Configure SELinux access so that Apache can access mounted directories


Problem description

I have a mounted directory from home in /var/www/html/ict. User permissions are fine, but through the web browser I still get a 403 error.

SELinux, I suspect, does not allow files and directories coming from other locations. Can you help me add the relevant permission so that this can be fixed?

The error log from the audit file:

    type=AVC msg=audit(1395610534.041:179195): avc:  denied  { search } for  pid=18370 comm="httpd" name="upload" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
    type=SYSCALL msg=audit(1395610534.041:179195): arch=c000003e syscall=4 success=no exit=-13 a0=7ffb5f863bc8 a1=7fff80a374c0 a2=7fff80a374c0 a3=0 items=0 ppid=3075 pid=18370 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
    type=AVC msg=audit(1395610534.043:179196): avc:  denied  { getattr } for  pid=18370 comm="httpd" path="/var/www/html/ict/farengine" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
    type=SYSCALL msg=audit(1395610534.043:179196): arch=c000003e syscall=6 success=no exit=-13 a0=7ffb5f863cb0 a1=7fff80a374c0 a2=7fff80a374c0 a3=1 items=0 ppid=3075 pid=18370 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Solution

Rather than simply provide a link, but not completely rip off the content of that link, here's the rundown.

Install policycoreutils-python, which contains semanage, to allow policy to be set up that will allow Apache to read, or read/write, areas outside of the DocumentRoot.

yum install -y policycoreutils-python

The article also mentioned a troubleshooting package, but my machine could not locate it.

Create policy for read only areas that are a part of your application, outside of the DocumentRoot

semanage fcontext -a -t httpd_sys_content_t "/webapps(/.*)?"

Create policy for logging directories

semanage fcontext -a -t httpd_log_t "/webapps/logs(/.*)?"

Create policy for cache directories

semanage fcontext -a -t httpd_cache_t "/webapps/cache(/.*)?"

Create policy for read/write areas that are outside of the DocumentRoot

semanage fcontext -a -t httpd_sys_rw_content_t "/webapps/app1/public_html/uploads(/.*)?"

Apply the policy with the restorecon command

restorecon -Rv /webapps

Verify policy has been applied

ls -lZ /webapps

That's it in a nutshell. The original article (http://www.serverlab.ca/tutorials/linux/web-services/configuring-selinux-policies-for-apache-web-servers) is nicer to read, however.
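As an added example, not code from the original post or from the linked article: a small POSIX sh script that reads the AVC records quoted in the question, reports which SELinux type blocked httpd_t and on what object, and prints the semanage fcontext / restorecon pair the answer uses so the relabel can be reviewed before it is run as root. The two sample records are the ones from the question (embedded here as constructed input); the choice of /var/www/html/ict as the tree to relabel, and of read-only httpd_sys_content_t rather than the rw type, are assumptions taken from the question's description. The helper names (avc_summary, label_for, relabel_cmds) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original answer): summarise httpd AVC denials and
# print the persistent relabel commands the answer describes. Nothing is applied;
# the commands are printed for review.

# Constructed sample input: the two AVC records quoted in the question.
SAMPLE_AVC='type=AVC msg=audit(1395610534.041:179195): avc:  denied  { search } for  pid=18370 comm="httpd" name="upload" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir
type=AVC msg=audit(1395610534.043:179196): avc:  denied  { getattr } for  pid=18370 comm="httpd" path="/var/www/html/ict/farengine" dev=dm-0 ino=2506938 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=dir'

# The third colon-separated field of an SELinux context is the type (e.g. httpd_t).
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary LINE -> "perm source_type target_type class object"
# object is path="..." when the kernel logged a full path, otherwise name="...".
avc_summary() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([a-z_]*\) *}.*/\1/p')
    sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    obj=$(printf '%s\n' "$line" | sed -n 's/.*path="\([^"]*\)".*/\1/p')
    [ -n "$obj" ] || obj=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
    printf '%s %s %s %s %s\n' "$perm" "$(ctx_type "$sctx")" "$(ctx_type "$tctx")" "$tclass" "$obj"
}

# label_for TARGET_TYPE [ro|rw] -> the type the tree should carry so httpd_t can
# reach it. Files already carrying an httpd_* type are left as they are; anything
# else (here user_home_t, because the tree is mounted from a home directory)
# becomes the read-only or read/write content type used in the answer.
label_for() {
    target_type=$1
    mode=${2:-ro}
    case $target_type in
        httpd_*) printf '%s\n' "$target_type" ;;
        *) if [ "$mode" = rw ]; then printf 'httpd_sys_rw_content_t\n'
           else printf 'httpd_sys_content_t\n'; fi ;;
    esac
}

# relabel_cmds DIR TYPE -> the two commands from the answer. semanage records the
# rule persistently and restorecon applies it; chcon alone would be undone by the
# next restorecon or filesystem relabel.
relabel_cmds() {
    printf 'semanage fcontext -a -t %s "%s(/.*)?"\n' "$2" "$1"
    printf 'restorecon -Rv %s\n' "$1"
}

# Driver: summarise each denial, then print the fix for the mounted tree.
# WEB_DIR defaults to the path from the question (an assumption of this example).
WEB_DIR=${WEB_DIR:-/var/www/html/ict}
printf '%s\n' "$SAMPLE_AVC" | while IFS= read -r line; do
    avc_summary "$line"
done
first_tctx=$(printf '%s\n' "$SAMPLE_AVC" | head -n 1 | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
echo "Review, then run as root:"
relabel_cmds "$WEB_DIR" "$(label_for "$(ctx_type "$first_tctx")" ro)"
echo "Verify afterwards with: ls -lZ $WEB_DIR"
```

The summary lines make the cause visible at a glance: the source type is httpd_t and the target type is user_home_t, so it is the label on the mounted tree, not the Unix mode bits, that produces the 403. Because the tree in the question is mounted from a home directory on the same filesystem, the label lives on the inode and relabeling it under /var/www/html/ict changes what the files carry when viewed from the home directory as well; pass rw as the second argument to label_for only for directories Apache actually needs to write.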
