Permissions

Allow httpd to execute bash scripts in /usr/bin/

  • April 13, 2016

Migrating a system from CentOS 6 to RHEL 7, with SELinux running Enforced. A php script calls exec to run /usr/bin/processdata.sh in the background to generate some data. This worked fine on the old system, but with SELinux set to enforcing the php exec call is blocked.

Here are the permissions on the sh script:

-rwxrwx--x. root root unconfined_u:object_r:bin_t:s0   /usr/bin/process_data.sh

At the same time the php page is called, this audit error appears:

ausearch -l -i | grep httpd

type=SYSCALL msg=audit(02/27/2016 14:07:52.662:23480) : arch=x86_64 syscall=socket success=no exit=-97(Address family not supported by protocol) a0=inet6 a1=SOCK_DGRAM a2=ip a3=0x672e76656473626e items=0 ppid=15686 pid=3852 auid=unset uid=apache gid=apache euid=apache suid=apache fsuid=apache egid=apache sgid=apache fsgid=apache tty=(none) ses=unset comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(02/27/2016 14:07:52.662:23480) : avc: denied { module_request } for pid=3852 comm=httpd kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

These are my current httpd booleans:

httpd_can_network_relay        (off  ,  off)  Allow httpd to can network relay
httpd_can_connect_mythtv       (off  ,  off)  Allow httpd to can connect mythtv
httpd_can_network_connect_db   (off  ,  off)  Allow httpd to can network connect db
httpd_use_gpg                  (off  ,  off)  Allow httpd to use gpg
httpd_dbus_sssd                (off  ,  off)  Allow httpd to dbus sssd
httpd_enable_cgi               (on   ,   on)  Allow httpd to enable cgi
httpd_verify_dns               (off  ,  off)  Allow httpd to verify dns
httpd_dontaudit_search_dirs    (off  ,  off)  Allow httpd to dontaudit search dirs
httpd_anon_write               (off  ,  off)  Allow httpd to anon write
httpd_use_cifs                 (off  ,  off)  Allow httpd to use cifs
httpd_enable_homedirs          (off  ,  off)  Allow httpd to enable homedirs
httpd_unified                  (off  ,  off)  Allow httpd to unified
httpd_mod_auth_pam             (off  ,  off)  Allow httpd to mod auth pam
httpd_run_stickshift           (off  ,  off)  Allow httpd to run stickshift
httpd_use_fusefs               (off  ,  off)  Allow httpd to use fusefs
httpd_can_connect_ldap         (off  ,  off)  Allow httpd to can connect ldap
httpd_can_network_connect      (on   ,   on)  Allow httpd to can network connect
httpd_mod_auth_ntlm_winbind    (off  ,  off)  Allow httpd to mod auth ntlm winbind
httpd_tty_comm                 (off  ,  off)  Allow httpd to tty comm
httpd_sys_script_anon_write    (off  ,  off)  Allow httpd to sys script anon write
httpd_graceful_shutdown        (on   ,   on)  Allow httpd to graceful shutdown
httpd_can_connect_ftp          (off  ,  off)  Allow httpd to can connect ftp
httpd_run_ipa                  (off  ,  off)  Allow httpd to run ipa
httpd_read_user_content        (off  ,  off)  Allow httpd to read user content
httpd_use_nfs                  (off  ,  off)  Allow httpd to use nfs
httpd_can_connect_zabbix       (off  ,  off)  Allow httpd to can connect zabbix
httpd_tmp_exec                 (off  ,  off)  Allow httpd to tmp exec
httpd_run_preupgrade           (off  ,  off)  Allow httpd to run preupgrade
httpd_manage_ipa               (off  ,  off)  Allow httpd to manage ipa
httpd_can_sendmail             (on   ,   on)  Allow httpd to can sendmail
httpd_builtin_scripting        (on   ,   on)  Allow httpd to builtin scripting
httpd_dbus_avahi               (off  ,  off)  Allow httpd to dbus avahi
httpd_can_check_spam           (off  ,  off)  Allow httpd to can check spam
httpd_can_network_memcache     (off  ,  off)  Allow httpd to can network memcache
httpd_can_network_connect_cobbler (off  ,  off)  Allow httpd to can network connect cobbler
httpd_use_sasl                 (off  ,  off)  Allow httpd to use sasl
httpd_serve_cobbler_files      (off  ,  off)  Allow httpd to serve cobbler files
httpd_execmem                  (off  ,  off)  Allow httpd to execmem
httpd_ssi_exec                 (off  ,  off)  Allow httpd to ssi exec
httpd_use_openstack            (off  ,  off)  Allow httpd to use openstack
httpd_enable_ftp_server        (off  ,  off)  Allow httpd to enable ftp server
httpd_setrlimit                (off  ,  off)  Allow httpd to setrlimit

Is there something in my selinux configuration that I'm not seeing?

The SELinux configuration you have shown us looks "normal", but that is not to say it does not need tuning to suit your particular workload.

What I would do here is put SELinux into permissive mode (setenforce 0), then have auditd start a new log file (kill -USR1 <PID of auditd>). Then carry on with your normal business. SELinux will generate messages for later analysis.

Once you have run in permissive mode "for a while", you can use the standard tools to investigate the SELinux messages.

The audit2why utility can clarify the logged messages and also give advice on what to do; for example, for the snippet you posted it could say:

avc: denied { module_request } for pid=3852 comm=httpd kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system

       Was caused by:
       The boolean domain_kernel_load_modules was set incorrectly.
       Description:
       Allow all domains to have the kernel load modules

       Allow access by executing:
       # setsebool -P domain_kernel_load_modules 1

Since you are currently running in enforcing mode, only the first denial gets logged; if you fix that one you may find more, which is why you should temporarily run in permissive mode, where all denials are logged.

Sometimes audit2why is not very helpful. In those cases, a deeper understanding of SELinux can help. For example, you can run the audit log through audit2allow and generate a local policy that can be applied with semodule. This should be reviewed carefully though, because you can grant more than you need.

Quoted from: https://serverfault.com/questions/760322
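As an added example (my own, not code from the question or the answer above), the following POSIX shell helper reduces an audit log captured while in permissive mode to the unique denial tuples (permission, source context, target context, class) with a count for each, so every distinct denial can be reviewed before anything is fed to audit2allow. The sample audit lines are constructed, modelled on the record format in the question; the commands in permissive_capture follow the answer's procedure and assume a RHEL 7 host with auditd and policycoreutils installed, so that function is defined for reference and not run.

```shell
#!/bin/sh
# Added example: summarise AVC denials before generating any local policy.

# Constructed sample records (not from a real host). Raw audit.log format;
# the SYSCALL record is included to show that non-AVC records are ignored.
SAMPLE_AVC='type=AVC msg=audit(1456581312.662:23480): avc:  denied  { module_request } for  pid=3852 comm="httpd" kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system
type=AVC msg=audit(1456581313.101:23481): avc:  denied  { write } for  pid=3853 comm="php-fpm" name="cache.dat" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1456581313.101:23481): arch=c000003e syscall=2 success=no exit=-13 a0=7f00 items=1 ppid=15686 pid=3853 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1456581315.500:23485): avc:  denied  { name_connect } for  pid=3853 comm="php-fpm" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1456581320.000:23490): avc:  denied  { module_request } for  pid=3860 comm="httpd" kmod="net-pf-10" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system'

# summarize_avc FILE
# Prints one line per unique denial, most frequent first:
#   <count> <permission(s)> <scontext> <tcontext> <tclass>
# Works on raw /var/log/audit/audit.log as well as "ausearch -m AVC" output.
summarize_avc() {
  awk '
    /avc: +denied/ {
      # Permission list sits between the braces, e.g. "{ read write }".
      perm = $0
      sub(/.*denied +[{] */, "", perm)
      sub(/ *[}].*/, "", perm)
      s = ""; t = ""; c = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^scontext=/)      s = substr($i, 10)
        else if ($i ~ /^tcontext=/) t = substr($i, 10)
        else if ($i ~ /^tclass=/)   c = substr($i, 8)
      }
      count[perm " " s " " t " " c]++
    }
    END { for (k in count) print count[k], k }
  ' "$1" | sort -k1,1nr -k2,2
}

# The capture procedure described in the answer, for reference. Requires root
# on an SELinux-enabled host; the module name "local_httpd" is an assumption.
permissive_capture() {
  setenforce 0                                   # log denials instead of blocking
  kill -USR1 "$(pgrep -x auditd)"                # make auditd open a fresh log
  # ... exercise the application, then explain and review each denial:
  #   ausearch -m AVC -ts recent | audit2why
  #   ausearch -m AVC -ts recent | audit2allow -M local_httpd
  #   (read local_httpd.te before loading it)  semodule -i local_httpd.pp
  #   setenforce 1
}

# Demonstration on the constructed sample.
AVC_FILE=$(mktemp)
printf '%s\n' "$SAMPLE_AVC" > "$AVC_FILE"
echo "Unique denials in $AVC_FILE:"
summarize_avc "$AVC_FILE"
```

Each output line is one thing to decide on: a boolean to flip (as audit2why suggests for module_request above), a file label to fix with semanage fcontext, or an allow rule that really is needed. Counting first makes it obvious when a single root cause (here the repeated net-pf-10 module request) produces most of the noise, and it keeps audit2allow from being run over a log that also contains denials you never meant to permit.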