我使用PHP exec命令来发出lpr -P printer_name /var/www/html/somefile.pdf,但在RHEL系统更新(7.2到7.3)之后,selinux决定开始阻止这些请求。
selinux要打印的文件的权限:
ls -lZ /var/www/html/somefile.pdf
-rw-r-----. apache webdev system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/somefile.pdf
审计日志中出现以下内容,对应于PHP中的上述exec命令:
time->Thu Nov 3 15:07:02 2016
type=PATH msg=audit(1478200022.446:5151): item=0Name ="/etc/cups/lpoptions" inode=134317708 dev=fd:03 mode=0100644Ouid =0 ogid=7 rdev=00:00 obj=system_u:object_r:cupsd_rw_etc_t: 0objtype =正常
type=CWD msg=audit(1478200022.446:5151): CWD ="/var/www/html"
type=SYSCALL msg=audit(1478200022.446:5151): arch=c000003e SYSCALL =2成功=是exit=5 a0=7fff26837c70 a1=0 a2=0 a3=9项=1 ppid=19397Pid =46644 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48Egid =48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="lpr"exe = "/usr/bin/lpr。Cups " subj=system_u:system_r:httpd_t: 0 key=(null)
type=AVC msg=audit(1478200022.446:5151): AVC: denied {open} forPid =46644 comm="lpr" path="/etc/cups/lpoptions" dev="dm-3"伊诺= 134317708 scontext = system_u: system_r: httpd_t: s0tcontext = system_u: object_r: cupsd_rw_etc_t: s0 tclass =文件
type=AVC msg=audit(1478200022.446:5151): AVC: denied {read} forPid =46644 comm="lpr" name="lpoptions" dev="dm-3" ino=134317708scontext = system_u: system_r: httpd_t: s0tcontext = system_u: object_r: cupsd_rw_etc_t: s0 tclass =文件
对wkhtmltopdf使用另一个exec命令得到类似的错误。
# getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> on
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> on
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
所有这些都是在yum将我的系统从RHEL 7.2更新到7.3之后立即开始的。
是什么导致了拒绝?
我最后安装了一些额外的seLinux工具来帮助解决问题:
yum install setroubleshoot setools
然后跑了
sealert -a /var/log/audit/audit.log
输出建议如下修改:
ausearch -c 'lpr' --raw | audit2allow -M my-lpr
semodule -i my-lpr.pp
ausearch -c 'wkhtmltopdf-amd' --raw | audit2allow -M my-wkhtmltopdfamd
semodule -i my-wkhtmltopdfamd.pp
发出这些命令,现在我可以再次从我的PHP应用程序打印。