I'm learning PHP, CSS, JavaScript and brushing up on HTML.

The test system runs a Tikanga clone and has SELinux in enforcing mode.

Since The Boss (the bloke who controls my pay packet) wants to be able to make minor configuration changes to the firewall, this seemed a suitable task.

I have arrived at the point where I want to run a small script to copy a file to /etc/shorewall/rules.theboss and restart shorewall.

Here's the PHP fragment:
// $tmpfname is shell-quoted so an odd file name cannot become extra commands; $rc receives the exit status
passthru("/usr/bin/sudo /usr/local/sbin/UpdateTorrentFirewallRules " . escapeshellarg($tmpfname), $rc);

(Note the dot serving as a concatenation operator)

Easy peasy, you'd think, and so it is if I turn SELinux off.

I have made a dozen or more iterations of running the script and then these commands:
ausearch -m avc | audit2allow -M local && semodule -i local.pp

Some of the difficulties, for those following behind:
PHP seems to discard stderr from the script. Its content is not in httpd's error log for the virtual host where it should be, and it doesn't appear in the document returned to my browser. I discovered some of the errors with this command:

strace -v -o /tmp/trace -f -s 9999 $(ps xa| awk '/http[d]/{printf "-p %s ",$1}')

In reading the trace I found useful error messages (such as permission denied), some but not all caused by selinux.

Anyway, I've rid myself of all the SELinux messages I can find in /var/log/messages and /var/log/audit/audit.log, and almost all that I can find from shorewall (it sends valuable messages to /dev/null too) using strace.

I'm up to this:
10155 <... wait4 resumed> [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], 0, NULL) = 10156
10155 --- SIGCHLD (Child exited) @ 0 (0) ---
10155 socket(PF_INET, SOCK_RAW, IPPROTO_RAW) = 3
10155 getsockopt(3, SOL_IP, 0x40 /* IP_??? */, 0xbfc48e14, 0xbfc48e08) = -1 EPERM (Operation not permitted)
10155 close(3)                          = 0
10155 write(2, "iptables v1.3.5: ", 17) = 17
10155 write(2, "can't initialize iptables table `nat': Permission denied (you must be root)", 75) = 75
10155 write(2, "\n", 1)                 = 1
10155 exit_group(1)                     = ?

At this point iptables had just run modprobe - boy, did that create lots of errors - and I've no idea what it wants to do now.

The getsockopt error is not in my man page; I guess it's a fairly new error caused by SELinux.

In case someone missed it, we're running as root at this point through the use of selinux.

If, being logged in as root, I use sudo to change to user=apache, it works fine.

Being puzzled as I am, I gave apache a four-letter password (not that one, and not that one either, we're polite here) and a workable shell and logged in remotely as apache. <Rolls eyes> The script works that way too.

I'm absolutely flummoxed. Does anyone have any ideas?

I think I'm going to disable SELinux for the few seconds this takes to run, and this might well be the long-term practical solution. A lot of the SELinux messages were connected to kernel modules, and I rather think they will resurface with the next kernel.

--

Cheers
John

-- spambait
[email protected]  [email protected]
-- Advice
http://webfoot.com/advice/email.top.php
http://www.catb.org/~esr/faqs/smart-questions.html
http://support.microsoft.com/kb/555375

You cannot reply off-list:-)

_______________________________________________
rhelv5-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/rhelv5-list

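Two of the difficulties in the post above, the helper's stderr vanishing under passthru() and a root-privileged script being fed a file chosen by the web tier, are what a wrapper behind the sudo call should handle. The script below is an added example written for this page, not the poster's UpdateTorrentFirewallRules and not part of shorewall; the paths, the sudoers line in the comment, the size limit and the rule format it accepts (ACTION followed by plain whitespace-separated fields, as in "ACCEPT net $FW tcp 6881:6889") are assumptions. It validates the file, installs it as /etc/shorewall/rules.theboss, restarts shorewall with both output streams appended to a log file, and echoes a one-line verdict on stdout so passthru() shows it in the browser.

```shell
#!/bin/sh
# Hypothetical stand-in for /usr/local/sbin/UpdateTorrentFirewallRules (example
# code, not the poster's script). Invoked from PHP as:
#   sudo /usr/local/sbin/UpdateTorrentFirewallRules /tmp/phpXXXXXX
# with an assumed sudoers entry such as:
#   apache ALL=(root) NOPASSWD: /usr/local/sbin/UpdateTorrentFirewallRules
# Paths, the size limit and the rule format below are assumptions.

RULES_DEST=/etc/shorewall/rules.theboss
UPLOAD_DIR=/tmp                        # where PHP's tempnam() drops the file
LOG_FILE=/var/log/shorewall-update.log # both streams of every step land here
RESTART_CMD="/sbin/shorewall restart"
# Assumed rule shape: ACTION then whitespace-separated plain fields, e.g.
# "ACCEPT net $FW tcp 6881:6889"; anything else is refused.
RULE_RE='^(ACCEPT|DROP|REJECT)([[:space:]]+[A-Za-z0-9_$:,./-]+)+[[:space:]]*$'

# Timestamped line to the log AND to stdout, so passthru() shows it in the
# browser instead of it vanishing with stderr.
log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" | tee -a "$LOG_FILE"
}

# Refuse anything that is not a plain, small, well-formed rules file sitting
# directly in UPLOAD_DIR. This runs as root, so the web tier is untrusted.
validate_source() {
    src=$1
    [ -f "$src" ] && [ ! -L "$src" ] ||
        { log "refused: $src is not a regular file"; return 1; }
    dir=$(cd -- "$(dirname -- "$src")" 2>/dev/null && pwd -P) ||
        { log "refused: cannot resolve $src"; return 1; }
    [ "$dir" = "$UPLOAD_DIR" ] ||
        { log "refused: $src is outside $UPLOAD_DIR"; return 1; }
    size=$(wc -c < "$src" | tr -d ' ')
    [ "$size" -le 65536 ] ||
        { log "refused: $src is $size bytes, limit is 65536"; return 1; }
    # Drop blank and comment lines, then look for any line that is not a rule.
    if grep -Ev '^[[:space:]]*(#|$)' -- "$src" | grep -Evq "$RULE_RE"; then
        log "refused: $src contains a line that is not an ACCEPT/DROP/REJECT rule"
        return 1
    fi
    return 0
}

# Copy into place (owned by root since we run as root) with mode 0644, via a
# temporary name so shorewall never reads a half-written file, then restore
# the SELinux label of the new file where restorecon is available.
install_rules() {
    src=$1
    tmp=$RULES_DEST.new.$$
    if cp -- "$src" "$tmp" && chmod 0644 "$tmp" && mv -f -- "$tmp" "$RULES_DEST"; then
        if command -v restorecon >/dev/null 2>&1; then
            restorecon "$RULES_DEST" >>"$LOG_FILE" 2>&1 || log "warning: restorecon failed"
        fi
        log "installed $src as $RULES_DEST"
        return 0
    fi
    rm -f -- "$tmp"
    log "failed to install $src as $RULES_DEST"
    return 1
}

# Run the restart with stdout and stderr appended to the log; the exit status
# is reported on stdout rather than lost in a discarded stderr.
restart_firewall() {
    if $RESTART_CMD >>"$LOG_FILE" 2>&1; then
        log "shorewall restarted"
        return 0
    else
        rc=$?
        log "shorewall restart failed (exit $rc); details in $LOG_FILE"
        return "$rc"
    fi
}

main() {
    [ $# -eq 1 ] || { log "usage: $0 <rules-file>"; return 2; }
    validate_source "$1" || return 1
    install_rules "$1" || return 1
    restart_firewall
}

if [ $# -gt 0 ]; then
    main "$@"
    exit $?
fi
```

The log file is the place to look for the iptables complaint quoted in the trace once the helper runs this way. On that complaint itself: option 0x40 in the getsockopt() line is IPT_SO_GET_INFO, iptables asking the kernel about the nat table, and the kernel answers EPERM when the caller lacks CAP_NET_ADMIN. If no matching AVC shows up in audit.log even though the process is root, the denial may be covered by a dontaudit rule; disabling those while reproducing the run (semodule -DB on newer policycoreutils, or on RHEL 5 loading /usr/share/selinux/targeted/enableaudit.pp with semodule -b and reverting with base.pp afterwards) makes such denials visible to ausearch and audit2allow.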