On my CentOS virtual machine, SELinux is in enforcing mode, and I ran into some issues running a PHP application.

Here is what I see in the “audit.log” file:

[root@itop ~]# grep AVC /var/log/audit/audit.log
type=AVC msg=audit(1473261464.310:412): avc:  denied  { write } for  pid=4452 comm="httpd" name="light-grey.css" dev="dm-0" ino=51533660 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1473261464.321:413): avc:  denied  { write } for  pid=4452 comm="httpd" name="backups" dev="dm-0" ino=702557 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1473262291.729:415): avc:  denied  { write } for  pid=4390 comm="httpd" name="light-grey.css" dev="dm-0" ino=51533660 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=USER_AVC msg=audit(1473262366.354:424): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1474888351.341:356): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=2)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1474987348.571:403): avc:  denied  { write } for  pid=29181 comm="httpd" name="light-grey.css" dev="dm-0" ino=51533660 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file

I can use the “audit2allow” audit tool to make it more readable:

[root@itop ~]# audit2allow -w -a
type=AVC msg=audit(1473261464.310:412): avc:  denied  { write } for  pid=4452 comm="httpd" name="light-grey.css" dev="dm-0" ino=51533660 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
        Was caused by:
        The boolean httpd_unified was set incorrectly.
        Description:
        Allow httpd to unified

        Allow access by executing:
        # setsebool -P httpd_unified 1
type=AVC msg=audit(1473261464.321:413): avc:  denied  { write } for  pid=4452 comm="httpd" name="backups" dev="dm-0" ino=702557 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
        Was caused by:
        The boolean httpd_unified was set incorrectly.
        Description:
        Allow httpd to unified

        Allow access by executing:
        # setsebool -P httpd_unified 1
type=AVC msg=audit(1473262291.729:415): avc:  denied  { write } for  pid=4390 comm="httpd" name="light-grey.css" dev="dm-0" ino=51533660 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
        Was caused by:
        The boolean httpd_unified was set incorrectly.
        Description:
        Allow httpd to unified

        Allow access by executing:
        # setsebool -P httpd_unified 1
type=AVC msg=audit(1474987348.571:403): avc:  denied  { write } for  pid=29181 comm="httpd" name="light-grey.css" dev="dm-0" ino=51533660 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
        Was caused by:
        The boolean httpd_unified was set incorrectly.
        Description:
        Allow httpd to unified

        Allow access by executing:
        # setsebool -P httpd_unified 1

I have two options to fix this issue.

The lazy option

As suggested, we can set this boolean:

[root@itop ~]# setsebool -P httpd_unified 1

This persists across a reboot:

[root@itop ~]# uptime
 11:28:20 up 0 min, 1 user, load average: 0.63, 0.19, 0.07
[root@itop ~]# semanage boolean -l | grep httpd_unified
httpd_unified (on , on) Allow httpd to unified

The proper option

Keep this boolean off:

[root@itop ~]# setsebool -P httpd_unified 0

The Apache root directory is currently read-only for httpd.

Record the appropriate read/write file context for this directory and the files and subdirectories it contains:

[root@itop ~]# semanage fcontext -a -t httpd_sys_rw_content_t "/var/www/html/iTop(/.*)?"

This operation stored the mapping in the “/etc/selinux/targeted/contexts/files/file_contexts.local” configuration file:

[root@itop ~]# cat /etc/selinux/targeted/contexts/files/file_contexts.local
# This file is auto-generated by libsemanage
# Do not edit directly.

/var/www/html/iTop(/.*)?    system_u:object_r:httpd_sys_rw_content_t:s0

We can now apply this file context recursively to the directory:

[root@itop ~]# restorecon -v -r /var/www/html/iTop
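
As an added example (not from the original post), here is a small Python triage script that parses AVC records in the format shown in the audit.log excerpt above, tallies denials by source type, target type, object class and permission, and flags write denials on httpd_sys_content_t as candidates for relabelling with httpd_sys_rw_content_t rather than for flipping httpd_unified. The embedded log lines are constructed from that excerpt, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample: same record format as the audit.log excerpt in the post.
SAMPLE_LOG = """\
type=AVC msg=audit(1473261464.310:412): avc:  denied  { write } for  pid=4452 comm="httpd" name="light-grey.css" dev="dm-0" ino=51533660 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1473261464.321:413): avc:  denied  { write } for  pid=4452 comm="httpd" name="backups" dev="dm-0" ino=702557 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=USER_AVC msg=audit(1473262366.354:424): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1474987348.571:403): avc:  denied  { write } for  pid=29181 comm="httpd" name="light-grey.css" dev="dm-0" ino=51533660 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# Only plain AVC denials; USER_AVC policyload notices are skipped.
AVC_RE = re.compile(
    r'^type=AVC .*avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+'
    r'(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for other record types."""
    m = AVC_RE.match(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    rec['perms'] = m.group('perms').split()
    # Keep only the type field of each context (user:role:TYPE:level).
    rec['stype'] = rec['scontext'].split(':')[2]
    rec['ttype'] = rec['tcontext'].split(':')[2]
    return rec


def summarize(log_text):
    """Count denials by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            for perm in rec['perms']:
                counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts


def suggest(key):
    """Triage hint: an httpd write denied on httpd_sys_content_t means the path
    should be relabelled httpd_sys_rw_content_t, not opened up via httpd_unified."""
    stype, ttype, tclass, perm = key
    if stype == 'httpd_t' and ttype == 'httpd_sys_content_t' and perm == 'write':
        return 'relabel path as httpd_sys_rw_content_t (semanage fcontext + restorecon)'
    return 'review with audit2allow -w'
```

Run `summarize(SAMPLE_LOG)` and pass each key to `suggest()` to see which denials are fixed by relabelling the application's writable paths and which still need a closer look.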
