I am using CentOS 6.6. I am trying to call the service command from PHP code:

exec("sudo -u kouser bash  ./1.bash 2>&1",$output,$code);

1.bash

#!/bin/bash
sudo service httpd graceful

The output of execution

httpd: unrecognized service

When I stopped SELinux the execution succeeded. I want to execute my code without stopping SELinux; however, I don't want to use audit2allow: it will solve the issue but without me understanding why. When I used audit2why it didn't give me any more information.

tail /var/log/messages

May 16 11:21:34 Server6 setroubleshoot: SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/httpd. For complete SELinux messages. run sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051

sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051

SELinux is preventing /bin/bash from getattr access on the file /etc/rc.d/init.d/httpd.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that bash should be allowed getattr access on the httpd file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep service /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp


Additional Information:
Source Context                unconfined_u:system_r:httpd_t:s0
Target Context                system_u:object_r:httpd_initrc_exec_t:s0
Target Objects                /etc/rc.d/init.d/httpd [ file ]
Source                        service
Source Path                   /bin/bash
Port                          <Unknown>
Host                          ERP-Server
Source RPM Packages           bash-4.1.2-40.el6.x86_64
Target RPM Packages           httpd-2.2.15-53.el6.centos.x86_64
Policy RPM                    selinux-policy-3.7.19-292.el6.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     ERP-Server
Platform                      Linux ERP-Server 2.6.32-504.3.3.el6.x86_64 #1 SMP
                              Wed Dec 17 01:55:02 UTC 2014 x86_64 x86_64
Alert Count                   22
First Seen                    Mon 23 May 2016 11:06:03 AM EEST
Last Seen                     Tue 07 Jun 2016 11:36:47 AM EEST
Local ID                      91c2c1ed-cb12-4d36-a655-c91d63827a16

Raw Audit Messages
type=AVC msg=audit(1465288607.625:383): avc:  denied  { getattr } for  pid=14705 comm="service" path="/etc/rc.d/init.d/httpd" dev=dm-0 ino=918236 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_initrc_exec_t:s0 tclass=file


type=SYSCALL msg=audit(1465288607.625:383): arch=x86_64 syscall=stat success=no exit=EACCES a0=19ab9b0 a1=7fffc22e8060 a2=7fffc22e8060 a3=8 items=0 ppid=14704 pid=14705 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm=service exe=/bin/bash subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Hash: service,httpd_t,httpd_initrc_exec_t,file,getattr

audit2allow

#============= httpd_t ==============
allow httpd_t httpd_initrc_exec_t:file getattr;

audit2allow -R

#============= httpd_t ==============
allow httpd_t httpd_initrc_exec_t:file getattr;

tail /var/log/audit/audit.log

type=CRED_DISP msg=audit(1463317995.800:917): user pid=5427 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_CMD msg=audit(1463317995.806:918): user pid=5434 uid=512 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='cwd="/var/www/html/1.php" cmd=7365727669636520687474706420677261636566756C terminal=? res=success'
type=CRED_ACQ msg=audit(1463317995.807:919): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_START msg=audit(1463317995.807:920): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_open acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1463317995.818:921): avc:  denied  { getattr } for  pid=5435 comm="service" path="/etc/rc.d/init.d/httpd" dev=dm-0 ino=918237 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_initrc_exec_t:s0 tclass=file
type=SYSCALL msg=audit(1463317995.818:921): arch=c000003e syscall=4 success=no exit=-13 a0=1f37b20 a1=7fff10f16500 a2=7fff10f16500 a3=8 items=0 ppid=5434 pid=5435 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=1 comm="service" exe="/bin/bash" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=USER_END msg=audit(1463317995.819:922): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_close acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1463317995.819:923): user pid=5434 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1463317995.820:924): user pid=5388 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:session_close acct="kouser" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
type=CRED_DISP msg=audit(1463317995.820:925): user pid=5388 uid=0 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='op=PAM:setcred acct="kouser" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
  • have you tried running the sealert command which you got from /var/log/messages? Commented May 17, 2016 at 8:44
  • yes I tried it but it didn't give me any more information Commented May 17, 2016 at 9:26
  • edit the question with the received output of sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051 Commented May 17, 2016 at 9:29
  • check the update please Commented May 17, 2016 at 9:42
  • That's it; where is the Additional Information: section that will show all the required information of your OS and packages. Commented May 17, 2016 at 9:49
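The raw audit records above already contain everything audit2allow and sealert report: the source domain, the target type, the object class and the denied permission. The following is an added example (not code from the question or the answer) that parses those records in Python 3, decodes the hex-encoded cmd= field of the sudo USER_CMD record, and renders the same TE rule audit2allow prints, so the denial can be read before deciding whether a label change or a policy rule is the right fix. The sample log lines are copied from this page; the function names are my own.

```python
"""Parse SELinux AVC denials and sudo USER_CMD records from audit.log lines.

Added example; not part of the original question or answer.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the USER_CMD line and the two AVC lines quoted on this page.
SAMPLE_LOG = """\
type=USER_CMD msg=audit(1463317995.806:918): user pid=5434 uid=512 auid=0 ses=1 subj=unconfined_u:system_r:httpd_t:s0 msg='cwd="/var/www/html/1.php" cmd=7365727669636520687474706420677261636566756C terminal=? res=success'
type=AVC msg=audit(1463317995.818:921): avc:  denied  { getattr } for  pid=5435 comm="service" path="/etc/rc.d/init.d/httpd" dev=dm-0 ino=918237 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_initrc_exec_t:s0 tclass=file
type=AVC msg=audit(1463478036.369:232): avc: denied { execute } for pid=2072 comm="env" name="httpd" dev=dm-0 ino=918237 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# auditd hex-encodes cmd= when the command contains spaces; otherwise it is quoted.
USER_CMD_RE = re.compile(r'type=USER_CMD\b.*?\bcmd=(?P<cmd>"[^"]*"|[0-9A-Fa-f]+)')


@dataclass(frozen=True)
class Denial:
    perms: List[str]
    comm: str
    scontext: str
    tcontext: str
    tclass: str

    @property
    def source_type(self) -> str:
        # A context is user:role:type:level; the type is what policy rules name.
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]

    def allow_rule(self) -> str:
        """The TE rule audit2allow derives from this record."""
        perms = self.perms[0] if len(self.perms) == 1 else "{ " + " ".join(self.perms) + " }"
        return f"allow {self.source_type} {self.target_type}:{self.tclass} {perms};"


def parse_avc(line: str) -> Optional[Denial]:
    m = AVC_RE.search(line)
    if not m:
        return None
    return Denial(m["perms"].split(), m["comm"], m["scontext"], m["tcontext"], m["tclass"])


def decode_user_cmd(line: str) -> Optional[str]:
    """Return the command sudo logged, decoding the hex form if present."""
    m = USER_CMD_RE.search(line)
    if not m:
        return None
    raw = m["cmd"]
    if raw.startswith('"'):
        return raw.strip('"')
    return bytes.fromhex(raw).decode("utf-8", errors="replace")


def source_domains(log_text: str) -> List[str]:
    """Distinct SELinux domains that were denied something in this log."""
    return sorted({d.source_type for d in map(parse_avc, log_text.splitlines()) if d})


def summarize(log_text: str) -> List[str]:
    """One human-readable line per USER_CMD or AVC record."""
    out = []
    for line in log_text.splitlines():
        cmd = decode_user_cmd(line)
        if cmd is not None:
            out.append(f"sudo ran: {cmd!r}")
        d = parse_avc(line)
        if d is not None:
            out.append(f"{d.comm}: domain {d.source_type} denied {' '.join(d.perms)} "
                       f"on {d.tclass} labelled {d.target_type} -> {d.allow_rule()}")
    return out


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        print(entry)
```

Running it over the page's records shows that every denial comes from the httpd_t domain: the sudo records carry subj=...:httpd_t:s0 both before and after the privilege change, so the bash script started from PHP is still running in Apache's confined domain when it calls service. The first record renders to exactly the rule audit2allow printed above (allow httpd_t httpd_initrc_exec_t:file getattr;); the second record, from the comment on the answer, shows that relabelling the init script to public_content_t trades the getattr denial for an execute denial, which is why a label change on the script does not resolve this case.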

1 Answer

sealert -l 92a5910b-1bfe-4b98-a2de-d773cce85051 will describe the exact cause; in the summary section you'll find the file name & the SELinux context.

For fixing the issue execute the command below.

chcon -t selinux_context 'file_name'

A suggested command to allow access and resolve the denial. It gives the command to change the file1 type to public_content_t, which is accessible to the Apache HTTP Server.

Possible bug Link1 Link2

  • I ran this command but it is still not working: type=AVC msg=audit(1463478036.369:232): avc: denied { execute } for pid=2072 comm="env" name="httpd" dev=dm-0 ino=918237 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:public_content_t:s0 tclass=file Commented May 17, 2016 at 9:43
  • have you updated the system packages? Commented May 17, 2016 at 9:53
  • it is up to date Commented May 17, 2016 at 9:56
