Re: Help with httpd userdir recovery

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On 12/28/16, 3:28 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces@xxxxxxxxxx on behalf of rgm@xxxxxxxxxxxxxxx> wrote:

On 12/28/2016 06:13 PM, Greg Cornell wrote:
> On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces@xxxxxxxxxx on behalf of rgm@xxxxxxxxxxxxxxx> wrote:
>
>
>
> On 12/28/2016 06:05 PM, J Martin Rushton wrote:
>> On 28/12/16 21:24, m.roth@xxxxxxxxx wrote:
>>> Robert Moskowitz wrote:
>>>> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>>>>> On 28/12/16 20:11, Robert Moskowitz wrote:
>>>>>> On 12/28/2016 01:53 PM, m.roth@xxxxxxxxx wrote:
>>>>>>> Robert Moskowitz wrote:
>>>>>>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>>>>>>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
>>>>>>>>> <rgm@xxxxxxxxxxxxxxx>
>>>>>>>>> wrote:
>>>>>>>>>> Which is why I wonder if there is some different config for the
>>>>>>>>>> C7.3
>>>>>>>>>> version
>>>>>>>>>> of apache.
>>>>>>>>>>
>>>>>>>>>> Or something with the C7-arm build...
>>>>>>>>> Can you check for SELinux warnings/errors in
>>>>>>>>> /var/log/audit/audit.log?
>>>>>>>> Good advice.  As I suspect the problem is with SELinux.
>>>>>>>>
>>>>>>>> So I tried an access.  What follows is the access_log entry, the
>>>>>>>> error_log entry and the 3 entries in the audit.log:
>>>>>>>>
>>>>>>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>>>>>>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
>>>>>>>> rv:50.0)
>>>>>>>> Gecko/20100101 Firefox/50.0"
>>>>>>>>
>>>>>>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>>>>>>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
>>>>>>>> open
>>>>>>>> directory for index: /home/rgm/public_html/family/
>>>>>>>>
>>>>>>>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>>>>>>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>>>>>>>> permissive=0
>>>>>>>>
>>>>>>>> type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322
>>>>>>>> per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0
>>>>>>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
>>>>>>>> suid=48
>>>>>>>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>>>>>>> comm="httpd"
>>>>>>>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>>>
>>>>>>>> type=PROCTITLE msg=audit(1482944350.289:339):
>>>>>>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>>>>>>
>>>>>>>>
>>>>>>>> I will say that after enabling selinux on this image per the
>>>>>>>> instructions of the team doing the Centos7-arm builds, I got the
>>>>>>>> following messages when I did things like 'setsebool -P
>>>>>>>> httpd_enable_homedirs on':
>>>>>>>>
>>>>>>>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>>>>>>>> [ 2273.052531] SELinux: the above unknown classes and permissions
>>>>>>>> will
>>>>>>>> be allowed
>>>>>>>>
>>>>>>>>
>>>>>>>> So something may well not be right with my SELinux.
>>>>>>>>
>>>>>>> Bang. I would suggest, at this point, that you might want to set
>>>>>>> selinux
>>>>>>> into permissive mode, so you'll get the error messages from it, and
>>>>>>> can
>>>>>>> work out fixes, but will let your system operate as you intend.
>>>>>>> setselinux 0
>>>>>>>
>>>>>>> Note that this is *temporary*, and will revert on reboot. To make it
>>>>>>> permanent, you'd need to edit /etc/selinux/config.
>>>>>> Thanks, Mark, I was just getting around to that way of thinking.
>>>>>>
>>>>>> The command, at least on my Centos7-arm system is
>>>>>>
>>>>>> setenforce 0
>>>>>>
>>>>>> A presto it works.  So now to figure out what is wrong with SElinux on
>>>>>> this image.
>>>>>>
>>>>>> _______________________________________________
>>>>>> CentOS mailing list
>>>>>> CentOS@xxxxxxxxxx
>>>>>> https://lists.centos.org/mailman/listinfo/centos
>>>>> Have you got the setroubleshoot-server package installed?  For x86_64 it
>>>>> is part of the base repository, obviously arm may differ.  The package
>>>>> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
>>>>> menu, or it can be launched via:
>>>> No GUI in the base image.  And on arm, we tend to use Xfce.
>>>>
>>>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>>> no sealert bin file, so it is off to install it.
>>>>
>>>>> It generates suggestions to fix SELinx issues.  Sometimes it is quite
>>>>> useful, on other occasions it just lists vast numbers of possibilities
>>>>> with little or no help.  On balance it is worth trying for when it does
>>>>> help.
>>>> I have never had it make useful suggestions to my on my notebook, but we
>>>> will see...
>>>>
>>>> so here is what happens after I install it:
>>>>
>>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>>> Opps, sealert hit an error!
>>>>
>>>> Traceback (most recent call last):
>>>>      File "/usr/bin/sealert", line 651, in <module>
>>>>        import gtk
>>>> ImportError: No module named gtk
>>>>
>>>> If it needs a GUI, then that won't work here.  Headless system.
>>>>
>>> Nahh... you want to instal setroubleshoot.
>>>
>>>          mark
>>>
>>> _______________________________________________
>>> CentOS mailing list
>>> CentOS@xxxxxxxxxx
>>> https://lists.centos.org/mailman/listinfo/centos
>>>
>> Sorry, missed the no GUI if it was mentioned earlier.
> Never mentioned it.  I have not checked to see what GUI has been ported
> to try and load something.  I *DO* use Xfce with Fedora-arm systems.
> But I would have to hook this little server up to such.
>
>> You _might_ get away with ssh -Y from a workstation but you might end up wasting time.
>> No guarantees I'm afraid. :-) Martin
> Yeah, ssh -Y can be such fun with a headless system.
>
>
> _______________________________________________
> CentOS mailing list
> CentOS@xxxxxxxxxx
> https://lists.centos.org/mailman/listinfo/centos
>
> Sorry, I’m a bit late to this thread so I don’t know if anyone has mentioned this already.  What does
>
> $ getsebool httpd_enable_homedirs
>
>
# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on

This was mentioned earlier.  One thing I did not mention was when I ran 
the set command, I also got back the following which I have gotten on 
all selunix changes:

# setsebool -P httpd_enable_homedirs on
[ 8192.799162] SELinux:  Class binder not defined in policy.
[ 8192.804646] SELinux: the above unknown classes and permissions will 
be allowed

Other than some SELinux guru pointing me to things to do, I will 
probably have to wait until the C7-arm builders chime in on the 
centos-arm list.


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos

I’m not sure but I think those two warnings mean that your kernel and selinux policy are out of sync.


_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux