I have a directory where shared PHP scripts are kept (the name is arbitrary, but it isn't /var/, /usr/, or anything that SELinux would have specific settings for):
/whatever/scripts/
These scripts can get executed by cronjobs, or may get executed by Apache or Tomcat so the output can be included in a web page.
SELinux is denying permission:
type=AVC msg=audit(1363205612.276:476923): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1363205612.276:476923): arch=c000003e syscall=59 success=no exit=-13 a0=2431d10 a1=2431d70 a2=24301e0 a3=50 items=0 ppid=23100 pid=6855 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1363205612.277:476924): avc: denied { execute } for pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file
type=SYSCALL msg=audit(1363205612.277:476924): arch=c000003e syscall=21 success=no exit=-13 a0=2431d10 a1=1 a2=0 a3=50 items=0 ppid=23100 pid=6855 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)
I know there is a command I can use to tell SELinux to allow this, but it's eluding me.
Even making the directory and script owner and group apache doesn't work, so it isn't a classic permissions problem, but SELinux specific.
The system is CentOS 6.3.
I found the solution with these two commands:
semanage fcontext -a -t httpd_sys_script_exec_t '/whatever/scripts(/.*)?'
restorecon -R -v /whatever/scripts/
That allows Apache to execute PHP scripts in that directory, and it persists across a reboot or a system-wide relabeling.
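As an added example (not code from the question or the answers), a small Python helper that pulls the source type, target type and denied permission out of the AVC record quoted in the question and emits the persistent semanage/restorecon fix given in the answer; the path, file type and sample record are taken from the page, the function names are my own.

```python
import re
import shlex

# Constructed sample: the first AVC record from the question, joined into one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1363205612.276:476923): avc: denied { execute } for pid=6855 '
    'comm="sh" name="script.php" dev=sda3 ino=4325828 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file'
)

_AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')


def parse_avc(line):
    """Return the fields of one AVC record as a dict, or None for any other record type."""
    if not line.startswith('type=AVC'):
        return None
    m = _AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group(1), 'perms': m.group(2).split()}
    # Everything after "for" is key=value; shlex strips the quotes around comm= and name=.
    tail = line[m.end():]
    tail = tail.split(' for ', 1)[1] if ' for ' in tail else tail
    for tok in shlex.split(tail):
        if '=' in tok:
            key, value = tok.split('=', 1)
            rec[key] = value
    # A context is user:role:type:level; the type is what the policy rules act on.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec


def persistent_fix(record, directory, file_type='httpd_sys_script_exec_t'):
    """Commands that give `directory` a label httpd_t may execute.

    semanage stores the rule in the local policy and restorecon applies it to the
    files already there, so unlike chcon the label survives a reboot or a relabel.
    Returns [] when the record is not an httpd_t execute denial.
    """
    if record['source_type'] != 'httpd_t' or 'execute' not in record['perms']:
        return []
    pattern = directory.rstrip('/') + '(/.*)?'
    return [
        f"semanage fcontext -a -t {file_type} {shlex.quote(pattern)}",
        f"restorecon -R -v {shlex.quote(directory)}",
    ]
```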
I use this with the executable programs I need to run from my PHP scripts and Apache:
sudo chcon -v -t httpd_sys_script_exec_t my-executable