[Arm-dev] SOLVED - Re: Anyone running named on armv7 with selinux?

Sun Feb 5 04:49:59 UTC 2017
Robert Moskowitz <rgm at htt-consult.com>


On 02/03/2017 11:07 AM, Gordan Bobic wrote:
> Have you done:
> # setsebool -P httpd_enable_homedirs true
> ?

Yes.  That is in my notes to do.

> You may also need to do the following on each user's http exposed folder:
> # chcon -R -t httpd_sys_content_t ~<username>/public_html/

No.  I did:

restorecon -Rv /home

I am getting the same behavior with Fedora 25 Server image, so this is 
either something really wrong with SELinux on the Cubie, or something 
has changed....

I just tried this and it now WORKS!!!!  Thanks Gordan.  This is NOT in 
anything I have read on userdir and Apache 2.4.

ARGH!!!!

> On Fri, Feb 3, 2017 at 3:59 PM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>
>
>
>     On 02/03/2017 09:05 AM, Gordan Bobic wrote:
>>     On Fri, Feb 3, 2017 at 1:58 PM, Robert Moskowitz
>>     <rgm at htt-consult.com> wrote:
>>
>>         Gordan,
>>
>>         One would think that, but there is something off with at
>>         least the CubieTruck build.  I will check that all those rpms
>>         are installed (pretty sure they are), but when I set up a web
>>         server with personal directories, I got permission errors on
>>         listing the files, but no problem displaying individual
>>         files.  Plus there are all these SELinux warnings I am
>>         getting that seem to indicate something is amiss.
>>
>>         I am reaching the point of focusing on Fedora server for
>>         now.  I had hopes of pushing Centos7-arm in a couple of
>>         business venues.
>>
>>
>>
>>
>>     Are you certain it is an SELinux problem, and if so, are parent
>>     directory labels correct?
>>     The symptoms you are describing seem more typically indicative of
>>     an Apache configuration problem.
>>     Do tail -f on /var/log/audit/audit.log and see what appears
>>     there. If there is a SELinux violation, it will show up in there.
>
>     OK.  Here goes.  I attached my web server drive to my CubieTruck;
>     I had left this drive all ready to go into production.  SELinux
>     enforced and all that.  When I started up the tail, a bunch of
>     messages were sent to the console.  I then attempted to access one
>     of my directories:
>
>     http://medon.htt-consult.com/~rgm/cubieboard/
>
>     Note that this is a public server, and you too could try this,
>     for as long as I have the server running on this address.
>
>     I got:
>
>     Forbidden
>
>     You don't have permission to access /~rgm/cubieboard/ on this server.
>
>     and all of the tail messages are:
>
>     # tail -f on /var/log/audit/audit.log
>     tail: cannot open 'on' for reading: No such file or directory
>     ==> /var/log/audit/audit.log <==
>     type=SERVICE_STOP msg=audit(69.095:94): pid=1 uid=0
>     auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>     msg='unit=systemd-readahead-done comm="systemd"
>     exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>     res=success'
>     type=USER_ACCT msg=audit(1486134062.358:95): pid=1760 uid=0
>     auid=4294967295 ses=4294967295
>     subj=system_u:system_r:crond_t:s0-s0:c0.c1023
>     msg='op=PAM:accounting grantors=pam_access,pam_unix acct="root"
>     exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
>     type=CRED_ACQ msg=audit(1486134062.363:96): pid=1760 uid=0
>     auid=4294967295 ses=4294967295
>     subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
>     grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond"
>     hostname=? addr=? terminal=cron res=success'
>     type=LOGIN msg=audit(1486134062.363:97): pid=1760 uid=0
>     subj=system_u:system_r:crond_t:s0-s0:c0.c1023 old-auid=4294967295
>     auid=0 old-ses=4294967295 ses=2 res=1
>     type=USER_START msg=audit(1486134062.513:98): pid=1760 uid=0
>     auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
>     msg='op=PAM:session_open
>     grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd
>     acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
>     res=success'
>     type=CRED_REFR msg=audit(1486134062.528:99): pid=1760 uid=0 auid=0
>     ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
>     msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root"
>     exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
>     type=CRED_DISP msg=audit(1486134062.773:100): pid=1760 uid=0
>     auid=0 ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
>     msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root"
>     exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
>     type=USER_END msg=audit(1486134062.783:101): pid=1760 uid=0 auid=0
>     ses=2 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
>     msg='op=PAM:session_close
>     grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd
>     acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
>     res=success'
>     type=SERVICE_START msg=audit(1486134482.523:102): pid=1 uid=0
>     auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>     msg='unit=systemd-tmpfiles-clean comm="systemd"
>     exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>     res=success'
>     type=SERVICE_STOP msg=audit(1486134482.528:103): pid=1 uid=0
>     auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
>     msg='unit=systemd-tmpfiles-clean comm="systemd"
>     exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=?
>     res=success'
>     type=AVC msg=audit(1486137172.395:104): avc:  denied  { read }
>     for  pid=1866 comm="httpd" name="cubieboard" dev="sda3" ino=262190
>     scontext=system_u:system_r:httpd_t:s0
>     tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>     permissive=0
>     type=SYSCALL msg=audit(1486137172.395:104): arch=40000028
>     syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=7f844440
>     a2=a4800 a3=0 items=0 ppid=624 pid=1866 auid=4294967295 uid=48
>     gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
>     tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd"
>     subj=system_u:system_r:httpd_t:s0 key=(null)
>     type=PROCTITLE msg=audit(1486137172.395:104):
>     proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>
>
>     I know from earlier testing, if I interactively change SELinux to
>     permissive, the directory display works.
>
>     So what is next to try?
>
>     Bob
>
>
>     _______________________________________________
>     Arm-dev mailing list
>     Arm-dev at centos.org
>     https://lists.centos.org/mailman/listinfo/arm-dev
>
>
>
>

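The diagnosis in this thread came down to reading the one `type=AVC` record buried among the cron and systemd noise in audit.log, and then deciding whether the fix is a boolean (`httpd_enable_homedirs`) or a relabel (`chcon -t httpd_sys_content_t` / `restorecon`). The script below is an added example, not code from the thread or from the Arm-dev list: it filters AVC denials out of audit.log lines, reduces each to source domain, target type, object class, object name and denied permission, and maps the httpd cases to the two checks discussed above. The sample input embeds the AVC and SYSCALL records quoted by Bob, re-joined onto single lines as audit.log writes them; the `suggest_fix` mapping and its wording are my own assumptions, not output of any SELinux tool.

```shell
#!/bin/sh
# Summarise SELinux AVC denials from audit.log-style lines and suggest which
# of the two checks from the thread applies. POSIX sh + awk only.

# Constructed sample: the SERVICE_STOP, AVC and SYSCALL records quoted in the
# thread, each restored to a single line (the mail client had wrapped them).
SAMPLE_AUDIT=$(cat <<'EOF'
type=SERVICE_STOP msg=audit(69.095:94): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-readahead-done comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1486137172.395:104): avc:  denied  { read } for  pid=1866 comm="httpd" name="cubieboard" dev="sda3" ino=262190 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1486137172.395:104): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=7f844440 a2=a4800 a3=0 items=0 ppid=624 pid=1866 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
EOF
)

# summarize_avc: read audit lines on stdin, print one line per denied AVC:
#   <comm> <source domain> <target type> <tclass> <object name> <permissions...>
# The permission list goes last so a multi-permission denial ("{ read open }")
# still splits cleanly with a single `read`.
summarize_avc() {
    awk '
    $1 == "type=AVC" && /avc: +denied/ {
        perm = ""
        if (match($0, /\{ [^}]* \}/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        sc = ""; tc = ""; cls = ""; comm = ""; name = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            gsub(/"/, "", kv[2])
            if      (kv[1] == "scontext") sc   = kv[2]
            else if (kv[1] == "tcontext") tc   = kv[2]
            else if (kv[1] == "tclass")   cls  = kv[2]
            else if (kv[1] == "comm")     comm = kv[2]
            else if (kv[1] == "name")     name = kv[2]
        }
        split(sc, s, ":"); split(tc, t, ":")   # user:role:type:level -> type is [3]
        printf "%s %s %s %s %s %s\n", comm, s[3], t[3], cls, name, perm
    }'
}

# suggest_fix <source domain> <target type> <tclass>
# Hypothetical mapping of the two remedies from the thread; wording is mine.
suggest_fix() {
    case "$1:$2:$3" in
        httpd_t:httpd_user_content_t:*)
            echo "boolean: check getsebool httpd_enable_homedirs; enable with setsebool -P httpd_enable_homedirs on" ;;
        httpd_t:*)
            echo "label: $2 is not an httpd content type; dry-run restorecon -Rvn on the path, or relabel with chcon -R -t httpd_sys_content_t" ;;
        *)
            echo "no rule for $1 on $2 ($3)" ;;
    esac
}

# Stand-alone run: report each denial in the sample with its suggested check.
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc |
while read -r comm sdom ttype cls name perm; do
    echo "$comm ($sdom) denied $perm on $cls '$name' labelled $ttype"
    echo "  -> $(suggest_fix "$sdom" "$ttype" "$cls")"
done
```

On a live box the same filter runs as `summarize_avc < /var/log/audit/audit.log` (or behind `tail -f`), which is the step Gordan suggested; the script only narrows the log to the records that matter, the decision between boolean and relabel is still yours.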