CentOS 5 컴퓨터에서 PhantomJS를 사용하여 스크린 샷을 만들려고하는데 SELinux와 함께 작동하도록 할 수 없습니다. SELinux가 비활성화 된 동일한 컴퓨터에서 작동하므로 SELinux 가이 책임이 있다고 생각합니다.
다음은 내가 시도한 것 (모든 명령이 루트로 실행 됨)과 내가 얻은 오류입니다.
$ ls -Z /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin
-rwxr-xr-x myusername myusername system_u:object_r:bin_t phantomjs
시도한 스크린 샷-실패
$ cat /var/log/messages | grep avc
Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.014:398): avc: denied { getattr } for pid=6842 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.014:399): avc: denied { getattr } for pid=6842 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.054:400): avc: denied { getattr } for pid=6852 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.054:401): avc: denied { getattr } for pid=6852 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
Sep 13 12:21:19 myserver kernel: type=1400 audit(1347531679.866:402): avc: denied { getattr } for pid=6864 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
Sep 13 12:21:19 myserver kernel: type=1400 audit(1347531679.867:403): avc: denied { getattr } for pid=6864 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
Sep 13 12:21:19 myserver kernel: type=1400 audit(1347531679.920:404): avc: denied { getattr } for pid=6874 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
Sep 13 12:21:19 myserver kernel: type=1400 audit(1347531679.920:405): avc: denied { getattr } for pid=6874 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
Sep 13 12:21:27 myserver kernel: type=1400 audit(1347531687.025:406): avc: denied { read } for pid=6890 comm="phantomjs" name="3830d5c3ddfd5cd38a049b759396e72e-x86-64.cache-2" dev=dm-0 ino=2021753 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
Sep 13 12:21:27 myserver kernel: type=1400 audit(1347531687.035:407): avc: denied { write } for pid=6890 comm="phantomjs" name="myusername" dev=dm-0 ino=619658 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
Sep 13 12:21:27 myserver kernel: type=1400 audit(1347531687.061:408): avc: denied { read } for pid=6890 comm="phantomjs" name="e3ead4b767b8819993a6fa3ae306afa9-x86-64.cache-2" dev=dm-0 ino=2021752 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
Sep 13 12:21:28 myserver kernel: type=1400 audit(1347531688.720:410): avc: denied { execmem } for pid=6890 comm="phantomjs" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
phantomjs 유형을 httpd_sys_script_exec_t로 변경하려고했습니다.
$ chcon -v -t httpd_sys_script_exec_t /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs
$ ls -Z /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin
-rwxr-xr-x myusername myusername system_u:object_r:httpd_sys_script_exec_t phantomjs
다시 시도한 스크린 샷-실패
$ cat /var/log/messages | grep avc
Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.891:414): avc: denied { read } for pid=6962 comm="phantomjs" path="eventpoll:[9737788]" dev=eventpollfs ino=9737788 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.892:415): avc: denied { write } for pid=6962 comm="phantomjs" path=2F7661722F72756E2F777367692E363535352E302E312E6C6F636B202864656C6574656429 dev=dm-0 ino=2022252 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.892:416): avc: denied { write } for pid=6962 comm="phantomjs" path=2F7661722F72756E2F777367692E363535352E302E322E6C6F636B202864656C6574656429 dev=dm-0 ino=2022255 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.892:417): avc: denied { write } for pid=6962 comm="phantomjs" path=2F7661722F72756E2F777367692E363535352E302E332E6C6F636B202864656C6574656429 dev=dm-0 ino=2022257 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.893:418): avc: denied { write } for pid=6962 comm="phantomjs" path=2F7661722F72756E2F777367692E363535352E302E342E6C6F636B202864656C6574656429 dev=dm-0 ino=2022266 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
phantomjs 유형을 httpd_t로 변경하려고했습니다.
$ chcon -v -t httpd_t /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs
failed to change context of /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs to system_u:object_r:httpd_t
chcon: failed to change context of /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs to system_u:object_r:httpd_t: Permission denied
phantomjs 유형을 httpd_var_run_t로 변경하려고했습니다.
$ chcon -v -t httpd_var_run_t /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs
$ ls -Z /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin
-rwxr-xr-x myusername myusername system_u:object_r:httpd_var_run_t phantomjs
다시 시도한 스크린 샷-실패
$ cat /var/log/messages | grep avc
Sep 13 12:29:36 myserver kernel: type=1400 audit(1347532176.754:420): avc: denied { execute } for pid=7002 comm="httpd" name="phantomjs" dev=dm-0 ino=3032985 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
phantomjs 유형을 httpd_sys_script_t로 변경하려고했습니다.
$ chcon -v -t httpd_sys_script_t /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs
failed to change context of /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs to system_u:object_r:httpd_sys_script_t
chcon: failed to change context of /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs to system_u:object_r:httpd_sys_script_t: Permission denied
SELinux 설정에 대한 추가 정보는 다음과 같습니다.
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
…
$ getsebool -a | grep http
allow_httpd_anon_write --> off
allow_httpd_bugzilla_script_anon_write --> off
allow_httpd_cvs_script_anon_write --> off
allow_httpd_mod_auth_pam --> off
allow_httpd_nagios_script_anon_write --> off
allow_httpd_prewikka_script_anon_write --> off
allow_httpd_squid_script_anon_write --> off
allow_httpd_sys_script_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_disable_trans --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> on
httpd_execmem --> off
httpd_read_user_content --> off
httpd_rotatelogs_disable_trans --> off
httpd_setrlimit --> off
httpd_ssi_exec --> off
httpd_suexec_disable_trans --> off
httpd_tty_comm --> on
httpd_unified --> on
httpd_use_cifs --> off
httpd_use_nfs --> off
…
$ uname -r
2.6.18-308.1.1.el5
SELinux / httpd 경험이있는 사람은 내가하려는 일에 적합한 컨텍스트가 있는지 알고 있습니까? 아니면 총알을 물고 이것에 대한 사용자 지정 정책을 만들어야합니까?
답변
http://wiki.centos.org/HowTos/SELinux#7 의을 사용하여 사용자 지정 정책 모듈을 만드는 방법에 대한 스 니펫이 있습니다 allow2audit.
시도 해봐
setenforce 0
grep phantomjs /var/log/audit/audit.log | audit2allow -m httpd_phantomjs > httpd_phantomjs.te
cat httpd_phantomjs.te
설치
grep phantomjs /var/log/audit/audit.log | audit2allow -M httpd_phantomjs
semodule -i httpd_phantomjs.pp
ls /etc/selinux/targeted/modules/active/modules/ | grep httpd
그것을 테스트
setenforce 1
tail -f /var/log/audit/audit.log
이것은 테스트되지 않았으므로 필요에 따라 업데이트하십시오. 그것이 당신을 위해 작동하기를 바랍니다
답변
방금 같은 문제가 있었고 사용자 정의 정책을 만들지 않고도 Centos 7.4에서 팬텀을 작동시킬 수있었습니다. 내가 한 방법은 다음과 같습니다.
에 phantomjs 파일을 변경하여 업데이트 SELinux 정책 bin_t유형
semanage fcontext -a -t bin_t '/opt/phantomjs/bin/phantomjs'
selinux 정책에 새 유형을 추가 한 후 파일 권한을 업데이트해야합니다
sudo /sbin/restorecon -v /opt/phantomjs/bin/phantomjs
이제 부울을 설정하여 httpd 데몬이 리소스 제한을 변경하도록 허용해야합니다.
sudo setsebool -P httpd_setrlimit 1
그것이 도움이되기를 바랍니다 🙂