On 12/28/2016 05:11 AM, Todor Petkov wrote:
> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>> Which is why I wonder if there is some different config for the C7.3 version
>> of apache.
>>
>> Or something with the C7-arm build...
> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?

Good advice. As I suspect the problem is with SELinux.

So I tried an access. What follows is the access_log entry, the error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/ HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141] (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44

I will say that after enabling selinux on this image per the instructions of the team doing the Centos7-arm builds, I got the following messages when I did things like 'setsebool -P httpd_enable_homedirs on':

[ 2273.047017] SELinux: Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions will be allowed

So something may well not be right with my SELinux.

Bob
Robert Moskowitz wrote:
> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz <rgm at htt-consult.com>
>> wrote:
>>> Which is why I wonder if there is some different config for the C7.3
>>> version
>>> of apache.
>>>
>>> Or something with the C7-arm build...
>> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?
>
> Good advice. As I suspect the problem is with SELinux.
>
> So I tried an access. What follows is the access_log entry, the
> error_log entry and the 3 entries in the audit.log:
>
> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
> Gecko/20100101 Firefox/50.0"
>
> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open
> directory for index: /home/rgm/public_html/family/
>
> type=AVC msg=audit(1482944350.289:339): avc: denied { read } for
> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
> permissive=0
>
> type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322
> per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0
> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>
> type=PROCTITLE msg=audit(1482944350.289:339):
> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>
>
> I will say that after enabling selinux on this image per the
> instructions of the team doing the Centos7-arm builds, I got the
> following messages when I did things like 'setsebool -P
> httpd_enable_homedirs on':
>
> [ 2273.047017] SELinux: Class binder not defined in policy.
> [ 2273.052531] SELinux: the above unknown classes and permissions will
> be allowed
>
>
> So something may well not be right with my SELinux.
>

Bang. I would suggest, at this point, that you might want to set selinux into permissive mode, so you'll get the error messages from it, and can work out fixes, but will let your system operate as you intend.

setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it permanent, you'd need to edit /etc/selinux/config.

mark
On 12/28/2016 01:53 PM, m.roth at 5-cent.us wrote:
> Robert Moskowitz wrote:
>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz <rgm at htt-consult.com>
>>> wrote:
>>>> Which is why I wonder if there is some different config for the C7.3
>>>> version
>>>> of apache.
>>>>
>>>> Or something with the C7-arm build...
>>> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?
>> Good advice. As I suspect the problem is with SELinux.
>>
>> So I tried an access. What follows is the access_log entry, the
>> error_log entry and the 3 entries in the audit.log:
>>
>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
>> Gecko/20100101 Firefox/50.0"
>>
>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open
>> directory for index: /home/rgm/public_html/family/
>>
>> type=AVC msg=audit(1482944350.289:339): avc: denied { read } for
>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>> scontext=system_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>> permissive=0
>>
>> type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322
>> per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0
>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48
>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>
>> type=PROCTITLE msg=audit(1482944350.289:339):
>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>
>>
>> I will say that after enabling selinux on this image per the
>> instructions of the team doing the Centos7-arm builds, I got the
>> following messages when I did things like 'setsebool -P
>> httpd_enable_homedirs on':
>>
>> [ 2273.047017] SELinux: Class binder not defined in policy.
>> [ 2273.052531] SELinux: the above unknown classes and permissions will
>> be allowed
>>
>>
>> So something may well not be right with my SELinux.
>>
> Bang. I would suggest, at this point, that you might want to set selinux
> into permissive mode, so you'll get the error messages from it, and can
> work out fixes, but will let your system operate as you intend.
> setselinux 0
>
> Note that this is *temporary*, and will revert on reboot. To make it
> permanent, you'd need to edit /etc/selinux/config.

Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

A presto it works.

So now to figure out what is wrong with SElinux on this image.
> type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0

I ran into the same problem, I think. I ran "audit2why" and passed in the AVC. It suggested a pair of booleans I've never seen before.

# audit2why
type=AVC msg=audit(1483077583.703:1539671): avc: denied { read } for pid=11162 comm="httpd" name="courier-pythonfilter" dev="dm-0" ino=533228 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir

Was caused by:
One of the following booleans was set incorrectly.
Description:
Allow httpd to read user content

Allow access by executing:
# setsebool -P httpd_read_user_content 1
Description:
Allow httpd to unified

Allow access by executing:
# setsebool -P httpd_unified 1
# setsebool -P httpd_read_user_content 1

... and setting one of them fixed the problem.

I don't see a bug filed for this. Can anyone else confirm that httpd_enable_homedirs doesn't work as it did before 7.3? I suspect it's not widely used and the bug may not have been noticed yet.
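The AVC/SYSCALL/PROCTITLE triple Bob posted, and the boolean diagnosis Gordon got from audit2why, can be reproduced with a small triage script. This is an added example, not code from anyone in the thread: it groups the three records by audit event id, decodes the hex PROCTITLE, and for an enforced denial of httpd_t reading httpd_user_content_t points at the three booleans the thread names (httpd_enable_homedirs, httpd_read_user_content, httpd_unified) without changing any policy. The sample input is the audit.log excerpt quoted above; the field names and dict layout are the script's own choices.

```python
import re

# The three audit.log records the thread quotes for one denied request,
# embedded verbatim here so the script runs offline against known input.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
"""

# Booleans the thread names for httpd access to user content; only reported, never set.
USER_CONTENT_BOOLEANS = ("httpd_enable_homedirs", "httpd_read_user_content", "httpd_unified")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """One audit record -> dict of fields, plus 'event' id and 'perms' set."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["event"] = rec["msg"].split(":")[1].rstrip("):")   # msg=audit(ts:serial):
    m = re.search(r"\{\s*([^}]*?)\s*\}", line)
    rec["perms"] = m.group(1).split() if m else []
    return rec

def decode_proctitle(hexstr):
    """PROCTITLE is argv hex-encoded, with NUL between the arguments."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").replace("\x00", " ")

def triage(text):
    """One finding per enforced AVC denial; flag the httpd -> user content case."""
    events = {}   # event id -> {record type: parsed record}
    for line in text.splitlines():
        if line.startswith("type="):
            rec = parse_record(line)
            events.setdefault(rec["event"], {})[rec["type"]] = rec
    findings = []
    for event_id, recs in events.items():
        avc = recs.get("AVC")
        if not avc or avc.get("permissive") != "0":
            continue                      # not a denial, or allowed in permissive mode
        src = avc["scontext"].split(":")[2]    # domain, e.g. httpd_t
        tgt = avc["tcontext"].split(":")[2]    # file label, e.g. httpd_user_content_t
        pt = recs.get("PROCTITLE", {}).get("proctitle")
        findings.append({
            "event": event_id, "source": src, "target": tgt, "tclass": avc["tclass"],
            "perms": avc["perms"], "exe": recs.get("SYSCALL", {}).get("exe"),
            "cmdline": decode_proctitle(pt) if pt else None,
            "check_booleans": USER_CONTENT_BOOLEANS
                if (src, tgt) == ("httpd_t", "httpd_user_content_t") else (),
        })
    return findings
```

Run it over a whole /var/log/audit/audit.log and each finding tells you which domain was denied which permission on which label; the "check_booleans" entry is the cue to run getsebool on those three before reaching for setenforce 0.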
Interesting, but I can't do anything until around the 9th.

On 12/30/2016 01:08 AM, Gordon Messmer wrote:
>> type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
> I ran into the same problem, I think. I ran "audit2why" and passed in
> the AVC. It suggested a pair of booleans I've never seen before.
>
> # audit2why
> type=AVC msg=audit(1483077583.703:1539671): avc: denied { read } for
> pid=11162 comm="httpd" name="courier-pythonfilter" dev="dm-0"
> ino=533228 scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>
> Was caused by:
> One of the following booleans was set incorrectly.
> Description:
> Allow httpd to read user content
>
> Allow access by executing:
> # setsebool -P httpd_read_user_content 1
> Description:
> Allow httpd to unified
>
> Allow access by executing:
> # setsebool -P httpd_unified 1
> # setsebool -P httpd_read_user_content 1
>
> ... and setting one of them fixed the problem.
>
> I don't see a bug filed for this. Can anyone else confirm that
> httpd_enable_homedirs doesn't work as it did before 7.3? I suspect
> it's not widely used and the bug may not have been noticed yet.
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>