This article describes how to tell SELinux to grant Apache execute access to PHP files outside the document root.

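Problem description

I have a directory where shared PHP scripts are kept (the name is arbitrary, but it isn't /var/, /usr/, or anything that SELinux would have specific settings for):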
/whatever/scripts/

These scripts can get executed by cronjobs, or may get executed by Apache or Tomcat so the output can be included in a web page.

SELinux is denying permission:

type=AVC msg=audit(1363205612.276:476923): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1363205612.276:476923): arch=c000003e syscall=59 success=no exit=-13 a0=2431d10 a1=2431d70 a2=24301e0 a3=52uid=6pid 5954102000000000=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1363205612.277:476924): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1363205612.277:476924): arch=c000003e syscall=21 success=no exit=-13 a0=2431d10 a1=1 a2=0 a3=50 items=0 ppid=23105 auid6782=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

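I know there is a command I can use to tell SELinux to allow this, but it's eluding me.

Even making the directory and script owner and group apache doesn't work, so it isn't a classic permissions problem, but SELinux specific.

The system is CentOS 6.3.

Solution

I found the solution with these two commands: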

semanage fcontext -a -t httpd_sys_script_exec_t '/whatever/scripts(/.*)?'
 
restorecon -R -v /whatever/scripts/

That allows Apache to execute PHP scripts in that directory, and persists after a reboot, or system-wide relabeling.
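The denial records in the question already show why relabeling is the fix: the httpd_t domain was refused execute on a file labelled etc_runtime_t. The following triage helper is an added example, not part of the original question or answer; it parses AVC records like those above, groups repeats, and flags the label mismatch. The function names are hypothetical, and the SYSCALL line in the sample is shortened.

```python
import re
from collections import Counter

# Sample input: the two AVC records from the question; SYSCALL line shortened.
SAMPLE_LOG = """\
type=AVC msg=audit(1363205612.276:476923): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1363205612.276:476923): arch=c000003e syscall=59 success=no exit=-13
type=AVC msg=audit(1363205612.277:476924): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    kv = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    # A context is user:role:type:level; the level itself may contain ':'.
    return {
        "perms": tuple(m.group(1).split()),
        "name": kv.get("name"),
        "tclass": kv.get("tclass"),
        "source_type": kv["scontext"].split(":", 3)[2],
        "target_type": kv["tcontext"].split(":", 3)[2],
    }


def summarize(log_text):
    """Count denials per (source type, perms, target type, class, name)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            counts[(rec["source_type"], rec["perms"], rec["target_type"],
                    rec["tclass"], rec["name"])] += 1
    return counts


def needs_relabel(rec, exec_type="httpd_sys_script_exec_t"):
    """True when httpd_t was refused execute on a file not labelled exec_type
    (exec_type defaults to the type used in the answer's semanage command)."""
    return (rec["source_type"] == "httpd_t" and rec["tclass"] == "file"
            and "execute" in rec["perms"] and rec["target_type"] != exec_type)


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```

After running restorecon, the same check on fresh audit records should no longer flag script.php, because its target type becomes httpd_sys_script_exec_t.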


07-18 05:51