
24th January 2009, 04:34 PM
Registered User
Join Date: Nov 2008
Posts: 26

SELinux prevents install php mysql software on Apache
It just denies it. It tells me to run a command, I run it, and it keeps denying. I had to kill and restart the program, and echo it off and on JUST to INSTALL phpBB. How can I completely prevent it from worrying about /var/www/http?

24th January 2009, 05:04 PM
Registered User
Join Date: Sep 2008
Posts: 5

You could try:
cd /path/to/www/
restorecon -R -v '.'
Hope this will help!
Regards,
Andre

25th January 2009, 12:59 AM
Registered User
Join Date: Nov 2008
Posts: 26

Quote:
Originally Posted by andrelag
You could try:
cd /path/to/www/
restorecon -R -v '.'
Hope this will help!
Regards,
Andre
|
Results in complete failure:
12 reports with 0-3 counts each of: (when loading /phpbb/index.html, just loading up installed phpbb)
Quote:
Summary:
SELinux prevented httpd reading and writing access to http files.
Detailed Description:
SELinux prevented httpd reading and writing access to http files. Ordinarily
httpd is allowed full access to all files labeled with http file context. This
machine has a tightened security policy with the httpd_unified turned off, this
requires explicit labeling of all files. If a file is a cgi script it needs to
be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is
read-only content, it needs to be labeled httpd_TYPE_content_t, it is writable
content. it needs to be labeled httpd_TYPE_script_rw_t or
httpd_TYPE_script_ra_t. You can use the chcon command to change these contexts.
Please refer to the man page "man httpd_selinux" or FAQ
(http://fedora.redhat.com/docs/selinux-apache-fc3) "TYPE" refers to one of
"sys", "user" or "staff" or potentially other script types.
Allowing Access:
Changing the "httpd_unified" boolean to true will allow this access: "setsebool
-P httpd_unified=1"
Fix Command:
setsebool -P httpd_unified=1
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:object_r:httpd_sys_content_t:s0
Target Objects ./sql_021151d1a377d62dbfaa89a4d1acc716.php [ file ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host fedora.pgatewaypc
Source RPM Packages httpd-2.2.10-2
Target RPM Packages
Policy RPM selinux-policy-3.5.13-38.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name httpd_unified
Host Name fedora.pgatewaypc
Platform Linux fedora.pgatewaypc 2.6.27.9-159.fc10.x86_64 #1 SMP Tue Dec 16 14:47:52 EST 2008 x86_64 x86_64
Alert Count 0
First Seen Sat 24 Jan 2009 02:56:29 PM EST
Last Seen Sat 24 Jan 2009 02:56:29 PM EST
Local ID 138b1dd9-b561-4a2b-85be-108c6b1d0003
Line Numbers
Raw Audit Messages
node=fedora.pgatewaypc type=AVC msg=audit(1232826989.601:29): avc: denied { write } for pid=2723 comm="httpd" name="sql_021151d1a377d62dbfaa89a4d1acc716.php" dev=dm-0 ino=346316 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
node=fedora.pgatewaypc type=SYSCALL msg=audit(1232826989.601:29): arch=c000003e syscall=2 success=no exit=-13 a0=7fc4fbc5d4c8 a1=241 a2=1b6 a3=702e363137636361 items=0 ppid=2681 pid=2723 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

25th January 2009, 01:38 AM
Registered User
Join Date: Nov 2008
Posts: 26

Quote:
Originally Posted by PCessna
Results in complete failure:
12 reports with 0-3 counts each of: (when loading /phpbb/index.html, just loading up installed phpbb)
|
Sorry to spam / bump, but can I please be told how to either remove SELinux policies COMPLETELY from a location (var/www/html) or just remove mysql, php, and apache from SELinux altogether. My server is almost never accessed by anyone, and I've been deciding just to disable SELinux, since I did fine with Ubuntu without it.

25th January 2009, 05:36 AM
Registered User
Join Date: Sep 2008
Posts: 5

You could try audit2allow.
http://docs.fedoraproject.org/selinu...dit2allow.html
Quote:
|
From the audit2allow(1) manual page: "audit2allow - generate SELinux policy allow rules from logs of denied operations"
|
Regards,
Andre

25th January 2009, 07:13 AM
Administrator
Join Date: Dec 2004
Location: Canada
Age: 22
Posts: 9,224

If you'd like, run the SELinux configuration tool from the Administration menu (or "system-config-selinux" from the CLI) and then set the current mode to permissive. This will keep SELinux monitoring your system, however it won't prevent programs from going along their regular courses. This way, you can build up a log of the "denied" messages and use audit2allow to tell SELinux to allow the actions that you've collected in the logs.
Firewing1

26th January 2009, 01:18 AM
Registered User
Join Date: Nov 2008
Posts: 26

Quote:
Originally Posted by Firewing1
If you'd like, run the SELinux configuration tool from the Administration menu (or "system-config-selinux" from the CLI) and then set the current mode to permissive. This will keep SELinux monitoring your system, however it won't prevent programs from going along their regular courses. This way, you can build up a log of the "denied" messages and use audit2allow to tell SELinux to allow the actions that you've collected in the logs.
Firewing1
|
Thanks, but audit2allow makes no sense of how to use, help!

26th January 2009, 01:53 AM
Registered User
Join Date: Nov 2008
Posts: 26

Problem Solved:
Run command:
audit2allow -w -a
then:
audit2allow -a
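
Added example (not part of the thread and not any poster's code): `audit2allow -a` prints the allow rules it derives from logged denials. The shell function below is a simplified re-implementation of that derivation, run on the raw AVC record quoted earlier in the thread, so the resulting rule can be read before anything is loaded. The function name `avc_to_allow` and the extra log lines are constructed for illustration.

```bash
#!/bin/bash
# Added example: derive allow rules from AVC denials (simplified audit2allow logic).

# Line 1 is the AVC record quoted in the thread; lines 2-4 are constructed.
SAMPLE_LOG='node=fedora.pgatewaypc type=AVC msg=audit(1232826989.601:29): avc: denied { write } for pid=2723 comm="httpd" name="sql_021151d1a377d62dbfaa89a4d1acc716.php" dev=dm-0 ino=346316 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1232826990.100:30): avc: denied { add_name write } for pid=2723 comm="httpd" name="cache" dev=dm-0 ino=346300 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1232826991.250:31): avc: denied { unlink } for pid=2723 comm="httpd" name="sql_old.php" dev=dm-0 ino=346317 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1232826991.250:31): syscall=2 success=no exit=-13 comm="httpd"'

# Reads audit records on stdin and prints one allow rule per
# (source type, target type, object class), with permissions merged.
# Stage 1 extracts one tuple per denied permission, stage 2 drops repeats
# and sorts, stage 3 groups the permissions into rules.
avc_to_allow() {
  awk '
    /avc: +denied/ {
      src = ""; tgt = ""; cls = ""; perms = ""; inb = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inb = 1; continue }   # permissions sit between braces
        if ($i == "}") { inb = 0; continue }
        if (inb) { perms = perms " " $i; continue }
        # the SELinux type is the third colon-separated field of a context
        if ($i ~ /^scontext=/) { split($i, a, ":"); src = a[3] }
        if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
        if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
      }
      n = split(perms, p, " ")
      if (src != "" && tgt != "" && cls != "")
        for (j = 1; j <= n; j++) print src, tgt, cls, p[j]
    }' |
  LC_ALL=C sort -u |
  awk '
    { key = $1 " " $2 ":" $3
      if (cnt[key]++) perms[key] = perms[key] " " $4
      else { order[++k] = key; perms[key] = $4 } }
    END {
      for (i = 1; i <= k; i++) {
        key = order[i]
        p = (cnt[key] > 1) ? ("{ " perms[key] " }") : perms[key]
        printf "allow %s %s;\n", key, p
      }
    }'
}

# Review the printed rules first; to build and load them as a module:
#   audit2allow -a -M <module_name> && semodule -i <module_name>.pp
printf '%s\n' "$SAMPLE_LOG" | avc_to_allow
```

The file rule this prints lets httpd write to every file labeled httpd_sys_content_t; the alert quoted in the thread describes the narrower alternative of relabeling only the writable files as httpd_TYPE_script_rw_t with chcon.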