Re: Help with httpd userdir recovery

On 12/28/2016 06:33 PM, Greg Cornell wrote:
On 12/28/16, 3:28 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces@xxxxxxxxxx on behalf of rgm@xxxxxxxxxxxxxxx> wrote:

On 12/28/2016 06:13 PM, Greg Cornell wrote:
On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces@xxxxxxxxxx on behalf of rgm@xxxxxxxxxxxxxxx> wrote:



On 12/28/2016 06:05 PM, J Martin Rushton wrote:
On 28/12/16 21:24, m.roth@xxxxxxxxx wrote:
Robert Moskowitz wrote:
On 12/28/2016 03:32 PM, J Martin Rushton wrote:
On 28/12/16 20:11, Robert Moskowitz wrote:
On 12/28/2016 01:53 PM, m.roth@xxxxxxxxx wrote:
Robert Moskowitz wrote:
On 12/28/2016 05:11 AM, Todor Petkov wrote:
On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
Which is why I wonder if there is some different config for the C7.3 version
of apache.

Or something with the C7-arm build...
Can you check for SELinux warnings/errors in
/var/log/audit/audit.log?
Good advice.  As I suspect the problem is with SELinux.

So I tried an access.  What follows is the access_log entry, the
error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/ HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141] (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44


I will say that after enabling selinux on this image per the
instructions of the team doing the Centos7-arm builds, I got the
following messages when I did things like 'setsebool -P
httpd_enable_homedirs on':

[ 2273.047017] SELinux:  Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions will be allowed


So something may well not be right with my SELinux.

Bang. I would suggest, at this point, that you might want to set selinux
into permissive mode, so you'll get the error messages from it, and can
work out fixes, but will let your system operate as you intend.
setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it
permanent, you'd need to edit /etc/selinux/config.
Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

And presto, it works.  So now to figure out what is wrong with SELinux on
this image.

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
Have you got the setroubleshoot-server package installed?  For x86_64 it
is part of the base repository, obviously arm may differ.  The package
installs a "SELinux Troubleshooter" entry in the Applications/Sundry
menu, or it can be launched via:
No GUI in the base image.  And on arm, we tend to use Xfce.

# /usr/bin/python -Es /usr/bin/sealert -s
no sealert bin file, so it is off to install it.

It generates suggestions to fix SELinux issues.  Sometimes it is quite
useful, on other occasions it just lists vast numbers of possibilities
with little or no help.  On balance it is worth trying for when it does
help.
I have never had it make useful suggestions to me on my notebook, but we
will see...

so here is what happens after I install it:

# /usr/bin/python -Es /usr/bin/sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
      File "/usr/bin/sealert", line 651, in <module>
        import gtk
ImportError: No module named gtk

If it needs a GUI, then that won't work here.  Headless system.

Nahh... you want to install setroubleshoot.

          mark


Sorry, missed the no GUI if it was mentioned earlier.
Never mentioned it.  I have not checked to see what GUI has been ported
to try and load something.  I *DO* use Xfce with Fedora-arm systems.
But I would have to hook this little server up to such.

You _might_ get away with ssh -Y from a workstation but you might end up wasting time.
No guarantees I'm afraid. :-) Martin
Yeah, ssh -Y can be such fun with a headless system.



Sorry, I’m a bit late to this thread so I don’t know if anyone has mentioned this already.  What does

$ getsebool httpd_enable_homedirs


# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on

This was mentioned earlier.  One thing I did not mention was when I ran
the set command, I also got back the following which I have gotten on
all SELinux changes:

# setsebool -P httpd_enable_homedirs on
[ 8192.799162] SELinux:  Class binder not defined in policy.
[ 8192.804646] SELinux: the above unknown classes and permissions will be allowed

Other than some SELinux guru pointing me to things to do, I will
probably have to wait until the C7-arm builders chime in on the
centos-arm list.



I’m not sure but I think those two warnings mean that your kernel and selinux policy are out of sync.

The first time was when I did the yum update after the basic image install, adding chronyd to keep time, and enabling SELinux. Then again when I changed ssh port and finally setting userdir.

To test if it was the yum update would take setting up another image. Not too hard, but I am scheduled to go away for the weekend.


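As an added example (not from the thread or from any CentOS tool), a small Python triage script over the three audit records Robert quoted for event 339: it splits the key=value fields, decodes the hex PROCTITLE argv, maps the SYSCALL exit code to its errno name, and reports the type pair and boolean that gate this access. The input lines are the thread's own records, re-joined onto one line each.

```python
import errno
import re

# Constructed input: the three audit records of event 339 quoted in the thread,
# re-joined onto one line each (the mail client had wrapped them).
AUDIT_LINES = [
    'type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for pid=2141 '
    'comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0',
    'type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322 per=800000 '
    'success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 '
    'auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 '
    'tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" '
    'subj=system_u:system_r:httpd_t:s0 key=(null)',
    'type=PROCTITLE msg=audit(1482944350.289:339): '
    'proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44',
]
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*(.*?)\s*\}')
EVENT_RE = re.compile(r'msg=audit\([\d.]+:(\d+)\)')

def parse_record(line):
    """Split one audit record into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec['event'] = EVENT_RE.search(line).group(1)
    m = AVC_RE.search(line)
    if m:
        rec['result'], rec['perms'] = m.group(1), m.group(2).split()
    if 'proctitle' in rec:  # PROCTITLE is hex-encoded argv, NUL separated
        rec['argv'] = [a.decode() for a in bytes.fromhex(rec['proctitle']).split(b'\0') if a]
    return rec

def summarize_event(lines):
    # Merge the AVC, SYSCALL and PROCTITLE records of one event into a triage view.
    recs = {r['type']: r for r in (parse_record(l) for l in lines)}
    avc, sc, pt = recs['AVC'], recs.get('SYSCALL', {}), recs.get('PROCTITLE', {})
    return {
        'event': avc['event'],
        'source_type': avc['scontext'].split(':')[2],   # httpd_t
        'target_type': avc['tcontext'].split(':')[2],   # httpd_user_content_t
        'tclass': avc['tclass'], 'perms': avc['perms'],
        'enforcing': avc.get('permissive') == '0',
        'errno': errno.errorcode.get(-int(sc.get('exit', '0'))),  # -13 -> EACCES
        'argv': pt.get('argv', []),
    }

def triage_hint(s):
    # Thread-specific reading: the target is already labelled as user content, so
    # relabeling is not the fix; this type pair is gated by a boolean.
    gated = s['source_type'] == 'httpd_t' and s['target_type'] == 'httpd_user_content_t'
    return 'check getsebool httpd_enable_homedirs' if gated else 'no page-specific hint'
```

Run against the thread's records it reports `httpd_t` reading a `dir` of type `httpd_user_content_t`, EACCES, enforcing mode, and argv `/usr/sbin/httpd -DFOREGROUND`; since the boolean was already on, the remaining suspect is the loaded policy itself, which matches the "Class binder not defined in policy" warnings.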