I have a web application written in Perl, running on Apache and Fedora 18. When an event is created, I want to schedule a Linux at command to run when the event ends. The at command will run a script that performs some event tasks.
I run this in the create-event script:
$ENV{"PATH"} = "/usr/bin";
my $output = `echo "/var/local/project/event_end.pl -event_id 67" | at 2:41 pm`;
When this script runs, I get this in /var/log/httpd/error_log:
[Thu May 23 15:00:04.621903 2013] [cgi:error] [pid 13918] [client xxxxx:52537] AH01215: cannot set euid: Operation not permitted, referer: http://xxxxx/cgi-bin/events/current/create.pl?id=4
and this in /var/log/messages:
May 23 15:00:04 xxxxx setroubleshoot: SELinux is preventing /usr/bin/at from using the setgid capability. For complete SELinux messages. run sealert -l cf16775c-a113-4477-957c-0bd8c0da447b
Running sealert -l cf16775c-a113-4477-957c-0bd8c0da447b gives this output:
SELinux is preventing /usr/bin/at from using the setgid capability.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that at should have the setgid capability by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep at /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:httpd_sys_script_t:s0
Target Context system_u:system_r:httpd_sys_script_t:s0
Target Objects [ capability ]
Source at
Source Path /usr/bin/at
Port <Unknown>
Host xxxxxx
Source RPM Packages at-3.1.13-10.fc18.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.11.1-95.fc18.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name xxxxxxx
Platform Linux xxxxxxxx
3.9.2-200.fc18.x86_64 #1 SMP Mon May 13 13:59:47
UTC 2013 x86_64 x86_64
Alert Count 15
First Seen 2013-05-23 10:52:40 CDT
Last Seen 2013-05-23 15:00:04 CDT
Local ID xxxxxx
Raw Audit Messages
type=AVC msg=audit(1369339204.620:293): avc: denied { setgid } for pid=23073 comm="at" capability=6 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability
type=SYSCALL msg=audit(1369339204.620:293): arch=x86_64 syscall=setregid success=no exit=EPERM a0=0 a1=0 a2=30 a3=0 items=0 ppid=1 pid=23073 auid=4294967295 uid=0 gid=48 euid=0 suid=0 fsuid=0 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=at exe=/usr/bin/at subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
Hash: at,httpd_sys_script_t,httpd_sys_script_t,capability,setgid
audit2allow
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:capability setgid;
audit2allow -R
require {
type httpd_sys_script_t;
class capability setgid;
}
#============= httpd_sys_script_t ==============
allow httpd_sys_script_t self:capability setgid;
I don't want to change my SELinux policy unless absolutely necessary. Does anyone have any ideas on how to allow Apache to execute the at command from a Perl script?
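The sealert output above shows audit2allow turning the raw AVC record into an allow rule. The following is an added example, not part of the question or of audit2allow itself: a small parser that reads AVC lines from an audit log (the record quoted above is embedded as constructed sample input) and derives the same rule, so you can see exactly which domain would be widened before deciding whether to load such a module.

```python
import re

# Constructed sample input: the AVC record quoted in the question above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1369339204.620:293): avc: denied { setgid } for pid=23073 '
    'comm="at" capability=6 scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=capability'
)

# Fields of an AVC denial: permissions in braces, source/target contexts, object class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+).*?tcontext=(?P<tcontext>\S+).*?tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context string."""
    return context.split(':')[2]

def parse_avc(line):
    """Return the parsed denial as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        'perms': sorted(m.group('perms').split()),
        'source': selinux_type(m.group('scontext')),
        'target': selinux_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }

def allow_rule(denial):
    """Render the denial as the allow rule audit2allow would emit for it."""
    # A denial against the same type is written as 'self', as in the sealert output.
    target = 'self' if denial['source'] == denial['target'] else denial['target']
    perms = denial['perms']
    perm_text = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (denial['source'], target, denial['tclass'], perm_text)

def rules_from_log(lines):
    """Derive the distinct allow rules for every AVC denial in an audit log excerpt.

    Each rule names the domain it widens; here it is httpd_sys_script_t, i.e. every
    CGI script Apache runs, not only the at invocation that triggered the denial.
    """
    rules = []
    for line in lines:
        denial = parse_avc(line)
        if denial is None:
            continue  # SYSCALL and other record types carry no permission to grant
        rule = allow_rule(denial)
        if rule not in rules:
            rules.append(rule)
    return rules
```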