I have set up SELinux on a Debian Squeeze system that runs a Joomla website. The Joomla PHP code wants write access to some cache directories.
/var/log/messages contains the following entries:
    Dec 31 10:26:16 s0022 kernel: [ 2116.423199] type=1400 audit(1356945976.634:14831): avc: denied { write } for pid=1886 comm="apache2" name="_system" dev=xvda3 ino=790893 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_t:s0 tclass=dir
    Dec 31 10:26:16 s0022 kernel: [ 2116.447613] type=1400 audit(1356945976.658:14837): avc: denied { write } for pid=1886 comm="apache2" name="mod_mainmenu" dev=xvda3 ino=791346 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_t:s0 tclass=dir
The directories corresponding to those inode values are writable by apache2 (which runs as wwwrun). The cache files are created when SELinux is switched off, but not when it is active. Note, however, that the path to these directories differs from the default DocumentRoot of Debian Squeeze.
    # ls -ldZ cache cache/_system cache/mod_mainmenu
    drwxrwxr-x. 5 wwwrun www unconfined_u:object_r:httpd_t:s0 4096 Dec 29 23:13 cache
    drwxrwxr-x. 2 wwwrun www unconfined_u:object_r:httpd_t:s0 4096 Dec 30 19:31 cache/mod_mainmenu
    drwxrwxr-x. 2 wwwrun www unconfined_u:object_r:httpd_t:s0 4096 Dec 30 19:31 cache/_system
I have also tried enabling the write-related boolean flags, but that did not help either:
    # getsebool -a | grep httpd
    allow_httpd_anon_write --> on
    allow_httpd_mod_auth_pam --> off
    allow_httpd_sys_script_anon_write --> on
    allow_httpd_user_script_anon_write --> on
    httpd_builtin_scripting --> off
    httpd_can_network_connect --> off
    httpd_can_network_connect_db --> on
    httpd_can_network_relay --> off
    httpd_can_sendmail --> off
    httpd_dbus_avahi --> off
    httpd_enable_cgi --> off
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> on
    httpd_ssi_exec --> off
    httpd_tty_comm --> off
    httpd_unified --> off
    httpd_use_cifs --> off
    httpd_use_gpg --> off
    httpd_use_nfs --> off
I have used audit2allow before to build loadable modules that grant write access to other daemons (for rotatelog, for example), but I don't think that is the right approach here. A module for httpd already exists, and I would rather not touch it in any way if that can be avoided.
I just want a way to let apache2/PHP/Joomla write to specific directories inside my particular DocumentRoot, without granting write access to anything else. Please advise.
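As an added analysis helper (not part of the question above and not an SELinux tool), this Python script parses the two AVC denial lines quoted in the question and points out what they say: apache2, running in the httpd_t domain, is refused write on directories whose label is also httpd_t. The mislabel check assumes the reference-policy convention that a process domain type is not used as a file label and that web content carries an httpd content type instead.

```python
import re
from typing import Dict, List

# An AVC record: the permission set in braces, then key=value pairs.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# The two denials quoted in the question, one record per list entry.
SAMPLE = [
    'Dec 31 10:26:16 s0022 kernel: [ 2116.423199] type=1400 audit(1356945976.634:14831): '
    'avc: denied { write } for pid=1886 comm="apache2" name="_system" dev=xvda3 ino=790893 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_t:s0 tclass=dir',
    'Dec 31 10:26:16 s0022 kernel: [ 2116.447613] type=1400 audit(1356945976.658:14837): '
    'avc: denied { write } for pid=1886 comm="apache2" name="mod_mainmenu" dev=xvda3 ino=791346 '
    'scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_t:s0 tclass=dir',
]


def parse_avc(line: str) -> Dict[str, str]:
    """Return the fields of one AVC denial (perms, pid, comm, name, scontext, ...)."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial line: %r" % line)
    rec = {"perms": m.group("perms")}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx: str) -> str:
    """Pick the type field out of a user:role:type:level security context."""
    return ctx.split(":")[2]


def looks_mislabelled(rec: Dict[str, str]) -> bool:
    """True when a file/dir carries the accessing process's own domain type."""
    # Assumption (reference-policy convention): a process domain such as httpd_t
    # is not meant as a file label; web content gets an httpd content type.
    return (rec.get("tclass") in ("file", "dir")
            and context_type(rec["tcontext"]) == context_type(rec["scontext"]))


def summarise(lines: List[str]) -> List[str]:
    """One readable line per denial, flagging suspected mislabels."""
    out = []
    for line in lines:
        if "avc:" not in line:
            continue  # ordinary kernel message, not an audit record
        r = parse_avc(line)
        flag = "  <- target carries a process domain, relabel it" if looks_mislabelled(r) else ""
        out.append("%s (%s) denied %s on %s %s labelled %s%s" % (
            r["comm"], context_type(r["scontext"]), r["perms"], r["tclass"],
            r["name"], context_type(r["tcontext"]), flag))
    return out
```

Run `summarise(SAMPLE)` on the quoted lines and both entries are flagged, which is the detail the booleans cannot fix, since they only widen what httpd_t may do with properly labelled content types.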