[CentOS] Help with httpd userdir recovery

Robert Moskowitz rgm at htt-consult.com
Wed Dec 28 23:55:40 UTC 2016



On 12/28/2016 06:33 PM, Greg Cornell wrote:
> On 12/28/16, 3:28 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces at centos.org on behalf of rgm at htt-consult.com> wrote:
>
> On 12/28/2016 06:13 PM, Greg Cornell wrote:
>> On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" <centos-bounces at centos.org on behalf of rgm at htt-consult.com> wrote:
>>
>>
>>
>> On 12/28/2016 06:05 PM, J Martin Rushton wrote:
>>> On 28/12/16 21:24, m.roth at 5-cent.us wrote:
>>>> Robert Moskowitz wrote:
>>>>> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>>>>>> On 28/12/16 20:11, Robert Moskowitz wrote:
>>>>>>> On 12/28/2016 01:53 PM, m.roth at 5-cent.us wrote:
>>>>>>>> Robert Moskowitz wrote:
>>>>>>>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>>>>>>>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz
>>>>>>>>>> <rgm at htt-consult.com>
>>>>>>>>>> wrote:
>>>>>>>>>>> Which is why I wonder if there is some different config for the
>>>>>>>>>>> C7.3
>>>>>>>>>>> version
>>>>>>>>>>> of apache.
>>>>>>>>>>>
>>>>>>>>>>> Or something with the C7-arm build...
>>>>>>>>>> Can you check for SELinux warnings/errors in
>>>>>>>>>> /var/log/audit/audit.log?
>>>>>>>>> Good advice.  As I suspect the problem is with SELinux.
>>>>>>>>>
>>>>>>>>> So I tried an access.  What follows is the access_log entry, the
>>>>>>>>> error_log entry and the 3 entries in the audit.log:
>>>>>>>>>
>>>>>>>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>>>>>>>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
>>>>>>>>> rv:50.0)
>>>>>>>>> Gecko/20100101 Firefox/50.0"
>>>>>>>>>
>>>>>>>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>>>>>>>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
>>>>>>>>> open
>>>>>>>>> directory for index: /home/rgm/public_html/family/
>>>>>>>>>
>>>>>>>>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>>>>>>>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>>>>>>>>> permissive=0
>>>>>>>>>
>>>>>>>>> type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322
>>>>>>>>> per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0
>>>>>>>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
>>>>>>>>> suid=48
>>>>>>>>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>>>>>>>> comm="httpd"
>>>>>>>>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>>>>
>>>>>>>>> type=PROCTITLE msg=audit(1482944350.289:339):
>>>>>>>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I will say that after enabling selinux on this image per the
>>>>>>>>> instructions of the team doing the Centos7-arm builds, I got the
>>>>>>>>> following messages when I did things like 'setsebool -P
>>>>>>>>> httpd_enable_homedirs on':
>>>>>>>>>
>>>>>>>>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>>>>>>>>> [ 2273.052531] SELinux: the above unknown classes and permissions
>>>>>>>>> will
>>>>>>>>> be allowed
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> So something may well not be right with my SELinux.
>>>>>>>>>
>>>>>>>> Bang. I would suggest, at this point, that you might want to set
>>>>>>>> selinux
>>>>>>>> into permissive mode, so you'll get the error messages from it, and
>>>>>>>> can
>>>>>>>> work out fixes, but will let your system operate as you intend.
>>>>>>>> setselinux 0
>>>>>>>>
>>>>>>>> Note that this is *temporary*, and will revert on reboot. To make it
>>>>>>>> permanent, you'd need to edit /etc/selinux/config.
>>>>>>> Thanks, Mark, I was just getting around to that way of thinking.
>>>>>>>
>>>>>>> The command, at least on my Centos7-arm system is
>>>>>>>
>>>>>>> setenforce 0
>>>>>>>
>>>>>>> A presto it works.  So now to figure out what is wrong with SElinux on
>>>>>>> this image.
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> CentOS mailing list
>>>>>>> CentOS at centos.org
>>>>>>> https://lists.centos.org/mailman/listinfo/centos
>>>>>> Have you got the setroubleshoot-server package installed?  For x86_64 it
>>>>>> is part of the base repository, obviously arm may differ.  The package
>>>>>> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
>>>>>> menu, or it can be launched via:
>>>>> No GUI in the base image.  And on arm, we tend to use Xfce.
>>>>>
>>>>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>>>> no sealert bin file, so it is off to install it.
>>>>>
>>>>>> It generates suggestions to fix SELinux issues.  Sometimes it is quite
>>>>>> useful, on other occasions it just lists vast numbers of possibilities
>>>>>> with little or no help.  On balance it is worth trying for when it does
>>>>>> help.
>>>>> I have never had it make useful suggestions to me on my notebook, but we
>>>>> will see...
>>>>>
>>>>> so here is what happens after I install it:
>>>>>
>>>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>>>> Opps, sealert hit an error!
>>>>>
>>>>> Traceback (most recent call last):
>>>>>       File "/usr/bin/sealert", line 651, in <module>
>>>>>         import gtk
>>>>> ImportError: No module named gtk
>>>>>
>>>>> If it needs a GUI, then that won't work here.  Headless system.
>>>>>
>>>> Nahh... you want to install setroubleshoot.
>>>>
>>>>           mark
>>>>
>>>>
>>> Sorry, missed the no GUI if it was mentioned earlier.
>> Never mentioned it.  I have not checked to see what GUI has been ported
>> to try and load something.  I *DO* use Xfce with Fedora-arm systems.
>> But I would have to hook this little server up to such.
>>
>>> You _might_ get away with ssh -Y from a workstation but you might end up wasting time.
>>> No guarantees I'm afraid. :-) Martin
>> Yeah, ssh -Y can be such fun with a headless system.
>>
>>
>>
>> Sorry, I’m a bit late to this thread so I don’t know if anyone has mentioned this already.  What does
>>
>> $ getsebool httpd_enable_homedirs
>>
>>
> # getsebool httpd_enable_homedirs
> httpd_enable_homedirs --> on
>
> This was mentioned earlier.  One thing I did not mention was when I ran
> the set command, I also got back the following, which I have gotten on
> all selinux changes:
>
> # setsebool -P httpd_enable_homedirs on
> [ 8192.799162] SELinux:  Class binder not defined in policy.
> [ 8192.804646] SELinux: the above unknown classes and permissions will
> be allowed
>
> Other than some SELinux guru pointing me to things to do, I will
> probably have to wait until the C7-arm builders chime in on the
> centos-arm list.
>
>
>
> I’m not sure but I think those two warnings mean that your kernel and selinux policy are out of sync.

The first time was when I did the yum update after the basic image 
install, adding chronyd to keep time, and enabling selinux.  Then again 
when I changed the ssh port and finally when setting userdir.

To test if it was the yum update would take setting up another image.  
Not too hard, but I am scheduled to go away for the weekend.
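Since sealert is not usable on this headless box, the denial has to be read by hand from the three audit.log records that share one audit(timestamp:serial) id: the AVC record (who was denied what on which object), the SYSCALL record (uid, exe, arch, errno) and the PROCTITLE record (the hex-encoded command line). The script below is an added example of doing that correlation; it is mine, not code from anyone in the thread or from setroubleshoot. It uses the three records quoted above, re-joined onto one line each, as constructed sample input, and the AUDIT_ARCH table is my own and covers only the handful of values named in it.

```python
"""Added example: correlate and decode the AVC / SYSCALL / PROCTITLE records
of one SELinux denial event from audit.log without setroubleshoot/sealert."""
import errno
import re
from collections import defaultdict

# Constructed sample input: the three records quoted in the thread, each
# re-joined onto a single line the way auditd actually writes them.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1482944350.289:339): arch=40000028 syscall=322 per=800000 success=no exit=-13 a0=ffffff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
AVC_RE = re.compile(r'^avc:\s+(denied|granted)\s+\{ ([^}]*) \} for (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

# audit "arch=" values are the ELF e_machine number OR'd with the 64-bit and
# little-endian flags.  Assumption: this table is ours and deliberately short.
AUDIT_ARCH = {0x40000028: 'arm', 0xc00000b7: 'aarch64', 0xc000003e: 'x86_64'}


def decode_proctitle(value):
    """PROCTITLE is hex-encoded when the command line contains NULs (one per
    argument boundary); a quoted value means a single-word command line."""
    if value.startswith('"'):
        return [value.strip('"')]
    raw = bytes.fromhex(value)
    return [part.decode('utf-8', 'replace') for part in raw.split(b'\x00') if part]


def parse_record(line):
    """Split one audit record into its header fields plus key=value pairs."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {'type': rtype, 'time': float(ts), 'serial': int(serial)}
    if rtype == 'AVC':
        a = AVC_RE.match(body)
        if a:
            rec['result'] = a.group(1)
            rec['perms'] = a.group(2).split()   # e.g. ['read'] or ['read', 'open']
            body = a.group(3)
    for key, val in KV_RE.findall(body):
        rec[key] = decode_proctitle(val) if key == 'proctitle' else val.strip('"')
    return rec


def split_context(ctx):
    """user:role:type[:level] -> dict; the type is what policy rules key on."""
    parts = ctx.split(':', 3)
    parts += [''] * (4 - len(parts))
    user, role, type_, level = parts
    return {'user': user, 'role': role, 'type': type_, 'level': level}


def group_events(text):
    """Records belonging to one event share the serial in audit(ts:serial)."""
    events = defaultdict(dict)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec['serial']][rec['type']] = rec
    return dict(events)


def summarize(event):
    """Reduce one correlated event to the fields a human actually compares."""
    avc = event['AVC']
    sc = event.get('SYSCALL', {})
    pt = event.get('PROCTITLE', {})
    exit_code = int(sc['exit']) if 'exit' in sc else 0
    return {
        'serial': avc['serial'],
        'enforcing': avc.get('permissive') == '0',  # permissive=0: denial was enforced
        'result': avc.get('result'),
        'perms': avc.get('perms', []),
        'source_type': split_context(avc['scontext'])['type'],
        'target_type': split_context(avc['tcontext'])['type'],
        'tclass': avc.get('tclass'),
        'target_name': avc.get('name'),
        'inode': avc.get('ino'),
        'uid': int(sc['uid']) if 'uid' in sc else None,
        'exe': sc.get('exe'),
        'arch': AUDIT_ARCH.get(int(sc['arch'], 16), sc['arch']) if 'arch' in sc else None,
        'errno': errno.errorcode.get(-exit_code, str(exit_code)) if exit_code < 0 else None,
        'cmdline': pt.get('proctitle', []),
    }


if __name__ == '__main__':
    for serial, ev in sorted(group_events(SAMPLE_AUDIT_LOG).items()):
        s = summarize(ev)
        print(f"event {serial}: {s['result']} {{ {' '.join(s['perms'])} }} "
              f"{s['source_type']} -> {s['target_type']} ({s['tclass']} {s['target_name']!r}) "
              f"uid={s['uid']} {s['errno']} arch={s['arch']} enforcing={s['enforcing']} "
              f"cmd={' '.join(s['cmdline'])}")
```

Feed it the matching lines from /var/log/audit/audit.log instead of the sample and it puts the two things worth comparing side by side: the source domain (httpd_t) and the type the target directory actually carries. That type can then be checked against what the policy expects for the path with `matchpathcon -V /home/rgm/public_html/family` and `ls -dZ`; the inode in the AVC record lets you confirm with `ls -di` that the directory httpd tripped over is the one you are looking at.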
