How do I run PhantomJS on CentOS with SELinux enabled?

I am trying to take screenshots with PhantomJS on my CentOS 5 machine, but I cannot get it to work with SELinux. It works on the same machine with SELinux disabled, so I strongly suspect SELinux is responsible.

Here is what I have tried (all commands run as root), along with the errors I get:

  $ls -Z /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin

  -rwxr-xr-x myusername myusername system_u:object_r:bin_t phantomjs

Tried a screenshot – failed

  $cat /var/log/messages | grep avc

  Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.014:398): avc: denied { getattr } for pid=6842 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
  Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.014:399): avc: denied { getattr } for pid=6842 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
  Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.054:400): avc: denied { getattr } for pid=6852 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
  Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.054:401): avc: denied { getattr } for pid=6852 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
  Sep 13 12:21:19 myserver kernel: type=1400 audit(1347531679.866:402): avc: denied { getattr } for pid=6864 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
  Sep 13 12:21:19 myserver kernel: type=1400 audit(1347531679.867:403): avc: denied { getattr } for pid=6864 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
  Sep 13 12:21:19 myserver kernel: type=1400 audit(1347531679.920:404): avc: denied { getattr } for pid=6874 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
  Sep 13 12:21:19 myserver kernel: type=1400 audit(1347531679.920:405): avc: denied { getattr } for pid=6874 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
  Sep 13 12:21:27 myserver kernel: type=1400 audit(1347531687.025:406): avc: denied { read } for pid=6890 comm="phantomjs" name="3830d5c3ddfd5cd38a049b759396e72e-x86-64.cache-2" dev=dm-0 ino=2021753 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
  Sep 13 12:21:27 myserver kernel: type=1400 audit(1347531687.035:407): avc: denied { write } for pid=6890 comm="phantomjs" name="myusername" dev=dm-0 ino=619658 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
  Sep 13 12:21:27 myserver kernel: type=1400 audit(1347531687.061:408): avc: denied { read } for pid=6890 comm="phantomjs" name="e3ead4b767b8819993a6fa3ae306afa9-x86-64.cache-2" dev=dm-0 ino=2021752 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
  Sep 13 12:21:28 myserver kernel: type=1400 audit(1347531688.720:410): avc: denied { execmem } for pid=6890 comm="phantomjs" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

Tried changing the type of phantomjs to httpd_sys_script_exec_t

  $chcon -v -t httpd_sys_script_exec_t /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs

  $ls -Z /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin

  -rwxr-xr-x myusername myusername system_u:object_r:httpd_sys_script_exec_t phantomjs

Retried the screenshot – failed

  $cat /var/log/messages | grep avc

  Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.891:414): avc: denied { read } for pid=6962 comm="phantomjs" path="eventpoll:[9737788]" dev=eventpollfs ino=9737788 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
  Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.892:415): avc: denied { write } for pid=6962 comm="phantomjs" path=2F7661722F72756E2F777367692E363535352E302E312E6C6F636B202864656C6574656429 dev=dm-0 ino=2022252 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
  Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.892:416): avc: denied { write } for pid=6962 comm="phantomjs" path=2F7661722F72756E2F777367692E363535352E302E322E6C6F636B202864656C6574656429 dev=dm-0 ino=2022255 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
  Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.892:417): avc: denied { write } for pid=6962 comm="phantomjs" path=2F7661722F72756E2F777367692E363535352E302E332E6C6F636B202864656C6574656429 dev=dm-0 ino=2022257 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
  Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.893:418): avc: denied { write } for pid=6962 comm="phantomjs" path=2F7661722F72756E2F777367692E363535352E302E342E6C6F636B202864656C6574656429 dev=dm-0 ino=2022266 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file

Tried changing the type of phantomjs to httpd_t

  $chcon -v -t httpd_t /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs

  Failed to change context of /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs to system_u:object_r:httpd_t
  chcon: Failed to change context of /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs to system_u:object_r:httpd_t: Permission denied

Tried changing the type of phantomjs to httpd_var_run_t

  $chcon -v -t httpd_var_run_t /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs

  $ls -Z /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin

  -rwxr-xr-x myusername myusername system_u:object_r:httpd_var_run_t phantomjs

Retried the screenshot – failed

  $cat /var/log/messages | grep avc

  Sep 13 12:29:36 myserver kernel: type=1400 audit(1347532176.754:420): avc: denied { execute } for pid=7002 comm="httpd" name="phantomjs" dev=dm-0 ino=3032985 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file

Tried changing the type of phantomjs to httpd_sys_script_t

  $chcon -v -t httpd_sys_script_t /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs

  Failed to change context of /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs to system_u:object_r:httpd_sys_script_t
  chcon: Failed to change context of /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs to system_u:object_r:httpd_sys_script_t: Permission denied

Here is some more information about the SELinux setup:

  $sestatus

  SELinux status: enabled
  SELinuxfs mount: /selinux
  Current mode: enforcing
  Mode from config file: enforcing
  Policy version: 21
  Policy from config file: targeted

  $getsebool -a | grep http

  allow_httpd_anon_write --> off
  allow_httpd_bugzilla_script_anon_write --> off
  allow_httpd_cvs_script_anon_write --> off
  allow_httpd_mod_auth_pam --> off
  allow_httpd_nagios_script_anon_write --> off
  allow_httpd_prewikka_script_anon_write --> off
  allow_httpd_squid_script_anon_write --> off
  allow_httpd_sys_script_anon_write --> off
  httpd_builtin_scripting --> on
  httpd_can_network_connect --> off
  httpd_can_network_connect_db --> off
  httpd_can_network_relay --> off
  httpd_can_sendmail --> on
  httpd_disable_trans --> off
  httpd_enable_cgi --> on
  httpd_enable_ftp_server --> off
  httpd_enable_homedirs --> on
  httpd_execmem --> off
  httpd_read_user_content --> off
  httpd_rotatelogs_disable_trans --> off
  httpd_setrlimit --> off
  httpd_ssi_exec --> off
  httpd_suexec_disable_trans --> off
  httpd_tty_comm --> on
  httpd_unified --> on
  httpd_use_cifs --> off
  httpd_use_nfs --> off

  $uname -r

  2.6.18-308.1.1.el5

Does anyone with SELinux / httpd experience know whether there is a context that matches what I am trying to do? Or should I just bite the bullet and write some custom policy for this?

Solution

Here are some snippets from http://wiki.centos.org/HowTos/SELinux#7 on how to create a custom policy module with audit2allow.

Try it

  setenforce 0
  grep phantomjs /var/log/audit/audit.log | audit2allow -m httpd_phantomjs > httpd_phantomjs.te
  cat httpd_phantomjs.te

Install it

  grep phantomjs /var/log/audit/audit.log | audit2allow -M httpd_phantomjs
  semodule -i httpd_phantomjs.pp
  ls /etc/selinux/targeted/modules/active/modules/ | grep httpd

Test it

  setenforce 1
  tail -f /var/log/audit/audit.log

This is untested, so update it as needed. Hope this works for you.
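The `cat httpd_phantomjs.te` step in the answer is the point where the generated module should actually be read before `semodule -i`, because every `allow` rule audit2allow derives is granted to the whole source domain (all of `httpd_t`), not just to phantomjs. The script below is an added example, not code from the question, the answer or the audit2allow project: it parses the AVC denial lines in the format the question shows, collapses them into the allow rules a module built from them would contain (a simplified re-implementation of audit2allow's grouping, with its `self` and brace conventions), applies the answer's `grep phantomjs` filter via the `comm` argument, and flags the rules a reviewer should question. The sample log is constructed from the question's own denials, and the `REVIEW_FLAGS` table is this example's own review policy, not anything audit2allow does.

```python
import re
from collections import defaultdict

# Constructed sample in the format the question shows: kernel audit type=1400
# records as they appear in /var/log/messages. Four denials come from
# comm="phantomjs"; one comes from the comm="sh" wrapper that probed ldconfig.
SAMPLE_LOG = """\
Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.014:398): avc: denied { getattr } for pid=6842 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
Sep 13 12:21:27 myserver kernel: type=1400 audit(1347531687.025:406): avc: denied { read } for pid=6890 comm="phantomjs" name="3830d5c3ddfd5cd38a049b759396e72e-x86-64.cache-2" dev=dm-0 ino=2021753 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
Sep 13 12:21:27 myserver kernel: type=1400 audit(1347531687.035:407): avc: denied { write } for pid=6890 comm="phantomjs" name="myusername" dev=dm-0 ino=619658 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
Sep 13 12:21:27 myserver kernel: type=1400 audit(1347531687.061:408): avc: denied { read } for pid=6890 comm="phantomjs" name="e3ead4b767b8819993a6fa3ae306afa9-x86-64.cache-2" dev=dm-0 ino=2021752 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
Sep 13 12:21:28 myserver kernel: type=1400 audit(1347531688.720:410): avc: denied { execmem } for pid=6890 comm="phantomjs" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
"""

# One AVC "denied" record: the requested permissions, the process name, and the
# source/target contexts plus object class that an allow rule is keyed on.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+pid=\d+\s+comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one log line; return None when it is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'comm': m.group('comm'),
        'stype': context_type(m.group('scontext')),
        'ttype': context_type(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def collect(log_text, comm=None):
    """Group denied permissions by (source type, target type, class).

    comm mirrors the answer's `grep phantomjs`: only denials whose comm field
    matches are kept, so the sh/ldconfig denials drop out of the module.
    """
    grouped = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d is None or (comm is not None and d['comm'] != comm):
            continue
        grouped[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(grouped)


def format_rule(key, perms):
    """Render one group as a TE allow rule (audit2allow style: `self` when the
    target is the source domain, braces only around multiple permissions)."""
    stype, ttype, tclass = key
    target = 'self' if stype == ttype else ttype
    perm_str = ' '.join(sorted(perms))
    if len(perms) > 1:
        perm_str = '{ %s }' % perm_str
    return 'allow %s %s:%s %s;' % (stype, target, tclass, perm_str)


def allow_rules(log_text, comm=None):
    """The allow rules a module built from these denials would contain."""
    return sorted(format_rule(k, p) for k, p in collect(log_text, comm).items())


# Permissions worth a second look before `semodule -i`. This table is the
# example's own (hypothetical) review policy, not part of audit2allow. Each rule
# is granted to the whole source domain (all of httpd_t), not to phantomjs alone.
REVIEW_FLAGS = {
    'execmem': 'writable+executable memory for every httpd_t process; '
               "the question's getsebool output lists an httpd_execmem boolean for this",
    'write': 'write access from the web server domain to a new target type; '
             'confirm the target (e.g. user_home_dir_t) should be writable from httpd at all',
}


def review(log_text, comm=None):
    """Return (rule, permission, note) triples for rules that grant a flagged permission."""
    findings = []
    for key, perms in sorted(collect(log_text, comm).items()):
        for perm in sorted(perms):
            if perm in REVIEW_FLAGS:
                findings.append((format_rule(key, perms), perm, REVIEW_FLAGS[perm]))
    return findings


if __name__ == '__main__':
    print('# rules the module would contain (comm=phantomjs filter, as in the answer):')
    for rule in allow_rules(SAMPLE_LOG, comm='phantomjs'):
        print(rule)
    print('# review before installing:')
    for rule, perm, note in review(SAMPLE_LOG, comm='phantomjs'):
        print('%s  <- %s: %s' % (rule, perm, note))
```

Running it on the sample shows three rules for the phantomjs denials and flags two of them: the `execmem` grant to `self:process` and the `write` grant on `user_home_dir_t`. Dropping the `comm` filter adds a fourth rule for the `ldconfig_exec_t` getattr denials from `sh`, which is exactly what `grep phantomjs` in the answer leaves out of the module.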
