On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces at centos.org on behalf of rgm at htt-consult.com> wrote:

On 12/28/2016 06:05 PM, J Martin Rushton wrote:
>
> On 28/12/16 21:24, m.roth at 5-cent.us wrote:
>> Robert Moskowitz wrote:
>>>
>>> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>>>> On 28/12/16 20:11, Robert Moskowitz wrote:
>>>>> On 12/28/2016 01:53 PM, m.roth at 5-cent.us wrote:
>>>>>> Robert Moskowitz wrote:
>>>>>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>>>>>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
>>>>>>>> <rgm at htt-consult.com>
>>>>>>>> wrote:
>>>>>>>>> Which is why I wonder if there is some different config for the
>>>>>>>>> C7.3 version of apache.
>>>>>>>>>
>>>>>>>>> Or something with the C7-arm build...
>>>>>>>> Can you check for SELinux warnings/errors in
>>>>>>>> /var/log/audit/audit.log?
>>>>>>> Good advice. As I suspect the problem is with SELinux.
>>>>>>>
>>>>>>> So I tried an access. What follows is the access_log entry, the
>>>>>>> error_log entry and the 3 entries in the audit.log:
>>>>>>>
>>>>>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>>>>>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
>>>>>>> rv:50.0) Gecko/20100101 Firefox/50.0"
>>>>>>>
>>>>>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>>>>>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
>>>>>>> open directory for index: /home/rgm/public_html/family/
>>>>>>>
>>>>>>> type=AVC msg=audit(1482944350.289:339): avc: denied { read } for
>>>>>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>>>>>>> permissive=0
>>>>>>>
>>>>>>> type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322
>>>>>>> per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0
>>>>>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
>>>>>>> suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>>>>>> comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0
>>>>>>> key=(null)
>>>>>>>
>>>>>>> type=PROCTITLE msg=audit(1482944350.289:339):
>>>>>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>>>>>
>>>>>>>
>>>>>>> I will say that after enabling selinux on this image per the
>>>>>>> instructions of the team doing the Centos7-arm builds, I got the
>>>>>>> following messages when I did things like 'setsebool -P
>>>>>>> httpd_enable_homedirs on':
>>>>>>>
>>>>>>> [ 2273.047017] SELinux: Class binder not defined in policy.
>>>>>>> [ 2273.052531] SELinux: the above unknown classes and permissions
>>>>>>> will be allowed
>>>>>>>
>>>>>>>
>>>>>>> So something may well not be right with my SELinux.
>>>>>>>
>>>>>> Bang. I would suggest, at this point, that you might want to set
>>>>>> selinux into permissive mode, so you'll get the error messages from
>>>>>> it, and can work out fixes, but will let your system operate as you
>>>>>> intend.
>>>>>> setselinux 0
>>>>>>
>>>>>> Note that this is *temporary*, and will revert on reboot. To make it
>>>>>> permanent, you'd need to edit /etc/selinux/config.
>>>>> Thanks, Mark, I was just getting around to that way of thinking.
>>>>>
>>>>> The command, at least on my Centos7-arm system is
>>>>>
>>>>> setenforce 0
>>>>>
>>>>> A presto it works. So now to figure out what is wrong with SELinux on
>>>>> this image.
>>>>>
>>>>> _______________________________________________
>>>>> CentOS mailing list
>>>>> CentOS at centos.org
>>>>> https://lists.centos.org/mailman/listinfo/centos
>>>> Have you got the setroubleshoot-server package installed? For x86_64 it
>>>> is part of the base repository, obviously arm may differ. The package
>>>> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
>>>> menu, or it can be launched via:
>>> No GUI in the base image. And on arm, we tend to use Xfce.
>>>
>>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>> no sealert bin file, so it is off to install it.
>>>
>>>> It generates suggestions to fix SELinux issues. Sometimes it is quite
>>>> useful, on other occasions it just lists vast numbers of possibilities
>>>> with little or no help. On balance it is worth trying for when it does
>>>> help.
>>> I have never had it make useful suggestions to me on my notebook, but we
>>> will see...
>>>
>>> so here is what happens after I install it:
>>>
>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>> Opps, sealert hit an error!
>>>
>>> Traceback (most recent call last):
>>>   File "/usr/bin/sealert", line 651, in <module>
>>>     import gtk
>>> ImportError: No module named gtk
>>>
>>> If it needs a GUI, then that won't work here. Headless system.
>>>
>> Nahh... you want to install setroubleshoot.
>>
>> mark
>>
> Sorry, missed the no GUI if it was mentioned earlier.

Never mentioned it. I have not checked to see what GUI has been ported
to try and load something. I *DO* use Xfce with Fedora-arm systems.
But I would have to hook this little server up to such.

> You _might_ get away with ssh -Y from a workstation but you might end up wasting time.
> No guarantees I'm afraid. :-) Martin

Yeah, ssh -Y can be such fun with a headless system.

_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos

Sorry, I'm a bit late to this thread so I don't know if anyone has mentioned this already. What does

$ getsebool httpd_enable_homedirs

tell you. If it says "off" you probably want to do

$ setsebool -P httpd_enable_homedirs on

Greg
On 12/28/2016 06:13 PM, Greg Cornell wrote:
> On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces at centos.org on behalf of rgm at htt-consult.com> wrote:
>
> Sorry, I'm a bit late to this thread so I don't know if anyone has mentioned this already. What does
>
> $ getsebool httpd_enable_homedirs
>

# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on

This was mentioned earlier.

One thing I did not mention was when I ran the set command, I also got back the following which I have gotten on all selinux changes:

# setsebool -P httpd_enable_homedirs on
[ 8192.799162] SELinux: Class binder not defined in policy.
[ 8192.804646] SELinux: the above unknown classes and permissions will be allowed

Other than some SELinux guru pointing me to things to do, I will probably have to wait until the C7-arm builders chime in on the centos-arm list.
On 12/28/16, 3:28 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces at centos.org on behalf of rgm at htt-consult.com> wrote:

On 12/28/2016 06:13 PM, Greg Cornell wrote:
> On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces at centos.org on behalf of rgm at htt-consult.com> wrote:
>
> Sorry, I'm a bit late to this thread so I don't know if anyone has mentioned this already. What does
>
> $ getsebool httpd_enable_homedirs
>

# getsebool httpd_enable_homedirs
httpd_enable_homedirs --> on

This was mentioned earlier.

One thing I did not mention was when I ran the set command, I also got back the following which I have gotten on all selinux changes:

# setsebool -P httpd_enable_homedirs on
[ 8192.799162] SELinux: Class binder not defined in policy.
[ 8192.804646] SELinux: the above unknown classes and permissions will be allowed

Other than some SELinux guru pointing me to things to do, I will probably have to wait until the C7-arm builders chime in on the centos-arm list.

_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos

I'm not sure but I think those two warnings mean that your kernel and selinux policy are out of sync.
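An added example, not from any of the posters: a small POSIX shell triage helper for a headless box where sealert cannot start, which pulls the source type, target type, object class and denied permission out of an AVC record like the one quoted in the thread and says which boolean or label to look at first. The sample record is constructed from the thread's AVC line; the hint strings are my own mapping (httpd_read_user_content and audit2why are standard CentOS 7 names, but which hint applies is an assumption, not something the thread settles).

```sh
#!/bin/sh
# Added example: triage an SELinux AVC record without sealert.
# AVC_SAMPLE is constructed from the record quoted in the thread.
AVC_SAMPLE='type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for  pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0'

# avc_field RECORD KEY -> value of the first KEY=value token, quotes stripped
avc_field() {
    printf '%s\n' "$1" | awk -v k="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n && substr($i, 1, n - 1) == k) {
                v = substr($i, n + 1); gsub(/"/, "", v); print v; exit
            }
        }
    }'
}

# avc_perm RECORD -> the permission named inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied *{ *\([^}]*\) *}.*/\1/p' | sed 's/ *$//'
}

# type_of CONTEXT -> the type component of user:role:type:level
type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_hint RECORD -> one line naming the first thing worth checking
avc_hint() {
    s=$(type_of "$(avc_field "$1" scontext)")
    t=$(type_of "$(avc_field "$1" tcontext)")
    c=$(avc_field "$1" tclass)
    p=$(avc_perm "$1")
    case "$s/$t/$c/$p" in
        # httpd reading a user's public_html: the homedir booleans decide this
        httpd_t/httpd_user_content_t/dir/read|httpd_t/httpd_user_content_t/file/read)
            echo "check: getsebool httpd_enable_homedirs and httpd_read_user_content";;
        # any other httpd denial: labels first, then the remaining httpd booleans
        httpd_t/*)
            echo "check: labels with ls -Z, then getsebool -a for the httpd booleans";;
        *)
            echo "check: run the record through audit2why";;
    esac
}

echo "source=$(type_of "$(avc_field "$AVC_SAMPLE" scontext)") target=$(type_of "$(avc_field "$AVC_SAMPLE" tcontext)") class=$(avc_field "$AVC_SAMPLE" tclass) perm=$(avc_perm "$AVC_SAMPLE")"
avc_hint "$AVC_SAMPLE"
```

If the boolean already reads "on", as it did in the thread, the helper has done what it can and the record itself (together with the "Class binder not defined in policy" warnings) is what to bring to the people building the policy.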