
CentOS 7 SELinux utilities audit2why and audit2allow

Dec. 21, 2015, 4:50 p.m. centos selinux


I have a problem when starting Phusion Passenger (in this case as an Apache module). I have a vague suspicion that it is caused by SELinux, which I stubbornly insist on keeping enabled.

# this is roughly what shows up in /var/log/httpd/error_log
# in vim, CTRL+G gives you some useful information about where you are in the file
#

[Mon Dec 21 18:33:15.726075 2015] [mpm_prefork:notice] [pid 4575] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 Phusion_Passenger/5.0.22 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Mon Dec 21 18:33:15.726117 2015] [core:notice] [pid 4575] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
App 4649 stdout:
App 4649 stderr: error: cannot open Packages index using db5 - Permission denied (13)
App 4649 stderr: error: cannot open Packages database in /var/lib/rpm
App 4649 stderr: Traceback (most recent call last):
App 4649 stderr:   File "/usr/share/passenger/helper-scripts/wsgi-loader.py", line 325, in <module>
App 4649 stderr:     app_module = load_app()
App 4649 stderr:   File "/usr/share/passenger/helper-scripts/wsgi-loader.py", line 62, in load_app
App 4649 stderr:     return imp.load_source('passenger_wsgi', startup_file)
App 4649 stderr:   File "/var/www/myProjects/ionescu77/passenger_wsgi.py", line 8, in <module>
App 4649 stderr:     if sys.executable != INTERP: os.execl(INTERP, INTERP, *sys.argv)
App 4649 stderr:   File "/usr/lib64/python2.7/os.py", line 312, in execl
App 4649 stderr:     execv(file, args)
App 4649 stderr: OSError:
App 4649 stderr: [Errno 13] Permission denied
[ 2015-12-21 18:35:50.2075 4612/7f5e34c8f700 age/Cor/App/Implementation.cpp:304 ]: Could not spawn process for application /var/www/myProjects/ionescu77: An error occurred while starting the web application. It exited before signalling successful startup back to Phusion Passenger.

After checking the UNIX file permissions, SELinux is most often the only obstacle left (ls -lZ; the -Z option shows the SELinux attributes of files and directories; see also ps -Z).

Let's get back to it. The SELinux audit log is quite cryptic, so we'll use audit2why to make it more readable:

type=USER_START msg=audit(1445357401.101:113841): pid=11734 uid=0 auid=0 ses=16179 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_REFR msg=audit(1445357401.102:113842): pid=11734 uid=0 auid=0 ses=16179 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1445357401.112:113843): pid=11734 uid=0 auid=0 ses=16179 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1445357401.113:113844): pid=11734 uid=0 auid=0 ses=16179 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1445358001.122:113845): pid=11995 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_localuser acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1445358001.122:113846): pid=11995 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
@
"/var/log/audit/audit.log" 23405L, 5850393C

To figure out what is going on, I'll use audit2why:

$ sudo cat /var/log/audit/audit.log | audit2why

    Allow access by executing:
    # setsebool -P httpd_run_stickshift 1
type=AVC msg=audit(1450715750.209:11299): avc:  denied  { fowner } for  pid=4659 comm="chmod" capability=3  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability

    Was caused by:
    The boolean httpd_run_stickshift was set incorrectly.
    Description:
    Allow httpd to run stickshift

    Allow access by executing:
    # setsebool -P httpd_run_stickshift 1
type=AVC msg=audit(1450715750.209:11300): avc:  denied  { fowner } for  pid=4659 comm="chmod" capability=3  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability

    Was caused by:
    The boolean httpd_run_stickshift was set incorrectly.
    Description:
    Allow httpd to run stickshift

    Allow access by executing:
    # setsebool -P httpd_run_stickshift 1

$ sudo setsebool -P httpd_run_stickshift 1

So, assuming you have captured the relevant AVC records into a file called "audit_tmp":

cat audit_tmp | audit2allow -M passenger

This will create a file called passenger.pp which you can apply using:

semodule -i passenger.pp

Doing this will unblock the first thing that was stopping Passenger from loading, but be aware that there will probably be more denials, so you will need to repeat the process until it works.
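Before installing a module generated this way it is worth knowing exactly what it will allow. The following Python script is an added example, not code from the original post or from the SELinux tools: it parses the AVC records out of an audit log, groups the denials by source type, target type, object class and permission, and renders the allow rule that audit2allow would emit for each group, so you can decide whether a boolean (as audit2why suggested above), a relabel, or a custom module is the right fix. The sample input is constructed: it contains the two AVC lines quoted in the post, one non-AVC record to show it is skipped, and one made-up file denial against the rpm database (the type rpm_var_lib_t is real, the record is not from the post).

```python
import re
from collections import Counter, defaultdict

# Constructed sample input (see lead-in): two AVC records from the post,
# one non-AVC record, and one made-up denial against /var/lib/rpm.
SAMPLE_AUDIT_LOG = """\
type=USER_START msg=audit(1445357401.101:113841): pid=11734 uid=0 auid=0 ses=16179 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" res=success'
type=AVC msg=audit(1450715750.209:11299): avc:  denied  { fowner } for  pid=4659 comm="chmod" capability=3  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1450715750.209:11300): avc:  denied  { fowner } for  pid=4659 comm="chmod" capability=3  scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1450715751.000:11301): avc:  denied  { read open } for  pid=4660 comm="python" name="Packages" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:rpm_var_lib_t:s0 tclass=file
"""

# Matches the fields of an AVC denial record that matter for a policy rule.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+pid=(?P<pid>\d+)'
    r'.*?comm="(?P<comm>[^"]*)".*?scontext=(?P<scontext>\S+)'
    r'\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a context: system_u:system_r:httpd_t:s0 -> httpd_t."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one audit.log line; return a dict for AVC denials, None otherwise."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = tuple(sorted(rec["perms"].split()))
    return rec


def summarize(log_text):
    """Group denials by (source type, target type, class, perms).

    Returns (counts, comms): how often each group occurred and which
    commands triggered it.
    """
    counts = Counter()
    comms = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]),
               rec["tclass"], rec["perms"])
        counts[key] += 1
        comms[key].add(rec["comm"])
    return counts, comms


def allow_rule(key):
    """Render the allow rule audit2allow would generate for one group.

    audit2allow writes `self` as the target when source and target types
    are the same, which is the case for the capability denial in the post.
    """
    stype, ttype, tclass, perms = key
    target = "self" if stype == ttype else ttype
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{tclass} {perm_str};"


def main():
    counts, comms = summarize(SAMPLE_AUDIT_LOG)
    for key, n in counts.most_common():
        stype, ttype, tclass, perms = key
        who = ", ".join(sorted(comms[key]))
        print(f"{n:3d}x {who}: {stype} -> {ttype} {tclass} {' '.join(perms)}")
        print(f"      would become: {allow_rule(key)}")


if __name__ == "__main__":
    main()
```

To use it on a real system, replace SAMPLE_AUDIT_LOG with the contents of /var/log/audit/audit.log (or the audit_tmp file from above). A group that audit2why attributes to a boolean is better fixed with setsebool, and a group whose target type belongs to another service's data (such as the rpm database) usually means a mislabelled path, which restorecon fixes without widening httpd_t's policy at all; a custom module should only carry the rules that are left after those two checks.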

We restart Apache and check whether Phusion Passenger manages to start:

$ systemctl restart httpd.service

$ sudo tail -50 /var/log/httpd/error_log

[ 2015-12-21 18:58:36.3864 6124/7fa5b44ad880 age/Wat/WatchdogMain.cpp:1276 ]: Starting Passenger watchdog...
[ 2015-12-21 18:58:36.3954 6127/7f13f4ff7880 age/Cor/CoreMain.cpp:957 ]: Starting Passenger core...
[ 2015-12-21 18:58:36.3955 6127/7f13f4ff7880 age/Cor/CoreMain.cpp:234 ]: Passenger core running in multi-application mode.
[ 2015-12-21 18:58:36.3975 6127/7f13f4ff7880 age/Cor/CoreMain.cpp:707 ]: Passenger core online, PID 6127
[ 2015-12-21 18:58:36.4048 6132/7fd6c35ae880 age/Ust/UstRouterMain.cpp:504 ]: Starting Passenger UstRouter...
[ 2015-12-21 18:58:36.4057 6132/7fd6c35ae880 age/Ust/UstRouterMain.cpp:317 ]: Passenger UstRouter online, PID 6132
[Mon Dec 21 18:58:36.411744 2015] [mpm_prefork:notice] [pid 6091] AH00163: Apache/2.4.6 (CentOS) OpenSSL/1.0.1e-fips mod_fcgid/2.3.9 Phusion_Passenger/5.0.22 mod_wsgi/3.4 Python/2.7.5 configured -- resuming normal operations
[Mon Dec 21 18:58:36.411800 2015] [core:notice] [pid 6091] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'

More problems:

[root@spaceport ~]# ls -ltrZ /var/www/myProjects/ionescu77/src/ionescu77Project/settings/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 settings.pyc
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 razvansky.py~
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 test.py~
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 razvansky.pyc
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 __init__.py
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 base.py
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 razvansky.py
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 __init__.pyc
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 base.pyc
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 test.pyc
-rw-rw-r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 test.py
[root@spaceport ~]# yum list | grep semanage
libsemanage.x86_64                      2.1.10-18.el7                  @base
libsemanage-python.x86_64               2.1.10-18.el7                  @base
libsemanage.i686                        2.1.10-18.el7                  base
libsemanage-devel.i686                  2.1.10-18.el7                  base
libsemanage-devel.x86_64                2.1.10-18.el7                  base
libsemanage-static.i686                 2.1.10-18.el7                  base
libsemanage-static.x86_64               2.1.10-18.el7                  base
[root@spaceport ~]# which semanage
/sbin/semanage
[root@spaceport ~]# chcon -R -u system_u -t httpd_sys_content_t /var/www/myProjects/ionescu77/src/ionescu77Project/settings/test.py*
[root@spaceport ~]# ls -ltrZ /var/www/myProjects/ionescu77/src/ionescu77Project/settings/
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 settings.pyc
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 razvansky.py~
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 test.py~
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 razvansky.pyc
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 __init__.py
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 base.py
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 razvansky.py
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 __init__.pyc
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 base.pyc
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 test.pyc
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 test.py
[root@spaceport httpd]# restorecon -R -v /var/lib/rpm

# yum update

Updated:
  mod_passenger.x86_64 0:5.0.23-8.el7                                               passenger.x86_64 0:5.0.23-8.el7

Works now.
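The listing above was spotted by eye: two files carried the SELinux user unconfined_u while the rest of the directory was system_u. As an added example (not code from the post), here is a small Python check that parses `ls -lZ` output, reports the entries whose SELinux user or type differs from the expected (or, if none is given, the most common) value, and produces the matching chcon commands for review. The sample listing is constructed from a few lines of the post's own output; the directory path passed to chcon_commands is a placeholder.

```python
import re
from collections import Counter, namedtuple

# Constructed sample: a subset of the `ls -ltrZ` listing shown in the post.
SAMPLE_LS_Z = """\
-rw-r--r--. root root system_u:object_r:httpd_sys_content_t:s0 settings.pyc
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 __init__.py
-rw-rw-r--. root root system_u:object_r:httpd_sys_content_t:s0 base.py
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 test.pyc
-rw-rw-r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 test.py
"""

Entry = namedtuple("Entry", "mode user group seuser serole setype level name")

# mode  owner  group  selinux_context  name   (the layout of `ls -lZ` on CentOS 7)
LS_Z_RE = re.compile(
    r"^(?P<mode>\S+)\s+(?P<user>\S+)\s+(?P<group>\S+)\s+(?P<ctx>\S+)\s+(?P<name>.+)$"
)


def parse_ls_z(listing):
    """Turn `ls -lZ` output into Entry records; non-entry lines are skipped."""
    entries = []
    for line in listing.splitlines():
        m = LS_Z_RE.match(line.rstrip())
        if not m:
            continue
        # The MLS level may itself contain colons (s0-s0:c0.c1023), so split only 3 times.
        seuser, serole, setype, level = m["ctx"].split(":", 3)
        entries.append(Entry(m["mode"], m["user"], m["group"],
                             seuser, serole, setype, level, m["name"]))
    return entries


def label_outliers(entries, expected_user=None, expected_type=None):
    """Entries whose SELinux user or type differs from the expected values.

    When an expected value is not given, the most common value in the
    listing is used, which is how the odd files stood out in the post.
    """
    if expected_user is None:
        expected_user = Counter(e.seuser for e in entries).most_common(1)[0][0]
    if expected_type is None:
        expected_type = Counter(e.setype for e in entries).most_common(1)[0][0]
    return [e for e in entries
            if e.seuser != expected_user or e.setype != expected_type]


def chcon_commands(outliers, directory, expected_user, expected_type):
    """Render one chcon command per outlier, for review before running."""
    return [f"chcon -u {expected_user} -t {expected_type} {directory}/{e.name}"
            for e in outliers]


if __name__ == "__main__":
    entries = parse_ls_z(SAMPLE_LS_Z)
    odd = label_outliers(entries)
    for e in odd:
        print(f"{e.name}: {e.seuser}:{e.serole}:{e.setype}:{e.level}")
    # "/path/to/settings" is a placeholder for the real directory.
    for cmd in chcon_commands(odd, "/path/to/settings", "system_u", "httpd_sys_content_t"):
        print(cmd)
```

Keep in mind that chcon only changes the label on the inode; the next full relabel (restorecon -R over the tree, or a touch /.autorelabel reboot) resets it to whatever the file-context policy says. For a directory that must stay web content, record the rule with semanage fcontext -a -t httpd_sys_content_t "/var/www/myProjects(/.*)?" and then run restorecon -Rv /var/www/myProjects, so the labels survive relabelling.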

A few links to read: