On Fri, Feb 3, 2017 at 1:58 PM, Robert Moskowitz rgm@htt-consult.com wrote:
Gordon,
One would think that, but there is something off with at least the CubieTruck build. I will check that all those rpms are installed (pretty sure they are), but when I set up a web server with personal directories, I got permission errors on listing the files, but no problem displaying individual files. Plus there are all these SELinux warnings I am getting that seem to indicate something is amiss.
I am reaching the point of focusing on Fedora server for now. I had hopes of pushing Centos7-arm in a couple of business venues.
Are you certain it is an SELinux problem, and if so, are parent directory labels correct? The symptoms you are describing seem more typically indicative of an Apache configuration problem. Do tail -f on /var/log/audit/audit.log and see what appears there. If there is a SELinux violation, it will show up in there.
On 02/03/2017 09:05 AM, Gordan Bobic wrote:
Are you certain it is an SELinux problem, and if so, are parent directory labels correct? The symptoms you are describing seem more typically indicative of an Apache configuration problem. Do tail -f on /var/log/audit/audit.log and see what appears there. If there is a SELinux violation, it will show up in there.
I will switch drives back to the http drive, from my current dns setup work to try that.
Meanwhile, on this new drive I just tested to ensure that the selinux-policy and -targeted were installed. Seems that there is an update (I have not run yum update on this install test yet) and got the following. You can see that there is something wrong in SELinux land. What is "Class binder not defined in policy." and why is it not defined:
# yum install selinux-policy selinux-policy-targeted
Loaded plugins: fastestmirror
base | 3.6 kB 00:00
centos-kernel | 2.9 kB 00:00
extras | 2.9 kB 00:00
updates | 2.9 kB 00:00
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package selinux-policy.noarch 0:3.13.1-102.el7 will be updated
---> Package selinux-policy.noarch 0:3.13.1-102.el7.7 will be an update
---> Package selinux-policy-targeted.noarch 0:3.13.1-102.el7 will be updated
---> Package selinux-policy-targeted.noarch 0:3.13.1-102.el7.7 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
selinux-policy noarch 3.13.1-102.el7.7 updates 412 k
selinux-policy-targeted noarch 3.13.1-102.el7.7 updates 6.4 M

Transaction Summary
================================================================================
Upgrade 2 Packages

Total download size: 6.8 M
Is this ok [y/d/N]: y
Downloading packages:
Delta RPMs disabled because /usr/bin/applydeltarpm not installed.
(1/2): selinux-policy-3.13.1-102.el7.7.noarch.rpm | 412 kB 00:06
(2/2): selinux-policy-targeted-3.13.1-102.el7.7.noarch.rpm | 6.4 MB 00:09
--------------------------------------------------------------------------------
Total 719 kB/s | 6.8 MB 00:09
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : selinux-policy-3.13.1-102.el7.7.noarch 1/4
Updating : selinux-policy-targeted-3.13.1-102.el7.7.noarch 2/4
[58759.850413] SELinux: Class binder not defined in policy.
[58759.855917] SELinux: the above unknown classes and permissions will be allowed
Cleanup : selinux-policy-targeted-3.13.1-102.el7.noarch 3/4
Cleanup : selinux-policy-3.13.1-102.el7.noarch 4/4
Verifying : selinux-policy-3.13.1-102.el7.7.noarch 1/4
Verifying : selinux-policy-targeted-3.13.1-102.el7.7.noarch 2/4
Verifying : selinux-policy-targeted-3.13.1-102.el7.noarch 3/4
Verifying : selinux-policy-3.13.1-102.el7.noarch 4/4

Updated:
selinux-policy.noarch 0:3.13.1-102.el7.7 selinux-policy-targeted.noarch 0:3.13.1-102.el7.7

Complete!
I am not sure what exactly that class binder error is referring to, but I'm sure I've seen it on x86-64 as well, and from what I can tell it is safe to ignore.
On 02/03/2017 09:05 AM, Gordan Bobic wrote:
Are you certain it is an SELinux problem, and if so, are parent directory labels correct? The symptoms you are describing seem more typically indicative of an Apache configuration problem. Do tail -f on /var/log/audit/audit.log and see what appears there. If there is a SELinux violation, it will show up in there.
OK. Here goes. I attached my web server drive to my CubieTruck; I had left this drive all ready to go into production. SELinux enforced and all that. When I started up the tail, a bunch of messages were sent to the console. I then attempted to access one of my directories:
http://medon.htt-consult.com/~rgm/cubieboard/
Note, that this is a public server, and you too could try this. For as long as I have the server running on this address.
I got:
Forbidden
You don't have permission to access /~rgm/cubieboard/ on this server.
and all of the tail messages are:
# tail -f on /var/log/audit/audit.log
tail: cannot open 'on' for reading: No such file or directory
==> /var/log/audit/audit.log <==
type=SERVICE_STOP msg=audit(69.095:94): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-readahead-done comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=USER_ACCT msg=audit(1486134062.358:95): pid=1760 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1486134062.363:96): pid=1760 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1486134062.363:97): pid=1760 uid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295 auid=0 old-ses=4294967295 ses=2 res=1
type=USER_START msg=audit(1486134062.513:98): pid=1760 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1486134062.528:99): pid=1760 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1486134062.773:100): pid=1760 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1486134062.783:101): pid=1760 uid=0 auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SERVICE_START msg=audit(1486134482.523:102): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=SERVICE_STOP msg=audit(1486134482.528:103): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1486137172.395:104): avc: denied { read } for pid=1866 comm="httpd" name="cubieboard" dev="sda3" ino=262190 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1486137172.395:104): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=7f844440 a2=a4800 a3=0 items=0 ppid=624 pid=1866 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1486137172.395:104): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
I know from earlier testing, if I interactively change SELinux to permissive, the directory display works.
So what is next to try?
Bob
Have you done:
# setsebool -P httpd_enable_homedirs true
?
You may also need to do the following on each user's http exposed folder:
# chcon -R -t httpd_sys_content_t ~<username>/public_html
On 02/03/2017 11:07 AM, Gordan Bobic wrote:
Have you done:
# setsebool -P httpd_enable_homedirs true
?
Yes. That is in my notes to do.
You may also need to do the following on each user's http exposed folder:
# chcon -R -t httpd_sys_content_t ~<username>/public_html
No. I did:
restorecon -Rv /home
I am getting the same behavior with Fedora 25 Server image, so this is either something really wrong with SELinux on the Cubie, or something has changed....
I just tried this and it now WORKS!!!! Thanks Gordon. This is NOT in anything I have read on userdir and Apache 2.4.
ARGH!!!!
On Sun, Feb 5, 2017 at 4:49 AM, Robert Moskowitz rgm@htt-consult.com wrote:
On 02/03/2017 11:07 AM, Gordan Bobic wrote:
Have you done:
# setsebool -P httpd_enable_homedirs true
?
Yes. That is in my notes to do.
You may also need to do the following on each user's http exposed folder:
# chcon -R -t httpd_sys_content_t ~<username>/public_html
No. I did:
restorecon -Rv /home
There is a fundamental difference between the two. You need to label the httpd exported subtree specifically with the httpd_sys_content_t label. What restorecon will do is restore the default label which is user_home_dir_t.
I am getting the same behavior with Fedora 25 Server image, so this is either something really wrong with SELinux on the Cubie, or something has changed....
I think that rules out a software problem.
I just tried this and it now WORKS!!!! Thanks Gordon. This is NOT in anything I have read on userdir and Apache 2.4.
Glad I could help.
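
The AVC denial from the audit.log excerpt posted earlier in this thread, parsed and joined with the SYSCALL and PROCTITLE records that share its event id. This is an added example, not part of the original messages; the function names (parse_events, denials, decode_proctitle, selinux_type) are made up for illustration, and the sample records are copied from the log excerpt in the thread.

```python
import re
from collections import defaultdict

# Records copied from the audit.log excerpt in the thread (events 103 and 104).
SAMPLE_LOG = """\
type=SERVICE_STOP msg=audit(1486134482.528:103): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-tmpfiles-clean comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1486137172.395:104): avc: denied { read } for pid=1866 comm="httpd" name="cubieboard" dev="sda3" ino=262190 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1486137172.395:104): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=7f844440 a2=a4800 a3=0 items=0 ppid=624 pid=1866 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1486137172.395:104): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): ?(.*)$")
# Top-level key=value pairs; quoting inside msg='...' payloads is handled loosely.
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")


def parse_events(text):
    """Group audit records by event id (timestamp:serial) -> {record type: fields}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # blank or truncated line
        rtype, stamp, serial, body = m.groups()
        fields = {k: v.strip("\"'") for k, v in KV.findall(body)}
        if rtype == "AVC":
            p = PERMS.search(body)
            if p:
                fields["result"] = p.group(1)
                fields["perms"] = p.group(2).split()
        events[f"{stamp}:{serial}"][rtype] = fields
    return events


def selinux_type(context):
    """The third field of user:role:type:level is the type-enforcement label."""
    return context.split(":")[2]


def decode_proctitle(value):
    """PROCTITLE is usually hex-encoded argv with NUL separators."""
    try:
        return bytes.fromhex(value).decode("utf-8", "replace").replace("\x00", " ")
    except ValueError:
        return value  # already plain text


def denials(text):
    """One summary dict per AVC denial, joined with its SYSCALL and PROCTITLE."""
    out = []
    for event_id, recs in parse_events(text).items():
        avc = recs.get("AVC")
        if not avc or avc.get("result") != "denied":
            continue
        sc = recs.get("SYSCALL", {})
        out.append({
            "event": event_id,
            "source_type": selinux_type(avc["scontext"]),
            "target_type": selinux_type(avc["tcontext"]),
            "tclass": avc["tclass"],
            "perms": avc["perms"],
            "name": avc.get("name"),
            "enforced": avc.get("permissive") == "0",
            "exe": sc.get("exe"),
            "exit": int(sc["exit"]) if "exit" in sc else None,
            "cmdline": decode_proctitle(recs.get("PROCTITLE", {}).get("proctitle", "")),
        })
    return out


if __name__ == "__main__":
    for d in denials(SAMPLE_LOG):
        print(d)
```

For the thread's event this reports httpd_t denied read on a dir labelled httpd_user_content_t, enforced, with exit -13 (EACCES), which matches the symptom described: the directory listing is refused while individual files are served.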