Tell SELinux to Give Apache Execute Access to PHP Files Outside Document Root


Problem description


I have a directory where shared PHP scripts are kept (the name is arbitrary, but it isn't /var/, /usr/, or anything that SELinux would have specific settings for):
/whatever/scripts/

These scripts can get executed by cronjobs, or may get executed by Apache or Tomcat so the output can be included in a web page.

SELinux is denying permission:

type=AVC msg=audit(1363205612.276:476923): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1363205612.276:476923): arch=c000003e syscall=59 success=no exit=-13 a0=2431d10 a1=2431d70 a2=24301e0 a3=50 items=0 ppid=23100 pid=6855 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1363205612.277:476924): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1363205612.277:476924): arch=c000003e syscall=21 success=no exit=-13 a0=2431d10 a1=1 a2=0 a3=50 items=0 ppid=23100 pid=6855 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

I know there is a command I can use to tell SELinux to allow this, but it's eluding me.

Even making the directory and script owner and group apache doesn't work, so it isn't a classic permissions problem, but SELinux specific.

The system is CentOS 6.3.

Solution

I found the solution with these two commands:

semanage fcontext -a -t httpd_sys_script_exec_t '/whatever/scripts(/.*)?'
 
restorecon -R -v /whatever/scripts/

That allows Apache to execute PHP scripts in that directory, and persists after a reboot, or system-wide relabeling.
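As an added illustration (not part of the original question or answer), the shell script below shows how to read the AVC denial above and how the fix in the answer is derived from it. It parses the denial line quoted from the question (embedded so it runs offline), pulls out the source domain (`httpd_t`), the target file type (`etc_runtime_t`), the object class and the denied permission, decides whether the target type is one Apache may execute, and prints the two persistent relabel commands from the answer for a given directory. The `needs_relabel` heuristic and the `httpd_*_script_exec_t` pattern are this example's own assumptions; the script only prints the commands and changes nothing on the system.

```shell
#!/bin/sh
# Triage helper for an SELinux "denied { execute }" AVC line from httpd.
# Parses the denial, checks whether the target type is already a type
# httpd may execute, and otherwise prints the persistent fix.

# Denial line quoted from the question above, embedded so the script runs offline.
SAMPLE_AVC='type=AVC msg=audit(1363205612.276:476923): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file'

# Extract the SELinux type (third field) from a user:role:type:level context.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Parse one AVC line into "source_type target_type class permission".
# Prints nothing and returns 1 if the line is not an AVC denial.
parse_avc() {
    line=$1
    case $line in
        *'avc: '*denied*) ;;
        *) return 1 ;;
    esac
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^ }]*\).*/\1/p')
    sctx=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    printf '%s %s %s %s\n' "$(ctx_type "$sctx")" "$(ctx_type "$tctx")" "$tclass" "$perm"
}

# Heuristic (this example's assumption): the denial is the "mislabelled
# script" case when httpd_t is denied execute on a file whose type does not
# match the httpd script-exec types (httpd_sys_script_exec_t and friends).
needs_relabel() {
    set -- $1   # source_type target_type class permission
    [ "$1" = httpd_t ] && [ "$3" = file ] && [ "$4" = execute ] || return 1
    case $2 in
        httpd_*_script_exec_t) return 1 ;;   # already a type httpd may execute
        *) return 0 ;;
    esac
}

# Print the persistent fix from the answer for a directory: record the file
# context rule with semanage, then apply it with restorecon. Nothing is run.
relabel_commands() {
    dir=${1%/}
    printf "semanage fcontext -a -t httpd_sys_script_exec_t '%s(/.*)?'\n" "$dir"
    printf 'restorecon -R -v %s/\n' "$dir"
}

# Demonstration on the embedded sample line.
parsed=$(parse_avc "$SAMPLE_AVC")
echo "parsed: $parsed"
if needs_relabel "$parsed"; then
    echo "target type is not an httpd script type; persistent fix for /whatever/scripts:"
    relabel_commands /whatever/scripts
fi
```

Run the printed commands as root. Afterwards `ls -Z /whatever/scripts/` should show the files as `httpd_sys_script_exec_t`, and `semanage fcontext -l | grep /whatever/scripts` confirms the rule is recorded so a future system-wide relabel keeps it. Labelling only this directory keeps the change narrow; it does not grant `httpd_t` anything outside that path.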
