系统更新后无法从PHP打印(使用exec通过php)

时间:2016-11-03 19:21:21

标签: php selinux cups

我已使用PHP exec命令发出lpr -P printer_name /var/www/html/somefile.pdf但在RHEL系统更新(7.2到7.3)之后,selinux已决定开始阻止这些请求。

要发送到打印文件的selinux权限:

ls -lZ /var/www/html/somefile.pdf
-rw-r-----. apache webdev system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/somefile.pdf

审计日志中出现以下内容,与PHP上面的exec命令对应:

  

time-> Thu Nov 3 15:07:02 2016

     

type = PATH msg = audit(1478200022.446:5151):item = 0   名称="在/ etc /杯/ lp选项" inode = 134317708 dev = fd:03 mode = 0100644   ouid = 0 ogid = 7 rdev = 00:00 obj = system_u:object_r:cupsd_rw_etc_t:s0   OBJTYPE = NORMAL

     

type = CWD msg = audit(1478200022.446:5151):cwd =" / var / www / html"

     

type = SYSCALL msg = audit(1478200022.446:5151):arch = c000003e syscall = 2   success = yes exit = 5 a0 = 7fff26837c70 a1 = 0 a2 = 0 a3 = 9 items = 1 ppid = 19397   pid = 46644 auid = 4294967295 uid = 48 gid = 48 euid = 48 suid = 48 fsuid = 48   egid = 48 sgid = 48 fsgid = 48 tty =(none)ses = 4294967295 comm =" lpr"   EXE =" /usr/bin/lpr.cups" subj = system_u:system_r:httpd_t:s0 key =(null)

     

type = AVC msg = audit(1478200022.446:5151):avc:拒绝{open} for   pid = 46644 comm =" lpr"路径=#&34;在/ etc /杯/ lp选项" dev的=" DM-3"   ino = 134317708 scontext = system_u:system_r:httpd_t:s0   tcontext = system_u:object_r:cupsd_rw_etc_t:s0 tclass = file

     

type = AVC msg = audit(1478200022.446:5151):avc:denied {read} for   pid = 46644 comm =" lpr"命名=" lp选项" dev的=" DM-3"伊诺= 134317708   scontext = system_u:system_r:httpd_t:S0   tcontext = system_u:object_r:cupsd_rw_etc_t:s0 tclass = file

使用exec的其他wkhtmltopdf命令获取类似错误。

这是当前的selinux配置:

# getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> on
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> on
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off

所有这一切都是在yum将我的系统从RHEL 7.2更新到7.3之后立即开始的。

导致拒绝的原因是什么?

1 个答案:

答案 0 :(得分:1)

我最终在help troubleshoot安装了一些额外的seLinux工具:

yum install setroubleshoot setools

然后跑

sealert -a /var/log/audit/audit.log

输出建议进行以下修改:

ausearch -c 'lpr' --raw | audit2allow -M my-lpr
semodule -i my-lpr.pp
ausearch -c 'wkhtmltopdf-amd' --raw | audit2allow -M my-wkhtmltopdfamd
semodule -i my-wkhtmltopdfamd.pp

发布这些命令,我​​现在可以再次从我的PHP应用程序打印。

相关问题
最新问题