Selinux
即使設置了正確的安全上下文和布爾值,Apache 2.4 也無法讀取使用者內容
我在 /data/test_user 有一個使用者的主目錄。我正在使用索引來允許通過帶有 Apache 2.4 的 Web 瀏覽器瀏覽此目錄。但是,突然之間,我遇到了一個看不到任何內容的問題。請注意,我可以看到該目錄,並且可以輸入它,但是當我這樣做時,沒有顯示任何內容(即使文件系統中有)。具體來說,裡面有一個名為
testfile
該目錄具有以下標籤:
unconfined_u:object_r:user_home_dir_t:s0 test_user
/home/test_user/testfile
標籤和權限:-rw-r--r--. test_user remote-users unconfined_u:object_r:user_home_dir_t:s0 testfile
此外,我設置了以下布爾值:
httpd_can_network_relay (off , off) Allow httpd to can network relay httpd_can_connect_mythtv (off , off) Allow httpd to can connect mythtv httpd_can_network_connect_db (off , off) Allow httpd to can network connect db httpd_use_gpg (off , off) Allow httpd to use gpg httpd_dbus_sssd (off , off) Allow httpd to dbus sssd httpd_enable_cgi (on , on) Allow httpd to enable cgi httpd_verify_dns (off , off) Allow httpd to verify dns httpd_dontaudit_search_dirs (off , off) Allow httpd to dontaudit search dirs httpd_use_cifs (off , off) Allow httpd to use cifs httpd_manage_ipa (off , off) Allow httpd to manage ipa httpd_run_stickshift (off , off) Allow httpd to run stickshift httpd_enable_homedirs (off , off) Allow httpd to enable homedirs httpd_dbus_avahi (off , off) Allow httpd to dbus avahi httpd_unified (off , off) Allow httpd to unified httpd_mod_auth_pam (off , off) Allow httpd to mod auth pam httpd_can_network_connect (off , off) Allow httpd to can network connect httpd_execmem (off , off) Allow httpd to execmem httpd_use_fusefs (off , off) Allow httpd to use fusefs httpd_mod_auth_ntlm_winbind (off , off) Allow httpd to mod auth ntlm winbind httpd_use_sasl (off , off) Allow httpd to use sasl httpd_tty_comm (off , off) Allow httpd to tty comm httpd_sys_script_anon_write (off , off) Allow httpd to sys script anon write httpd_graceful_shutdown (on , on) Allow httpd to graceful shutdown httpd_can_connect_ftp (off , off) Allow httpd to can connect ftp httpd_run_ipa (off , off) Allow httpd to run ipa httpd_read_user_content (on , on) Allow httpd to read user content httpd_use_nfs (off , off) Allow httpd to use nfs httpd_can_connect_zabbix (off , off) Allow httpd to can connect zabbix httpd_tmp_exec (off , off) Allow httpd to tmp exec httpd_run_preupgrade (off , off) Allow httpd to run preupgrade httpd_can_sendmail (off , off) Allow httpd to can sendmail httpd_builtin_scripting (on , on) Allow httpd to builtin scripting httpd_can_connect_ldap (off , off) Allow httpd to can connect ldap httpd_can_check_spam (off , off) Allow httpd to can check spam httpd_can_network_memcache (off , off) Allow httpd to can network memcache httpd_can_network_connect_cobbler (off , off) Allow httpd to can network connect cobbler httpd_anon_write (off , off) Allow httpd to anon write httpd_serve_cobbler_files (off , off) Allow httpd to serve cobbler files httpd_ssi_exec (off , off) Allow httpd to ssi exec httpd_use_openstack (off , off) Allow httpd to use openstack httpd_enable_ftp_server (off , off) Allow httpd to enable ftp server httpd_setrlimit (off , off) Allow httpd to setrlimit
SELinux 警報:
SELinux is preventing /usr/sbin/httpd from getattr access on the file /data/test_user/testfile. ***** Plugin restorecon (99.5 confidence) suggests ************************ If you want to fix the label. /data/test_user/testfile default label should be default_t. Then you can run restorecon. Do # /sbin/restorecon -v /data/test_user/testfile ***** Plugin catchall (1.49 confidence) suggests ************************** If you believe that httpd should be allowed getattr access on the testfile file by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # ausearch -c 'httpd' --raw | audit2allow -M my-httpd # semodule -i my-httpd.pp Additional Information: Source Context system_u:system_r:httpd_t:s0 Target Context unconfined_u:object_r:user_home_dir_t:s0 Target Objects /data/test_user/testfile [ file ] Source httpd Source Path /usr/sbin/httpd Port <Unknown> Host <redacted> Source RPM Packages httpd-2.4.6-45.el7.x86_64 Target RPM Packages Policy RPM selinux-policy-3.13.1-102.el7_3.15.noarch Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name <redacted> Platform Linux 3.10.0-514.10.2.el7.x86_64 #1 SMP Mon Feb 20 02:37:52 EST 2017 x86_64 x86_64 Alert Count 16 First Seen 2017-03-16 22:36:36 UTC Last Seen 2017-03-22 19:10:23 UTC Local ID a6ae731b-71aa-446f-9be7-445e3656ef06 Raw Audit Messages type=AVC msg=audit(1490209823.491:352): avc: denied { getattr } for pid=2508 comm="httpd" path="/data/test_user/testfile" dev="dm-0" ino=2122369 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file type=SYSCALL msg=audit(1490209823.491:352): arch=x86_64 syscall=lstat success=no exit=EACCES a0=7ffe31303d60 a1=7ffe31303c70 a2=7ffe31303c70 a3=6d69762e726f6c items=0 ppid=2503 pid=2508 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null) Hash: httpd,httpd_t,user_home_dir_t,file,getattr
我還擁有 /data/ 中的所有內容,並具有以下預設上下文:
/data(/.*)? all files system_u:object_r:user_home_dir_t:s0
我在這裡想念什麼?這是以前的工作。
快速瀏覽一下,
sesearch --allow -s httpd_t -b httpd_read_user_content | grep user_home_dir_t
實際上 SELinux 工作正常:allow httpd_t user_home_dir_t : lnk_file { read getattr } ; allow httpd_t user_home_dir_t : dir { getattr search open } ; allow httpd_t user_home_dir_t : dir { ioctl read getattr lock search open } ; allow httpd_t user_home_dir_t : dir { getattr search open } ;
這裡的重要因素是我希望讀取目錄中的文件,而不僅僅是目錄。但是,如果我們將上下文更改為
user_home_t
它允許 apache 讀取目錄中的文件,如解釋sesearch --allow -s httpd_t -b httpd_read_user_content | grep user_home_t
allow httpd_t user_home_type : dir { getattr search open } ; allow httpd_t user_home_type : dir { ioctl read getattr lock search open } ; allow httpd_t user_home_type : dir { getattr search open } ; allow httpd_t user_home_type : file { ioctl read getattr lock open } ;
這裡感興趣的特定行是
file
在最後,表明 apache 可以讓 ioctl 讀取 getattr 鎖定並打開具有此上下文的文件。user_home_t
使用允許我毫無問題地查看索引列表中的文件來標記目錄。