Apache-Httpd
httpd cannot write to a folder/file because of SELinux
Does anyone know which sebool allows httpd write access to /home/user/html? When I disable SELinux with

echo 0 > /selinux/enforce

I can write, so my problem is definitely related to SELinux. I just don't know which one is the right one without opening a big hole, and Google hasn't been much help.

#[/home]ls -Z
drwxr-x---. user apache unconfined_u:object_r:user_home_dir_t:s0 user
#sestatus -b
Policy booleans: abrt_anon_write off abrt_handle_event off allow_console_login on allow_cvs_read_shadow off allow_daemons_dump_core on allow_daemons_use_tcp_wrapper off allow_daemons_use_tty on allow_domain_fd_use on allow_execheap off allow_execmem on allow_execmod on allow_execstack on allow_ftpd_anon_write off allow_ftpd_full_access off allow_ftpd_use_cifs off allow_ftpd_use_nfs off allow_gssd_read_tmp on allow_guest_exec_content off allow_httpd_anon_write off allow_httpd_mod_auth_ntlm_winbind off allow_httpd_mod_auth_pam off allow_httpd_sys_script_anon_write off allow_java_execstack off allow_kerberos on allow_mount_anyfile on allow_mplayer_execstack off allow_nsplugin_execmem on allow_polyinstantiation off allow_postfix_local_write_mail_spool on allow_ptrace off allow_rsync_anon_write off allow_saslauthd_read_shadow off allow_smbd_anon_write off allow_ssh_keysign off allow_staff_exec_content on allow_sysadm_exec_content on allow_unconfined_nsplugin_transition off allow_user_exec_content on allow_user_mysql_connect off allow_user_postgresql_connect off allow_write_xshm off allow_xguest_exec_content off allow_xserver_execmem off allow_ypbind off allow_zebra_write_config on authlogin_radius off cdrecord_read_content off clamd_use_jit off cobbler_anon_write off cobbler_can_network_connect off cobbler_use_cifs off cobbler_use_nfs off condor_domain_can_network_connect off cron_can_relabel off dhcpc_exec_iptables off domain_kernel_load_modules off exim_can_connect_db off exim_manage_user_files off exim_read_user_files off fcron_crond off fenced_can_network_connect off fenced_can_ssh off ftp_home_dir on ftpd_connect_db off ftpd_use_passive_mode off git_cgit_read_gitosis_content off git_session_bind_all_unreserved_ports off git_system_enable_homedirs off git_system_use_cifs off git_system_use_nfs off 
global_ssp off gpg_agent_env_file off gpg_web_anon_write off httpd_builtin_scripting on httpd_can_check_spam off httpd_can_network_connect off httpd_can_network_connect_cobbler off httpd_can_network_connect_db on httpd_can_network_memcache off httpd_can_network_relay off httpd_can_sendmail on httpd_dbus_avahi on httpd_enable_cgi on httpd_enable_ftp_server off httpd_enable_homedirs on httpd_execmem off httpd_manage_ipa off httpd_read_user_content off httpd_setrlimit off httpd_ssi_exec off httpd_tmp_exec off httpd_tty_comm on httpd_unified on httpd_use_cifs off httpd_use_gpg off httpd_use_nfs off httpd_use_openstack off icecast_connect_any off init_upstart on irssi_use_full_network off logging_syslogd_can_sendmail off mmap_low_allowed off mozilla_read_content off mysql_connect_any off named_write_master_zones off ncftool_read_user_content off nscd_use_shm on nsplugin_can_network on openvpn_enable_homedirs on piranha_lvs_can_network_connect off pppd_can_insmod off pppd_for_user off privoxy_connect_any on puppet_manage_all_files off puppetmaster_use_db off qemu_full_network on qemu_use_cifs on qemu_use_comm off qemu_use_nfs on qemu_use_usb on racoon_read_shadow off rgmanager_can_network_connect off rsync_client off rsync_export_all_ro off rsync_use_cifs off rsync_use_nfs off samba_create_home_dirs off samba_domain_controller off samba_enable_home_dirs off samba_export_all_ro off samba_export_all_rw off samba_run_unconfined off samba_share_fusefs off samba_share_nfs off sanlock_use_nfs off sanlock_use_samba off secure_mode off secure_mode_insmod off secure_mode_policyload off sepgsql_enable_users_ddl on sepgsql_unconfined_dbadm on sge_domain_can_network_connect off sge_use_nfs off smartmon_3ware off spamassassin_can_network off spamd_enable_home_dirs on squid_connect_any on squid_use_tproxy off ssh_chroot_rw_homedirs off ssh_sysadm_login off telepathy_tcp_connect_generic_network_ports off tftp_anon_write off tor_bind_all_unreserved_ports off unconfined_login on 
unconfined_mmap_zero_ignore off unconfined_mozilla_plugin_transition off use_fusefs_home_dirs off use_lpd_server off use_nfs_home_dirs on use_samba_home_dirs off user_direct_dri on user_direct_mouse off user_ping on user_rw_noexattrfile on user_setrlimit on user_tcp_server off user_ttyfile_stat off varnishd_connect_any off vbetool_mmap_zero_ignore off virt_use_comm off virt_use_fusefs off virt_use_nfs off virt_use_samba off virt_use_sanlock off virt_use_sysfs on virt_use_usb on virt_use_xserver off webadm_manage_user_files off webadm_read_user_files off wine_mmap_zero_ignore off xdm_exec_bootloader off xdm_sysadm_login off xen_use_nfs off xguest_connect_network on xguest_mount_media on xguest_use_bluetooth on xserver_object_manager off
None of them, at least not on their own. You have to give the directory tree the context httpd_sys_rw_content_t, or give it the context public_content_rw_t and enable allow_httpd_anon_write and/or allow_httpd_sys_script_anon_write, like so:

chcon -R -t httpd_sys_rw_content_t /path

See the httpd_selinux(8) man page for details.
While it is best to label the files and folders with httpd_sys_rw_content_t where needed, for completeness I thought I'd mention that you can also set the seboolean httpd_unified to 1 to make SELinux ignore this particular context requirement, which is still far better than disabling SELinux, as many people on the internet will suggest. From the man page:

httpd can be configured to not differentiate file controls based on context, i.e. all files labeled as httpd context can be read/written/executed. Setting this boolean to false allows you to set up the security policy such that one httpd service cannot interfere with another.

setsebool -P httpd_unified 0
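As an added example (not from the question or either answer), here is a small POSIX sh audit that reads captured ls -Z and sestatus -b output like the asker's and reports two things: whether the directory's type is one httpd may write, and which httpd booleans that widen access beyond a single labeled directory are switched on. The sample lines are constructed from the question; the function names are mine.

```shell
#!/bin/sh
# Added example: classify a directory's SELinux type and flag wide httpd booleans.
# Constructed sample input, copied from the asker's listing and a slice of sestatus -b.
SAMPLE_LSZ='drwxr-x---. user apache unconfined_u:object_r:user_home_dir_t:s0 user'
SAMPLE_BOOLS='Policy booleans:
allow_httpd_anon_write off
allow_httpd_sys_script_anon_write off
httpd_enable_homedirs on
httpd_unified on
httpd_can_network_connect off
httpd_read_user_content off'

# Extract the SELinux type (third field of the context, which is field 4 of ls -Z).
lsz_type() {
  printf '%s\n' "$1" | awk '{ split($4, c, ":"); print c[3] }'
}

# rw   = httpd may write it directly (the label the first answer recommends)
# anon = writable only if allow_httpd_anon_write is also on
# none = not an httpd-writable type; a missing label, not a boolean, is the problem
httpd_write_class() {
  case "$1" in
    httpd_sys_rw_content_t) echo rw ;;
    public_content_rw_t)    echo anon ;;
    *)                      echo none ;;
  esac
}

# Booleans whose "on" state loosens httpd for every httpd-labeled file at once,
# rather than for one directory; these deserve a second look in an audit.
WIDE_BOOLS='allow_httpd_anon_write allow_httpd_sys_script_anon_write httpd_unified'

# Print each wide boolean that is "on" in a sestatus -b dump, one per line.
wide_httpd_bools_on() {
  printf '%s\n' "$1" | awk -v list="$WIDE_BOOLS" '
    BEGIN { n = split(list, w, " "); for (i = 1; i <= n; i++) watch[w[i]] = 1 }
    ($1 in watch) && $2 == "on" { print $1 }'
}

# Note: chcon changes the label in place; a relabel (restorecon) reverts it.
# semanage fcontext -a -t httpd_sys_rw_content_t '/home/user/html(/.*)?' followed
# by restorecon -R /home/user/html makes the label persistent (not run here).
t=$(lsz_type "$SAMPLE_LSZ")
echo "/home/user is $t -> httpd write: $(httpd_write_class "$t")"
wide_httpd_bools_on "$SAMPLE_BOOLS" | sed 's/^/wide boolean on: /'
```

Feed it real output with `ls -Z /home/user/html` and `sestatus -b` in place of the constructed strings; the type on the asker's directory is user_home_dir_t, which no boolean alone turns into an httpd-writable type.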