>>>>>>> wrote: >>>>>>>>>> Which is why I wonder if there is some different config for the >>>>>>>>>> C7.3 >>>>>>>>>> version >>>>>>>>>> of apache. >>>>>>>>>> >>>>>>>>>> Or something with the C7-arm build... >>>>>>>>> Can you check for SELinux warnings/errors in >>>>>>>>> /var/log/audit/audit.log? >>>>>>>> Good advice. As I suspect the problem is with SELinux. >>>>>>>> >>>>>>>> So I tried an access. What follows is the access_log entry, the >>>>>>>> error_log entry and the 3 entries in the audit.log: >>>>>>>> >>>>>>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/ >>>>>>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; >>>>>>>> rv:50.0) >>>>>>>> Gecko/20100101 Firefox/50.0" >>>>>>>> >>>>>>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141] >>>>>>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't >>>>>>>> open >>>>>>>> directory for index: /home/rgm/public_html/family/ >>>>>>>> >>>>>>>> type=AVC msg=audit(1482944350.289:339): avc: denied { read } for >>>>>>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 >>>>>>>> scontext=system_u:system_r:httpd_t:s0 >>>>>>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir >>>>>>>> permissive=0 >>>>>>>> >>>>>>>> type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322 >>>>>>>> per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0 >>>>>>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 >>>>>>>> suid=48 >>>>>>>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 >>>>>>>> comm="httpd" >>>>>>>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) >>>>>>>> >>>>>>>> type=PROCTITLE msg=audit(1482944350.289:339): >>>>>>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44 >>>>>>>> >>>>>>>> >>>>>>>> I will say that after enabling selinux on this image per the >>>>>>>> instructions of the team doing the Centos7-arm builds, I got the >>>>>>>> following messages when I did things like 'setsebool -P >>>>>>>> httpd_enable_homedirs on': >>>>>>>> >>>>>>>> [ 2273.047017] SELinux: Class binder not defined in policy. >>>>>>>> [ 2273.052531] SELinux: the above unknown classes and permissions >>>>>>>> will >>>>>>>> be allowed >>>>>>>> >>>>>>>> >>>>>>>> So something may well not be right with my SELinux. >>>>>>>> >>>>>>> Bang. I would suggest, at this point, that you might want to set >>>>>>> selinux >>>>>>> into permissive mode, so you'll get the error messages from it, and >>>>>>> can >>>>>>> work out fixes, but will let your system operate as you intend. >>>>>>> setselinux 0 >>>>>>> >>>>>>> Note that this is *temporary*, and will revert on reboot. To make it >>>>>>> permanent, you'd need to edit /etc/selinux/config. >>>>>> Thanks, Mark, I was just getting around to that way of thinking. >>>>>> >>>>>> The command, at least on my Centos7-arm system is >>>>>> >>>>>> setenforce 0 >>>>>> >>>>>> A presto it works. So now to figure out what is wrong with SElinux on >>>>>> this image. >>>>>> >>>>>> _______________________________________________ >>>>>> CentOS mailing list >>>>>> CentOS@xxxxxxxxxx >>>>>> https://lists.centos.org/mailman/listinfo/centos >>>>> Have you got the setroubleshoot-server package installed? For x86_64 it >>>>> is part of the base repository, obviously arm may differ. The package >>>>> installs a "SELinux Troubleshooter" entry in the Applications/Sundry >>>>> menu, or it can be launched via: >>>> No GUI in the base image. And on arm, we tend to use Xfce. >>>> >>>>> # /usr/bin/python -Es /usr/bin/sealert -s >>>> no sealert bin file, so it is off to install it. >>>> >>>>> It generates suggestions to fix SELinx issues. Sometimes it is quite >>>>> useful, on other occasions it just lists vast numbers of possibilities >>>>> with little or no help. On balance it is worth trying for when it does >>>>> help. >>>> I have never had it make useful suggestions to my on my notebook, but we >>>> will see... >>>> >>>> so here is what happens after I install it: >>>> >>>> # /usr/bin/python -Es /usr/bin/sealert -s >>>> Opps, sealert hit an error! >>>> >>>> Traceback (most recent call last): >>>> File "/usr/bin/sealert", line 651, in <module> >>>> import gtk >>>> ImportError: No module named gtk >>>> >>>> If it needs a GUI, then that won't work here. Headless system. >>>> >>> Nahh... you want to instal setroubleshoot. >>> >>> mark >>> >>> _______________________________________________ >>> CentOS mailing list >>> CentOS@xxxxxxxxxx >>> https://lists.centos.org/mailman/listinfo/centos >>> >> Sorry, missed the no GUI if it was mentioned earlier. > Never mentioned it. I have not checked to see what GUI has been ported > to try and load something. I *DO* use Xfce with Fedora-arm systems. > But I would have to hook this little server up to such. > >> You _might_ get away with ssh -Y from a workstation but you might end up wasting time. >> No guarantees I'm afraid. :-) Martin > Yeah, ssh -Y can be such fun with a headless system. > > > _______________________________________________ > CentOS mailing list > CentOS@xxxxxxxxxx > https://lists.centos.org/mailman/listinfo/centos > > Sorry, I’m a bit late to this thread so I don’t know if anyone has mentioned this already. What does > > $ getsebool httpd_enable_homedirs > > # getsebool httpd_enable_homedirs httpd_enable_homedirs --> on This was mentioned earlier. One thing I did not mention was when I ran the set command, I also got back the following which I have gotten on all selunix changes: # setsebool -P httpd_enable_homedirs on [ 8192.799162] SELinux: Class binder not defined in policy. [ 8192.804646] SELinux: the above unknown classes and permissions will be allowed Other than some SELinux guru pointing me to things to do, I will probably have to wait until the C7-arm builders chime in on the centos-arm list. _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos I’m not sure but I think those two warnings mean that your kernel and selinux policy are out of sync. _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx https://lists.centos.org/mailman/listinfo/centos