Selinux Policy Allow custom shell script
Sir,
I have written a Python script and I want to use it in my PHP script via exec.
If that is the case, how do I make changes in audit so SELinux will allow me to run it?
The script is in /usr/local/bin.
Thanks
Re: Selinux Policy Allow custom shell script
setenforce 0
Re: Selinux Policy Allow custom shell script
Could you show the output of the audit log when you try to run the script with SELinux enabled?
/var/log/audit/audit.log
Re: Selinux Policy Allow custom shell script
I am not getting any output when I run that script, sir.
Nothing comes in audit.
tail -f audit.log

/usr/local/bin/
ls -lZ
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_content_t:s0 script
Re: Selinux Policy Allow custom shell script
I think he means: with SELinux running, execute your script and post the output of:
grep -i avc /var/log/audit/audit.log
Re: Selinux Policy Allow custom shell script
type=AVC msg=audit(1471764481.690:7480): avc: denied { open } for pid=11448 comm="logrotate" path="/etc/logrotate.d/lfd" dev="sda2" ino=135003505 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1471764484.512:7481): avc: denied { open } for pid=11464 comm="mandb" path="/usr/local/man/man1/csf.1" dev="sda2" ino=686783 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1471851661.548:8053): avc: denied { open } for pid=30910 comm="logrotate" path="/etc/logrotate.d/lfd" dev="sda2" ino=135003505 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=USER_AVC msg=audit(1471857504.127:8214): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1471857504.127:8215): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=1) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1471863661.998:8267): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1471863661.998:8268): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=1) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Re: Selinux Policy Allow custom shell script
Turn SELinux to enforcing mode, then run the script, then read the last 10 lines of the audit log.
Re: Selinux Policy Allow custom shell script
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
Re: Selinux Policy Allow custom shell script
SELinux is already in enforcing mode. Nothing comes in audit.
Re: Selinux Policy Allow custom shell script
Run:
# semodule -DB
then try to reproduce the issue again, and look at the log.
Afterwards, return to the normal state:
# semodule -B
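Both the `grep -i avc /var/log/audit/audit.log` check earlier in the thread and the `semodule -DB` procedure in the last reply leave you with raw audit records to read by hand. The following is an added example, not code from the thread or from any of its posters: a small POSIX shell/awk filter that reduces each AVC denial to source type, target type, object class and the denied permissions, optionally restricted to one source domain, so unrelated denials (here logrotate_t and mandb_t writing to user_tmp_t files) can be separated at a glance from anything originating in httpd_t, which is the domain PHP under Apache runs in. The sample records are the ones quoted in the thread plus one constructed, hypothetical httpd_t execute denial that the poster did not observe; the function and variable names (`summarize_avc`, `sample_avc`) are mine.

```shell
#!/bin/sh
# Added example (not from the thread): summarise AVC denials from an audit log.
# Usage:  summarize_avc [source_type] < /var/log/audit/audit.log
# Output: one line per denial, "<source type> <target type> <tclass> {<permissions>}"

summarize_avc() {
    want="${1:-}"   # e.g. httpd_t; empty means every source domain
    # Only kernel AVC records carry "denied" plus scontext=/tcontext=; the
    # USER_AVC "received setenforce notice" records from systemd are dropped here.
    grep 'avc: *denied' | awk -v want="$want" '
    {
        perms = ""; sctx = ""; tctx = ""; tclass = ""
        if (match($0, /[{][^}]*[}]/))          # permissions sit between the braces
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if      ($i ~ /^scontext=/) sctx   = substr($i, 10)
            else if ($i ~ /^tcontext=/) tctx   = substr($i, 10)
            else if ($i ~ /^tclass=/)   tclass = substr($i, 8)
        }
        split(sctx, s, ":"); split(tctx, t, ":")   # user:role:type:level -> field 3 is the type
        if (want != "" && s[3] != want) next
        gsub(/^ +| +$/, "", perms)
        printf "%s %s %s {%s}\n", s[3], t[3], tclass, perms
    }'
}

# Constructed sample: the logrotate/mandb/setenforce records quoted in the thread,
# plus one HYPOTHETICAL httpd_t execute denial (not something the poster saw).
sample_avc() {
    cat <<'EOF'
type=AVC msg=audit(1471764481.690:7480): avc: denied { open } for pid=11448 comm="logrotate" path="/etc/logrotate.d/lfd" dev="sda2" ino=135003505 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1471764484.512:7481): avc: denied { open } for pid=11464 comm="mandb" path="/usr/local/man/man1/csf.1" dev="sda2" ino=686783 scontext=system_u:system_r:mandb_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=AVC msg=audit(1471851661.548:8053): avc: denied { open } for pid=30910 comm="logrotate" path="/etc/logrotate.d/lfd" dev="sda2" ino=135003505 scontext=system_u:system_r:logrotate_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_tmp_t:s0 tclass=file
type=USER_AVC msg=audit(1471857504.127:8214): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: received setenforce notice (enforcing=0) exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
type=AVC msg=audit(1471870000.000:9000): avc: denied { execute } for pid=12345 comm="sh" name="script" dev="sda2" ino=1 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
EOF
}

# Stand-alone run: every denial, then only those whose source domain is httpd_t
sample_avc | summarize_avc
echo '--- httpd_t only ---'
sample_avc | summarize_avc httpd_t
```

On a live host, use it in the order the last reply gives: `semodule -DB`, reproduce the PHP exec call, `summarize_avc httpd_t < /var/log/audit/audit.log`, then `semodule -B`. Without the `-DB` step a denial covered by a dontaudit rule writes nothing to the log, which is one reason "nothing comes in audit" can happen in enforcing mode; `ausearch -m AVC -ts recent` is the stock tool for the same lookup. Separately, the `ls -lZ` output earlier in the thread shows the script labelled httpd_sys_content_t, the type used for static web content rather than for executables; `matchpathcon /usr/local/bin/script` prints the label the policy expects for that path and `restorecon -v /usr/local/bin/script` applies it, which is worth checking before writing any custom policy.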