On 12/28/2016 03:32 PM, J Martin Rushton wrote:
> On 28/12/16 20:11, Robert Moskowitz wrote:
>> On 12/28/2016 01:53 PM, m.roth at 5-cent.us wrote:
>>> Robert Moskowitz wrote:
>>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>>>>> Which is why I wonder if there is some different config for the C7.3
>>>>>> version of apache.
>>>>>>
>>>>>> Or something with the C7-arm build...
>>>>> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?
>>>> Good advice. As I suspect the problem is with SELinux.
>>>>
>>>> So I tried an access. What follows is the access_log entry, the
>>>> error_log entry and the 3 entries in the audit.log:
>>>>
>>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/ HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
>>>>
>>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141] (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open directory for index: /home/rgm/public_html/family/
>>>>
>>>> type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
>>>>
>>>> type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>
>>>> type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>>
>>>> I will say that after enabling selinux on this image per the
>>>> instructions of the team doing the Centos7-arm builds, I got the
>>>> following messages when I did things like 'setsebool -P
>>>> httpd_enable_homedirs on':
>>>>
>>>> [ 2273.047017] SELinux: Class binder not defined in policy.
>>>> [ 2273.052531] SELinux: the above unknown classes and permissions will be allowed
>>>>
>>>> So something may well not be right with my SELinux.
>>>>
>>> Bang. I would suggest, at this point, that you might want to set selinux
>>> into permissive mode, so you'll get the error messages from it, and can
>>> work out fixes, but will let your system operate as you intend.
>>> setselinux 0
>>>
>>> Note that this is *temporary*, and will revert on reboot. To make it
>>> permanent, you'd need to edit /etc/selinux/config.
>> Thanks, Mark, I was just getting around to that way of thinking.
>>
>> The command, at least on my Centos7-arm system is
>>
>> setenforce 0
>>
>> A presto it works. So now to figure out what is wrong with SElinux on
>> this image.
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos
> Have you got the setroubleshoot-server package installed? For x86_64 it
> is part of the base repository, obviously arm may differ. The package
> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
> menu, or it can be launched via:

No GUI in the base image. And on arm, we tend to use Xfce.

> # /usr/bin/python -Es /usr/bin/sealert -s

no sealert bin file, so it is off to install it.

> It generates suggestions to fix SELinux issues. Sometimes it is quite
> useful, on other occasions it just lists vast numbers of possibilities
> with little or no help. On balance it is worth trying for when it does
> help.

I have never had it make useful suggestions to me on my notebook, but we will see...

so here is what happens after I install it:

# /usr/bin/python -Es /usr/bin/sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
  File "/usr/bin/sealert", line 651, in <module>
    import gtk
ImportError: No module named gtk

If it needs a GUI, then that won't work here. Headless system.

Robert Moskowitz wrote:
> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>> Have you got the setroubleshoot-server package installed? For x86_64 it
>> is part of the base repository, obviously arm may differ. The package
>> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
>> menu, or it can be launched via:
>
> No GUI in the base image. And on arm, we tend to use Xfce.
>
>> # /usr/bin/python -Es /usr/bin/sealert -s
>
> no sealert bin file, so it is off to install it.
>
>> It generates suggestions to fix SELinux issues. Sometimes it is quite
>> useful, on other occasions it just lists vast numbers of possibilities
>> with little or no help. On balance it is worth trying for when it does
>> help.
>
> I have never had it make useful suggestions to me on my notebook, but we
> will see...
>
> so here is what happens after I install it:
>
> # /usr/bin/python -Es /usr/bin/sealert -s
> Opps, sealert hit an error!
>
> Traceback (most recent call last):
>   File "/usr/bin/sealert", line 651, in <module>
>     import gtk
> ImportError: No module named gtk
>
> If it needs a GUI, then that won't work here. Headless system.

Nahh... you want to install setroubleshoot.

mark

On 28/12/16 21:24, m.roth at 5-cent.us wrote:
> Robert Moskowitz wrote:
>> so here is what happens after I install it:
>>
>> # /usr/bin/python -Es /usr/bin/sealert -s
>> Opps, sealert hit an error!
>>
>> Traceback (most recent call last):
>>   File "/usr/bin/sealert", line 651, in <module>
>>     import gtk
>> ImportError: No module named gtk
>>
>> If it needs a GUI, then that won't work here. Headless system.
>
> Nahh... you want to install setroubleshoot.
>
> mark

Sorry, missed the no GUI if it was mentioned earlier. You _might_ get away with ssh -Y from a workstation but you might end up wasting time. No guarantees I'm afraid. :-)

Martin

On 12/28/2016 04:24 PM, m.roth at 5-cent.us wrote:
> Robert Moskowitz wrote:
>> If it needs a GUI, then that won't work here. Headless system.
>
> Nahh... you want to install setroubleshoot.

# yum install setroubleshoot
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
No package setroubleshoot available.
Error: Nothing to do

:(

Robert Moskowitz
2017-Feb-05 05:15 UTC
[CentOS] SOLVED- Re: Help with httpd userdir recovery
Finally worked on this some more (my dad, age 91, passed away later on the 28th, and only recently started catching up on a lot of work).

What I was missing was:

chcon -R -t httpd_sys_content_t ~rgm/public_html

I did not find this in any instruction on userdir, but fortunately I was pointed to this over on the Centos-arm list.

Something else to add to the cookbook....

thanks all for your help on this!

On 12/28/2016 04:24 PM, m.roth at 5-cent.us wrote:
> Nahh... you want to install setroubleshoot.
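
A headless way to read the denial quoted in this thread, added here as an example and not part of any poster's message: the script groups the three audit records by their shared event id and extracts the denied permission, the source and target SELinux types, the errno and the decoded proctitle. The function names are illustrative assumptions; the sample input is the record set from the thread with the mail line-wraps rejoined.

```python
import errno
import re
from collections import defaultdict

# The three audit records quoted in the thread (mail line-wraps rejoined).
SAMPLE = """\
type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$")
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fields(body):
    """Parse 'k=v k="v w"' pairs into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(body)}


def group_events(text):
    """Group records by event id (timestamp:serial) shared across record types."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            events[event_id][rtype] = body
    return dict(events)


def decode_proctitle(body):
    """A quoted proctitle is literal; an unquoted one is hex argv, NUL-separated."""
    raw = body.partition("proctitle=")[2].strip()
    if raw.startswith('"'):
        return raw.strip('"')
    try:
        return bytes.fromhex(raw).replace(b"\0", b" ").decode("utf-8", "replace")
    except ValueError:
        return raw  # not valid hex: show it unchanged


def summarize(event):
    """Reduce one event to what a fix needs (contexts are user:role:type:level)."""
    m = AVC.search(event.get("AVC", ""))
    if not m:
        return None
    verdict, perms, rest = m.groups()
    avc = fields(rest)
    sysc = fields(event.get("SYSCALL", ""))
    code = int(sysc.get("exit", "0"))
    return {
        "verdict": verdict,
        "perms": perms.split(),
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "tclass": avc["tclass"],
        "name": avc.get("name"),
        "errno": errno.errorcode.get(-code) if code < 0 else None,
        "enforced": avc.get("permissive") == "0",
        "cmdline": decode_proctitle(event.get("PROCTITLE", "")),
    }


if __name__ == "__main__":
    for event_id, event in group_events(SAMPLE).items():
        print(event_id, summarize(event))
```

On the thread's records this reports httpd_t denied read on a dir labelled httpd_user_content_t; the chcon in the final message changes that label to httpd_sys_content_t.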