[CentOS] Help with httpd userdir recovery

Robert Moskowitz rgm at htt-consult.com
Wed Dec 28 23:06:49 UTC 2016



On 12/28/2016 04:24 PM, m.roth at 5-cent.us wrote:
> Robert Moskowitz wrote:
>>
>> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>>> On 28/12/16 20:11, Robert Moskowitz wrote:
>>>> On 12/28/2016 01:53 PM, m.roth at 5-cent.us wrote:
>>>>> Robert Moskowitz wrote:
>>>>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>>>>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
>>>>>>> <rgm at htt-consult.com>
>>>>>>> wrote:
>>>>>>>> Which is why I wonder if there is some different config for the
>>>>>>>> C7.3
>>>>>>>> version
>>>>>>>> of apache.
>>>>>>>>
>>>>>>>> Or something with the C7-arm build...
>>>>>>> Can you check for SELinux warnings/errors in
>>>>>>> /var/log/audit/audit.log?
>>>>>> Good advice.  As I suspect the problem is with SELinux.
>>>>>>
>>>>>> So I tried an access.  What follows is the access_log entry, the
>>>>>> error_log entry and the 3 entries in the audit.log:
>>>>>>
>>>>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>>>>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
>>>>>> rv:50.0)
>>>>>> Gecko/20100101 Firefox/50.0"
>>>>>>
>>>>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>>>>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
>>>>>> open
>>>>>> directory for index: /home/rgm/public_html/family/
>>>>>>
>>>>>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>>>>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>>>>>> permissive=0
>>>>>>
>>>>>> type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322
>>>>>> per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0
>>>>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
>>>>>> suid=48
>>>>>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>>>>> comm="httpd"
>>>>>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>
>>>>>> type=PROCTITLE msg=audit(1482944350.289:339):
>>>>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>>>>
>>>>>>
>>>>>> I will say that after enabling selinux on this image per the
>>>>>> instructions of the team doing the Centos7-arm builds, I got the
>>>>>> following messages when I did things like 'setsebool -P
>>>>>> httpd_enable_homedirs on':
>>>>>>
>>>>>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>>>>>> [ 2273.052531] SELinux: the above unknown classes and permissions
>>>>>> will
>>>>>> be allowed
>>>>>>
>>>>>>
>>>>>> So something may well not be right with my SELinux.
>>>>>>
>>>>> Bang. I would suggest, at this point, that you might want to set
>>>>> selinux
>>>>> into permissive mode, so you'll get the error messages from it, and
>>>>> can
>>>>> work out fixes, but will let your system operate as you intend.
>>>>> setselinux 0
>>>>>
>>>>> Note that this is *temporary*, and will revert on reboot. To make it
>>>>> permanent, you'd need to edit /etc/selinux/config.
>>>> Thanks, Mark, I was just getting around to that way of thinking.
>>>>
>>>> The command, at least on my Centos7-arm system is
>>>>
>>>> setenforce 0
>>>>
>>>> A presto it works.  So now to figure out what is wrong with SELinux on
>>>> this image.
>>>>
>>>> _______________________________________________
>>>> CentOS mailing list
>>>> CentOS at centos.org
>>>> https://lists.centos.org/mailman/listinfo/centos
>>> Have you got the setroubleshoot-server package installed?  For x86_64 it
>>> is part of the base repository, obviously arm may differ.  The package
>>> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
>>> menu, or it can be launched via:
>> No GUI in the base image.  And on arm, we tend to use Xfce.
>>
>>> # /usr/bin/python -Es /usr/bin/sealert -s
>> no sealert bin file, so it is off to install it.
>>
>>> It generates suggestions to fix SELinux issues.  Sometimes it is quite
>>> useful, on other occasions it just lists vast numbers of possibilities
>>> with little or no help.  On balance it is worth trying for when it does
>>> help.
>> I have never had it make useful suggestions to me on my notebook, but we
>> will see...
>>
>> so here is what happens after I install it:
>>
>> # /usr/bin/python -Es /usr/bin/sealert -s
>> Opps, sealert hit an error!
>>
>> Traceback (most recent call last):
>>     File "/usr/bin/sealert", line 651, in <module>
>>       import gtk
>> ImportError: No module named gtk
>>
>> If it needs a GUI, then that won't work here.  Headless system.
>>
> Nahh... you want to install setroubleshoot.

# yum install setroubleshoot
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
No package setroubleshoot available.
Error: Nothing to do


:(
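
Without sealert or setroubleshoot available, the AVC, SYSCALL and PROCTITLE records quoted earlier in this thread can still be read by hand. The following is an added example, not code from the thread or from any CentOS tool: a small parser that groups the three records by their audit serial number, decodes the hex-encoded PROCTITLE into argv, checks whether the denial was actually enforced (`permissive=0`) and whether the syscall failed, and flags the httpd_t / httpd_user_content_t pairing that the thread attributes to the `httpd_enable_homedirs` boolean. The sample input is the thread's own three records re-joined onto single lines; the hint text is this example's own wording, not an official setroubleshoot rule.

```python
import re
from datetime import datetime, timezone

# Constructed sample input: the three audit records quoted in the thread,
# each re-joined onto one line as they appear in /var/log/audit/audit.log.
SAMPLE_AUDIT = """
type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
"""

RECORD_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$")
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_fields(text):
    """Split 'k=v k2="v 2"' into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def decode_proctitle(hexstr):
    """PROCTITLE hex-encodes argv with NUL separators; return it as a list."""
    raw = bytes.fromhex(hexstr)
    return [arg.decode("utf-8", "replace") for arg in raw.split(b"\x00") if arg]


def parse_audit(text):
    """Group audit records by serial number; returns {serial: event dict}."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        ev = events.setdefault(int(m["serial"]), {"timestamp": float(m["ts"])})
        body = m["body"]
        if m["type"] == "AVC":
            a = AVC_RE.match(body)
            if a is None:          # not an access-vector line; skip rather than guess
                continue
            ev["avc"] = {"verdict": a["verdict"], "perms": a["perms"].split(),
                         **parse_fields(a["fields"])}
        elif m["type"] == "SYSCALL":
            ev["syscall"] = parse_fields(body)
        elif m["type"] == "PROCTITLE":
            ev["argv"] = decode_proctitle(parse_fields(body)["proctitle"])
    return events


def selinux_type(context):
    """user:role:type:level -> the type (third field)."""
    return context.split(":")[2]


def triage(event):
    """Summarise one grouped event; returns None if it carries no AVC record."""
    avc = event.get("avc")
    if avc is None:
        return None
    src, tgt = selinux_type(avc["scontext"]), selinux_type(avc["tcontext"])
    when = datetime.fromtimestamp(event["timestamp"], timezone.utc)
    summary = {
        "time_utc": when.strftime("%Y-%m-%dT%H:%M:%SZ"),
        "verdict": avc["verdict"],
        "enforced": avc.get("permissive") == "0",   # permissive=1 would only log
        "source_type": src,
        "target_type": tgt,
        "tclass": avc.get("tclass"),
        "perms": avc["perms"],
        "object": avc.get("name"),
        "argv": event.get("argv", []),
        "hints": [],
    }
    sc = event.get("syscall", {})
    if sc.get("success") == "no":
        summary["hints"].append(
            "syscall failed with exit=%s, so the application saw the denial" % sc.get("exit"))
    # Hypothetical hint table: only the pairing discussed in this thread.
    if src == "httpd_t" and tgt == "httpd_user_content_t":
        summary["hints"].append(
            "httpd reading user content: check 'getsebool httpd_enable_homedirs'")
    return summary


if __name__ == "__main__":
    for serial, ev in parse_audit(SAMPLE_AUDIT).items():
        print(serial, triage(ev))
```

Run against the sample, the output shows the denial happened at 16:59:10 UTC (the 11:59:10 -0500 entry in access_log), that it was enforced rather than merely logged, that the process was `/usr/sbin/httpd -DFOREGROUND`, and that the failing open() returned -13 (EACCES), which is the "(13)Permission denied" seen in error_log. The same parser works on a live `grep AVC /var/log/audit/audit.log` feed; the point of keeping `enforced` separate is that after `setenforce 0` the denials keep appearing with `permissive=1`, so the log still tells you what policy would block once enforcing mode is restored.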
