This article describes how to deal with SELinux blocking the crontab command run from PHP; it should be a useful reference for anyone facing the same problem.

Problem description

There are Fedora 25 and apache on our server.
I want to make it so that the php script on our web site can change crontab settings.

I created the following test php script:

<?php
system("echo '*/2 * * * * date > /var/www/logs/testlog.txt' | crontab - 2>&1");

But it did not work. I got the message:

I looked at the output of sealert -a /var/log/audit/audit.log and found:

Okay. It sounds like apache is not allowed write access to /var/spool/cron because that directory does not have the httpd_sys_rw_content_t label. So I executed the command: chcon -v -R -t httpd_sys_rw_content_t /var/spool/cron

My php script began to work. The crontab -l command gave normal output.
But a new problem appeared. :( The cron tasks were not executed.

In /var/log/cron I saw the error:

Mar 23 18:05:01 mh203-95 crond[1653]: (apache) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=system_u:object_r:httpd_sys_rw_content_t:s0 (/var/spool/cron/apache)
Mar 23 18:05:01 mh203-95 crond[1653]: (apache) FAILED (loading cron table)

After a lot of research... I found that /var/spool/cron must have the user_cron_spool_t label. So I executed: chcon -v -R -t user_cron_spool_t /var/spool/cron.

The cron tasks began to work. But my php script did not work again. The same problem as at the beginning.

sealert suggested commands like:
ausearch -c 'crontab' --raw | audit2allow -M my-crontab
semodule -X 300 -i my-crontab.pp
But it did not help.

What am I missing? How do I solve the problem? Can I somehow combine the two labels user_cron_spool_t and httpd_sys_rw_content_t for the /var/spool/cron directory?

Recommended answer

I have solved the problem.

The reason was this: sealert generates the same policy name my-crontab in all suggested commands. The new policy overwrote the old one.
It is just necessary to change this name slightly.

So I executed:

ausearch -c 'crontab' --raw | audit2allow -M my-crontab
semodule -X 300 -i my-crontab.pp

ausearch -c 'crontab' --raw | audit2allow -M my-crontab2
semodule -X 300 -i my-crontab2.pp

ausearch -c 'crontab' --raw | audit2allow -M my-crontab3
semodule -X 300 -i my-crontab3.pp
...

Before every ausearch ... I executed:
echo -n "" > /var/log/audit/audit.log
My php script.
sealert -a /var/log/audit/audit.log
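Two shell helpers for the audit2allow loop from the answer, as an added example that is not part of the original post: one summarises the AVC denials that `ausearch --raw` returns (so you can see what a generated module would allow before running semodule), and one picks an unused module name so later rounds do not overwrite earlier ones. The audit records inside the block are constructed samples, and the `my-crontab` base name and the `.` working directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. The audit records below are
# constructed for this example; pids, inodes and timestamps are made up.
SAMPLE_AUDIT='type=AVC msg=audit(1490284800.123:456): avc:  denied  { write } for  pid=1234 comm="crontab" name="cron" dev="dm-0" ino=123 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1490284800.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="crontab" exe="/usr/bin/crontab" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1490284800.456:457): avc:  denied  { setuid } for  pid=1234 comm="crontab" capability=7 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0'

# summarize_avc COMM: read raw audit records on stdin (the format `ausearch --raw`
# prints) and emit one line per AVC denial for COMM:
#   "<tclass> <permissions> <source context> -> <target context>"
summarize_avc() {
  comm="$1"
  grep '^type=AVC ' | grep "comm=\"$comm\"" | sed -n \
    's/.*denied *{ \(.*\) } for .*scontext=\([^ ]*\) tcontext=\([^ ]*\) tclass=\([^ ]*\).*/\4 \1 \2 -> \3/p'
}

# next_module_name BASE DIR: first of BASE, BASE2, BASE3, ... whose .pp file is not
# yet in DIR, so each audit2allow round installs a new module instead of replacing
# the previous one (the overwrite the answer describes).
next_module_name() {
  base="$1"; dir="$2"; n=1; name="$base"
  while [ -e "$dir/$name.pp" ]; do
    n=$((n + 1)); name="$base$n"
  done
  printf '%s\n' "$name"
}

# Intended use on the real host (needs root, ausearch and audit2allow; not run here):
#   mod=$(next_module_name my-crontab .)
#   ausearch -c 'crontab' --raw | tee avc.raw | audit2allow -M "$mod"
#   summarize_avc crontab < avc.raw      # what the module would allow
#   cat "$mod.te"                        # the rules audit2allow generated
#   semodule -X 300 -i "$mod.pp"

# Demonstration on the constructed records: prints one summary line per denial.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc crontab
```

Each round of audit2allow adds permanent allow rules for httpd_t, so reading the generated .te file before semodule -i keeps the policy to the minimum the script actually needs.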


07-18 05:50