Telling SELinux to allow Apache to execute PHP files outside the document root

Time: 2013-03-13 20:29:50

Tags: php apache selinux

I have a directory holding shared PHP scripts (the name is arbitrary, but it is not under /var/, /usr/, or anything that SELinux has specific settings for):
/whatever/scripts/

These scripts can be executed by cron jobs, or by Apache or Tomcat so that their output can be included in web pages.

SELinux denies permission:

type=AVC msg=audit(1363205612.276:476923): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1363205612.276:476923): arch=c000003e syscall=59 success=no exit=-13 a0=2431d10 a1=2431d70 a2=24301e0 a3=50 items=0 ppid=23100 pid=6855 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1363205612.277:476924): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1363205612.277:476924): arch=c000003e syscall=21 success=no exit=-13 a0=2431d10 a1=1 a2=0 a3=50 items=0 ppid=23100 pid=6855 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

I know there is a command I can use to tell SELinux to allow this, but it escapes me.

Even making apache the owner and group of the directory and the scripts does not work, so this is not a typical permissions problem but something SELinux-specific.

The system is CentOS 6.3.

2 answers:

Answer 0 (score: 8)

I found the solution with these two commands:

semanage fcontext -a -t httpd_sys_script_exec_t '/whatever/scripts(/.*)?'

restorecon -R -v /whatever/scripts/

This allows Apache to execute the PHP scripts in that directory, and it persists across reboots and system-wide relabels.

Answer 1 (score: 0)

I used this with an executable program that needs to run from a PHP script and from Apache

sudo chcon -v -t httpd_sys_script_exec_t my-executable
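As an added example (not code from either answer), the script below reads an AVC denial like the one in the question, pulls out the source type, the denied permission and the target type/class so the cause is visible at a glance (httpd_t may not execute a file labelled etc_runtime_t), and then builds the persistent relabel commands from answer 0 for the directory in question. The sample log line is reconstructed from the question's first AVC record; /whatever/scripts is the question's own placeholder path. apply_fcontext only runs when semanage is installed and must run as root.

```shell
#!/bin/sh
# Constructed sample: the question's first AVC record in audit.log form.
SAMPLE_AVC='type=AVC msg=audit(1363205612.276:476923): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... in the record, surrounding quotes stripped.
# The key must be preceded by whitespace, so "scontext" does not match "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the permission that was denied (the word between the braces).
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied {[[:space:]]*\([a-z_]*\)[[:space:]]*}.*/\1/p'
}

# avc_type CONTEXT -> the SELinux type, i.e. the third colon-separated component.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# summarize_denial LINE -> "SOURCE_TYPE PERMISSION TARGET_TYPE:CLASS"
summarize_denial() {
    line=$1
    printf '%s %s %s:%s\n' \
        "$(avc_type "$(avc_field "$line" scontext)")" \
        "$(avc_perm "$line")" \
        "$(avc_type "$(avc_field "$line" tcontext)")" \
        "$(avc_field "$line" tclass)"
}

# fcontext_commands DIR -> the two commands from answer 0, one per line.
# A persistent fcontext rule plus restorecon; unlike chcon (answer 1), the
# label survives a later restorecon or a full relabel.
fcontext_commands() {
    dir=${1%/}   # drop a trailing slash so the regex anchors on the directory itself
    printf "semanage fcontext -a -t httpd_sys_script_exec_t '%s(/.*)?'\n" "$dir"
    printf 'restorecon -R -v %s\n' "$dir"
}

# apply_fcontext DIR: actually relabel (root + policycoreutils required).
apply_fcontext() {
    dir=${1%/}
    command -v semanage >/dev/null 2>&1 || { echo "semanage not found; skipping" >&2; return 1; }
    semanage fcontext -a -t httpd_sys_script_exec_t "$dir(/.*)?" && restorecon -R -v "$dir"
}

# Usage: show what the denial means and which commands fix it.
echo "denial: $(summarize_denial "$SAMPLE_AVC") (file $(avc_field "$SAMPLE_AVC" name))"
fcontext_commands /whatever/scripts/
```

After relabelling, `ls -Z /whatever/scripts` should show httpd_sys_script_exec_t on the scripts, and a fresh request from Apache should produce no new AVC records for that directory in /var/log/audit/audit.log.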