Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Greg Cornell
On 12/28/16, 3:28 PM, "CentOS on behalf of Robert Moskowitz" wrote:

On 12/28/2016 06:13 PM, Greg Cornell wrote:
> On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" wrote:
>
>
>
> On 12/28/2016 06:05 PM, J Martin Rushton wrote:
>> On 28/12/16 21:24, m.r...@5-cent.us wrote:
>>> Robert Moskowitz wrote:
>>>> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>>>>> On 28/12/16 20:11, Robert Moskowitz wrote:
>>>>>> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>>>>>>> Robert Moskowitz wrote:
>>>>>>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>>>>>>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz wrote:
>>>>>>>>>> Which is why I wonder if there is some different config for the
>>>>>>>>>> C7.3
>>>>>>>>>> version
>>>>>>>>>> of apache.
>>>>>>>>>>
>>>>>>>>>> Or something with the C7-arm build...
>>>>>>>>> Can you check for SELinux warnings/errors in
>>>>>>>>> /var/log/audit/audit.log?
>>>>>>>> Good advice.  As I suspect the problem is with SELinux.
>>>>>>>>
>>>>>>>> So I tried an access.  What follows is the access_log entry, the
>>>>>>>> error_log entry and the 3 entries in the audit.log:
>>>>>>>>
>>>>>>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>>>>>>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
>>>>>>>> rv:50.0)
>>>>>>>> Gecko/20100101 Firefox/50.0"
>>>>>>>>
>>>>>>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>>>>>>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
>>>>>>>> open
>>>>>>>> directory for index: /home/rgm/public_html/family/
>>>>>>>>
>>>>>>>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>>>>>>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>>>>>>>> permissive=0
>>>>>>>>
>>>>>>>> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
>>>>>>>> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
>>>>>>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
>>>>>>>> suid=48
>>>>>>>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>>>>>>> comm="httpd"
>>>>>>>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>>>
>>>>>>>> type=PROCTITLE msg=audit(1482944350.289:339):
>>>>>>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>>>>>>
>>>>>>>>
>>>>>>>> I will say that after enabling selinux on this image per the
>>>>>>>> instructions of the team doing the Centos7-arm builds, I got the
>>>>>>>> following messages when I did things like 'setsebool -P
>>>>>>>> httpd_enable_homedirs on':
>>>>>>>>
>>>>>>>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>>>>>>>> [ 2273.052531] SELinux: the above unknown classes and permissions
>>>>>>>> will
>>>>>>>> be allowed
>>>>>>>>
>>>>>>>>
>>>>>>>> So something may well not be right with my SELinux.
>>>>>>>>
>>>>>>> Bang. I would suggest, at this point, that you might want to set
>>>>>>> selinux
>>>>>>> into permissive mode, so you'll get the error messages from it, and
>>>>>>> can
>>>>>>> work out fixes, but will let your system operate a

Re: [CentOS] Help with httpd userdir recovery

2016-12-28 Thread Greg Cornell
On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" wrote:



