On 12/28/2016 06:33 PM, Greg Cornell wrote:
> On 12/28/16, 3:28 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces at centos.org on behalf of rgm at htt-consult.com> wrote:
>
> On 12/28/2016 06:13 PM, Greg Cornell wrote:
>> On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces at centos.org on behalf of rgm at htt-consult.com> wrote:
>>
>> On 12/28/2016 06:05 PM, J Martin Rushton wrote:
>>> On 28/12/16 21:24, m.roth at 5-cent.us wrote:
>>>> Robert Moskowitz wrote:
>>>>> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>>>>>> On 28/12/16 20:11, Robert Moskowitz wrote:
>>>>>>> On 12/28/2016 01:53 PM, m.roth at 5-cent.us wrote:
>>>>>>>> Robert Moskowitz wrote:
>>>>>>>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>>>>>>>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz <rgm at htt-consult.com> wrote:
>>>>>>>>>>> Which is why I wonder if there is some different config for the C7.3 version of apache.
>>>>>>>>>>>
>>>>>>>>>>> Or something with the C7-arm build...
>>>>>>>>>> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?
>>>>>>>>> Good advice. As I suspect the problem is with SELinux.
>>>>>>>>>
>>>>>>>>> So I tried an access. What follows is the access_log entry, the error_log entry and the 3 entries in the audit.log:
>>>>>>>>>
>>>>>>>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/ HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"
>>>>>>>>>
>>>>>>>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141] (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open directory for index: /home/rgm/public_html/family/
>>>>>>>>>
>>>>>>>>> type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
>>>>>>>>>
>>>>>>>>> type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>>>>
>>>>>>>>> type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>>>>>>>
>>>>>>>>> I will say that after enabling selinux on this image per the instructions of the team doing the Centos7-arm builds, I got the following messages when I did things like 'setsebool -P httpd_enable_homedirs on':
>>>>>>>>>
>>>>>>>>> [ 2273.047017] SELinux: Class binder not defined in policy.
>>>>>>>>> [ 2273.052531] SELinux: the above unknown classes and permissions will be allowed
>>>>>>>>>
>>>>>>>>> So something may well not be right with my SELinux.
>>>>>>>>>
>>>>>>>> Bang. I would suggest, at this point, that you might want to set selinux into permissive mode, so you'll get the error messages from it, and can work out fixes, but will let your system operate as you intend.
>>>>>>>> setselinux 0
>>>>>>>>
>>>>>>>> Note that this is *temporary*, and will revert on reboot. To make it permanent, you'd need to edit /etc/selinux/config.
>>>>>>> Thanks, Mark, I was just getting around to that way of thinking.
>>>>>>>
>>>>>>> The command, at least on my Centos7-arm system, is
>>>>>>>
>>>>>>> setenforce 0
>>>>>>>
>>>>>>> And presto, it works. So now to figure out what is wrong with SELinux on this image.
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> CentOS mailing list
>>>>>>> CentOS at centos.org
>>>>>>> https://lists.centos.org/mailman/listinfo/centos
>>>>>> Have you got the setroubleshoot-server package installed? For x86_64 it is part of the base repository, obviously arm may differ. The package installs a "SELinux Troubleshooter" entry in the Applications/Sundry menu, or it can be launched via:
>>>>> No GUI in the base image. And on arm, we tend to use Xfce.
>>>>>
>>>>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>>>> no sealert bin file, so it is off to install it.
>>>>>
>>>>>> It generates suggestions to fix SELinux issues. Sometimes it is quite useful, on other occasions it just lists vast numbers of possibilities with little or no help. On balance it is worth trying for when it does help.
>>>>> I have never had it make useful suggestions to me on my notebook, but we will see...
>>>>>
>>>>> so here is what happens after I install it:
>>>>>
>>>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>>>> Opps, sealert hit an error!
>>>>>
>>>>> Traceback (most recent call last):
>>>>>   File "/usr/bin/sealert", line 651, in <module>
>>>>>     import gtk
>>>>> ImportError: No module named gtk
>>>>>
>>>>> If it needs a GUI, then that won't work here. Headless system.
>>>>>
>>>> Nahh... you want to install setroubleshoot.
>>>>
>>>> mark
>>>>
>>> Sorry, missed the no GUI if it was mentioned earlier.
>> Never mentioned it. I have not checked to see what GUI has been ported to try and load something. I *DO* use Xfce with Fedora-arm systems. But I would have to hook this little server up to such.
>>
>>> You _might_ get away with ssh -Y from a workstation but you might end up wasting time. No guarantees I'm afraid. :-)
>>> Martin
>> Yeah, ssh -Y can be such fun with a headless system.
>>
>> Sorry, I’m a bit late to this thread so I don’t know if anyone has mentioned this already. What does
>>
>> $ getsebool httpd_enable_homedirs
>>
> # getsebool httpd_enable_homedirs
> httpd_enable_homedirs --> on
>
> This was mentioned earlier. One thing I did not mention was when I ran the set command, I also got back the following, which I have gotten on all selinux changes:
>
> # setsebool -P httpd_enable_homedirs on
> [ 8192.799162] SELinux: Class binder not defined in policy.
> [ 8192.804646] SELinux: the above unknown classes and permissions will be allowed
>
> Other than some SELinux guru pointing me to things to do, I will probably have to wait until the C7-arm builders chime in on the centos-arm list.
>
> I’m not sure but I think those two warnings mean that your kernel and selinux policy are out of sync.

The first time was when I did the yum update after the basic image install, adding chronyd to keep time, and enabling selinux. Then again when I changed the ssh port and finally when setting userdir. To test if it was the yum update would take setting up another image. Not too hard, but I am scheduled to go away for the weekend.
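An added triage helper, written for this page and not posted by anyone in the thread: it parses the three audit.log records Robert quoted, joins them by their shared serial, decodes the hex proctitle and reduces the event to which domain was denied which permission on which type, which is what separates a wrong file label from a boolean or policy problem. The sample input is constructed from the records quoted above, and the `hint()` wording is this example's own reading of the thread, not sealert output.

```python
import re

# Constructed sample input: the three audit.log records quoted in the thread (one event, serial 339).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # per-event serial shared by all three records
PERM_RE = re.compile(r'\{\s*([^}]*?)\s*\}')             # "{ read }" in an AVC record

def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["serial"] = SERIAL_RE.search(line).group(1)
    if rec.get("type") == "AVC":
        rec["perms"] = PERM_RE.search(line).group(1).split()
    return rec

def group_events(text):
    """Join the AVC, SYSCALL and PROCTITLE records that share a serial."""
    events = {}
    for line in filter(None, text.splitlines()):
        rec = parse_record(line)
        events.setdefault(rec["serial"], {})[rec["type"]] = rec
    return events

def summarize(event):
    """Reduce one grouped event to the facts needed to triage the denial."""
    avc, sc, pt = event["AVC"], event.get("SYSCALL", {}), event.get("PROCTITLE", {})
    # proctitle is hex with a NUL between argv entries; decode it back to a command line
    cmd = bytes.fromhex(pt["proctitle"]).replace(b"\0", b" ").decode() if "proctitle" in pt else None
    return {
        "source_type": avc["scontext"].split(":")[2],   # domain of the process, e.g. httpd_t
        "target_type": avc["tcontext"].split(":")[2],   # label of the object, e.g. httpd_user_content_t
        "tclass": avc["tclass"], "perms": avc["perms"],
        "enforced": avc.get("permissive") == "0",       # permissive=0: the access really was refused
        "errno": int(sc["exit"]) if sc else None,       # -13 is EACCES, matching the 403 in access_log
        "cmdline": cmd,
    }

def hint(s):
    """Defender-side reading: a relabel only helps when the target type is wrong for the path."""
    if s["source_type"] == "httpd_t" and s["target_type"] == "httpd_user_content_t":
        return ("target already has the label expected for ~/public_html; do not relabel, "
                "check the httpd_enable_homedirs boolean and the kernel/policy mismatch warnings")
    return "unexpected type pair; check the file context of the target first"
```

Feeding the real /var/log/audit/audit.log through `group_events()` instead of the sample groups every denial by serial the same way, so the same summary works on a live system without sealert or a GUI.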