On 02/03/2017 09:05 AM, Gordan Bobic wrote:
On Fri, Feb 3, 2017 at 1:58 PM, Robert Moskowitz <rgm@htt-consult.com> wrote:
Gordan, One would think that, but there is something off with at least the CubieTruck build. I will check that all those rpms are installed (pretty sure they are), but when I set up a web server with personal directories, I got permission errors on listing the files, but no problem displaying individual files. Plus there are all these SELinux warnings I am getting that seem to indicate something is amiss. I am reaching the point of focusing on Fedora server for now. I had hopes of pushing Centos7-arm in a couple of business venues.
Are you certain it is an SELinux problem, and if so, are parent directory labels correct? The symptoms you are describing seem more typically indicative of an Apache configuration problem. Do tail -f on /var/log/audit/audit.log and see what appears there. If there is a SELinux violation, it will show up in there.
OK. Here goes. I attached my web server drive to my CubieTruck; I had left this drive all ready to go into production. SELinux enforced and all that. When I started up the tail, a bunch of messages were sent to the console. I then attempted to access one of my directories:
http://medon.htt-consult.com/~rgm/cubieboard/
Note that this is a public server, and you too could try this, for as long as I have the server running on this address.
I got:
Forbidden
You don't have permission to access /~rgm/cubieboard/ on this server.
and all of the tail messages are:
# tail -f on /var/log/audit/audit.log
tail: cannot open 'on' for reading: No such file or directory
==> /var/log/audit/audit.log <==
type=SERVICE_STOP msg=audit(69.095:94): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-readahead-done comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1486134062.358:95): pid=1760 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1486134062.363:96): pid=1760 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1486134062.363:97): pid=1760 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 old-ses=4294967295 ses=2 res=1
type=USER_START msg=audit(1486134062.513:98): pid=1760 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1486134062.528:99): pid=1760 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1486134062.773:100): pid=1760 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1486134062.783:101): pid=1760 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SERVICE_START msg=audit(1486134482.523:102): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1486134482.528:103): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1486137172.395:104): avc: denied { read } for pid=1866 comm="httpd" name="cubieboard" dev="sda3" ino=262190 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1486137172.395:104): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=7f844440 a2=a4800 a3=0 items=0 ppid=624 pid=1866 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1486137172.395:104): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
I know from earlier testing, if I interactively change SELinux to permissive, the directory display works.
So what is next to try?
Bob
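The AVC record in Bob's paste is the violation Gordan said to look for. As an added example that is not part of the thread, here is a small Python parser that pulls such denials out of audit.log lines, joins each AVC record with the SYSCALL record sharing its serial, and reports the source domain, the target label and whether the denial was actually enforced (permissive=0). The sample lines are constructed by copying records from the paste above.

```python
import re
from collections import defaultdict

# Constructed sample, copied from the audit.log paste in this thread: an unrelated
# cron record, the httpd AVC denial, and the SYSCALL record sharing its serial (104).
SAMPLE_AUDIT_LOG = """\
type=CRED_DISP msg=audit(1486134062.773:100): pid=1760 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=AVC msg=audit(1486137172.395:104): avc: denied { read } for pid=1866 comm="httpd" name="cubieboard" dev="sda3" ino=262190 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1486137172.395:104): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=7f844440 a2=a4800 a3=0 items=0 ppid=624 pid=1866 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \}')
KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one audit line into a dict; None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {'type': rtype, 'ts': float(ts), 'serial': int(serial)}
    rec.update((k, v.strip('"')) for k, v in KV_RE.findall(body))
    avc = AVC_RE.search(body)
    if avc:  # only AVC records carry a decision and a permission set
        rec['decision'], rec['perms'] = avc.group(1), avc.group(2).split()
    return rec

def find_denials(log_text):
    """Return AVC denials, each joined with the SYSCALL record sharing its serial."""
    by_serial = defaultdict(dict)
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        by_serial[rec['serial']][rec['type']] = rec
    denials = []
    for serial, recs in sorted(by_serial.items()):
        avc = recs.get('AVC')
        if not avc or avc.get('decision') != 'denied':
            continue
        sc = recs.get('SYSCALL', {})  # same serial => same kernel event
        denials.append({
            'serial': serial, 'comm': avc.get('comm'), 'perms': avc['perms'],
            'name': avc.get('name'), 'tclass': avc.get('tclass'),
            'scontext': avc.get('scontext'), 'tcontext': avc.get('tcontext'),
            # the third field of a context is its type, e.g. httpd_user_content_t
            'ttype': avc.get('tcontext', '::?').split(':')[2],
            'enforced': avc.get('permissive') == '0',  # 0 => access was really blocked
            'exe': sc.get('exe'), 'uid': sc.get('uid'), 'exit': sc.get('exit'),
        })
    return denials
```

Run on the sample it yields one enforced denial: httpd_t reading dir "cubieboard" labelled httpd_user_content_t, exit -13 (EACCES), which is exactly the Forbidden response Bob saw.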