On 12/28/2016 06:05 PM, J Martin Rushton wrote:
>
> On 28/12/16 21:24, m.r...@5-cent.us wrote:
>> Robert Moskowitz wrote:
>>>
>>> On 12/28/2016 03:32 PM, J Martin Rushton wrote:
>>>> On 28/12/16 20:11, Robert Moskowitz wrote:
>>>>> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>>>>>> Robert Moskowitz wrote:
>>>>>>> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>>>>>>>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz wrote:
>>>>>>>>> Which is why I wonder if there is some different config for the
>>>>>>>>> C7.3
>>>>>>>>> version
>>>>>>>>> of apache.
>>>>>>>>>
>>>>>>>>> Or something with the C7-arm build...
>>>>>>>> Can you check for SELinux warnings/errors in
>>>>>>>> /var/log/audit/audit.log?
>>>>>>> Good advice.  As I suspect the problem is with SELinux.
>>>>>>>
>>>>>>> So I tried an access.  What follows is the access_log entry, the
>>>>>>> error_log entry and the 3 entries in the audit.log:
>>>>>>>
>>>>>>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
>>>>>>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64;
>>>>>>> rv:50.0)
>>>>>>> Gecko/20100101 Firefox/50.0"
>>>>>>>
>>>>>>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
>>>>>>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't
>>>>>>> open
>>>>>>> directory for index: /home/rgm/public_html/family/
>>>>>>>
>>>>>>> type=AVC msg=audit(1482944350.289:339): avc:  denied  { read } for
>>>>>>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
>>>>>>> scontext=system_u:system_r:httpd_t:s0
>>>>>>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
>>>>>>> permissive=0
>>>>>>>
>>>>>>> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
>>>>>>> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
>>>>>>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48
>>>>>>> suid=48
>>>>>>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
>>>>>>> comm="httpd"
>>>>>>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>>>>>>>
>>>>>>> type=PROCTITLE msg=audit(1482944350.289:339):
>>>>>>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>>>>>>>
>>>>>>>
>>>>>>> I will say that after enabling selinux on this image per the
>>>>>>> instructions of the team doing the Centos7-arm builds, I got the
>>>>>>> following messages when I did things like 'setsebool -P
>>>>>>> httpd_enable_homedirs on':
>>>>>>>
>>>>>>> [ 2273.047017] SELinux:  Class binder not defined in policy.
>>>>>>> [ 2273.052531] SELinux: the above unknown classes and permissions
>>>>>>> will
>>>>>>> be allowed
>>>>>>>
>>>>>>>
>>>>>>> So something may well not be right with my SELinux.
>>>>>>>
>>>>>> Bang. I would suggest, at this point, that you might want to set
>>>>>> selinux
>>>>>> into permissive mode, so you'll get the error messages from it, and
>>>>>> can
>>>>>> work out fixes, but will let your system operate as you intend.
>>>>>> setselinux 0
>>>>>>
>>>>>> Note that this is *temporary*, and will revert on reboot. To make it
>>>>>> permanent, you'd need to edit /etc/selinux/config.
>>>>> Thanks, Mark, I was just getting around to that way of thinking.
>>>>>
>>>>> The command, at least on my Centos7-arm system is
>>>>>
>>>>> setenforce 0
>>>>>
>>>>> A presto it works.  So now to figure out what is wrong with SElinux on
>>>>> this image.
>>>>>
>>>>> ___
>>>>> CentOS mailing list
>>>>> CentOS@centos.org
>>>>> https://lists.centos.org/mailman/listinfo/centos
>>>> Have you got the setroubleshoot-server package installed?  For x86_64 it
>>>> is part of the base repository, obviously arm may differ.  The package
>>>> installs a "SELinux Troubleshooter" entry in the Applications/Sundry
>>>> menu, or it can be launched via:
>>> No GUI in the base image.  And on arm, we tend to use Xfce.
>>>
>>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>> no sealert bin file, so it is off to install it.
>>>
>>>> It generates suggestions to fix SELinux issues.  Sometimes it is quite
>>>> useful, on other occasions it just lists vast numbers of possibilities
>>>> with little or no help.  On balance it is worth trying for when it does
>>>> help.
>>> I have never had it make useful suggestions to me on my notebook, but we
>>> will see...
>>>
>>> so here is what happens after I install it:
>>>
>>> # /usr/bin/python -Es /usr/bin/sealert -s
>>> Opps, sealert hit an error!
>>>
>>> Traceback (most recent call last):
>>> File "/usr/bin/sealert", line 651, in 
>>>   import gtk
>>> ImportError: No module named gtk
>>>
>>> If it needs a GUI, then that won't work here.  Headless system.
>>>
>> Nahh... you want to install setroubleshoot.
>>
>> mark
>>
>> ___
>> CentOS mailing list
>> CentOS@centos.org
>> https://lists.centos.org/mailman/listinfo/centos
>>
> Sorry, missed the n