How to run PhantomJS on CentOS with SELinux?


I am trying to make screenshots with PhantomJS on my CentOS 5 machine, but I can't get it to work with SELinux. It works on the same machine with SELinux disabled, so I really suspect SELinux is responsible.

Here is what I have tried (all commands run as root), and the errors I got:

    $ ls -Z /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin
    -rwxr-xr-x  myusername myusername system_u:object_r:bin_t          phantomjs

Tried taking a screenshot – failed

    $ cat /var/log/messages | grep avc
    Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.014:398): avc:  denied  { getattr } for  pid=6842 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
    Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.014:399): avc:  denied  { getattr } for  pid=6842 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
    Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.054:400): avc:  denied  { getattr } for  pid=6852 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
    Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.054:401): avc:  denied  { getattr } for  pid=6852 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
    Sep 13 12:21:19 myserver kernel: type=1400 audit(1347531679.866:402): avc:  denied  { getattr } for  pid=6864 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
    Sep 13 12:21:19 myserver kernel: type=1400 audit(1347531679.867:403): avc:  denied  { getattr } for  pid=6864 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
    Sep 13 12:21:19 myserver kernel: type=1400 audit(1347531679.920:404): avc:  denied  { getattr } for  pid=6874 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
    Sep 13 12:21:19 myserver kernel: type=1400 audit(1347531679.920:405): avc:  denied  { getattr } for  pid=6874 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
    Sep 13 12:21:27 myserver kernel: type=1400 audit(1347531687.025:406): avc:  denied  { read } for  pid=6890 comm="phantomjs" name="3830d5c3ddfd5cd38a049b759396e72e-x86-64.cache-2" dev=dm-0 ino=2021753 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
    Sep 13 12:21:27 myserver kernel: type=1400 audit(1347531687.035:407): avc:  denied  { write } for  pid=6890 comm="phantomjs" name="myusername" dev=dm-0 ino=619658 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
    Sep 13 12:21:27 myserver kernel: type=1400 audit(1347531687.061:408): avc:  denied  { read } for  pid=6890 comm="phantomjs" name="e3ead4b767b8819993a6fa3ae306afa9-x86-64.cache-2" dev=dm-0 ino=2021752 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
    Sep 13 12:21:28 myserver kernel: type=1400 audit(1347531688.720:410): avc:  denied  { execmem } for  pid=6890 comm="phantomjs" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

Tried changing the type of phantomjs to httpd_sys_script_exec_t

    $ chcon -v -t httpd_sys_script_exec_t /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs
    $ ls -Z /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin
    -rwxr-xr-x  myusername myusername system_u:object_r:httpd_sys_script_exec_t phantomjs

Retried the screenshot – failed

    $ cat /var/log/messages | grep avc
    Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.891:414): avc:  denied  { read } for  pid=6962 comm="phantomjs" path="eventpoll:[9737788]" dev=eventpollfs ino=9737788 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
    Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.892:415): avc:  denied  { write } for  pid=6962 comm="phantomjs" path=2F7661722F72756E2F777367692E363535352E302E312E6C6F636B202864656C6574656429 dev=dm-0 ino=2022252 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
    Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.892:416): avc:  denied  { write } for  pid=6962 comm="phantomjs" path=2F7661722F72756E2F777367692E363535352E302E322E6C6F636B202864656C6574656429 dev=dm-0 ino=2022255 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
    Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.892:417): avc:  denied  { write } for  pid=6962 comm="phantomjs" path=2F7661722F72756E2F777367692E363535352E302E332E6C6F636B202864656C6574656429 dev=dm-0 ino=2022257 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file
    Sep 13 12:26:05 myserver kernel: type=1400 audit(1347531965.893:418): avc:  denied  { write } for  pid=6962 comm="phantomjs" path=2F7661722F72756E2F777367692E363535352E302E342E6C6F636B202864656C6574656429 dev=dm-0 ino=2022266 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file

Tried changing the type of phantomjs to httpd_t

    $ chcon -v -t httpd_t /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs
    Failed to change context of /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs to system_u:object_r:httpd_t
    chcon: Failed to change context of /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs to system_u:object_r:httpd_t: Permission denied

Tried changing the type of phantomjs to httpd_var_run_t

    $ chcon -v -t httpd_var_run_t /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs
    $ ls -Z /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin
    -rwxr-xr-x  myusername myusername system_u:object_r:httpd_var_run_t phantomjs

Retried the screenshot – failed

    $ cat /var/log/messages | grep avc
    Sep 13 12:29:36 myserver kernel: type=1400 audit(1347532176.754:420): avc:  denied  { execute } for  pid=7002 comm="httpd" name="phantomjs" dev=dm-0 ino=3032985 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=file

Tried changing the type of phantomjs to httpd_sys_script_t

    $ chcon -v -t httpd_sys_script_t /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs
    Failed to change context of /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs to system_u:object_r:httpd_sys_script_t
    chcon: Failed to change context of /usr/local/phantomjs/phantomjs-1.6.2-linux-x86_64-dynamic/bin/phantomjs to system_u:object_r:httpd_sys_script_t: Permission denied

Here is some more information about the SELinux setup:

    $ sestatus
    SELinux status:                 enabled
    SELinuxfs mount:                /selinux
    Current mode:                   enforcing
    Mode from config file:          enforcing
    Policy version:                 21
    Policy from config file:        targeted

    $ getsebool -a | grep http
    allow_httpd_anon_write --> off
    allow_httpd_bugzilla_script_anon_write --> off
    allow_httpd_cvs_script_anon_write --> off
    allow_httpd_mod_auth_pam --> off
    allow_httpd_nagios_script_anon_write --> off
    allow_httpd_prewikka_script_anon_write --> off
    allow_httpd_squid_script_anon_write --> off
    allow_httpd_sys_script_anon_write --> off
    httpd_builtin_scripting --> on
    httpd_can_network_connect --> off
    httpd_can_network_connect_db --> off
    httpd_can_network_relay --> off
    httpd_can_sendmail --> on
    httpd_disable_trans --> off
    httpd_enable_cgi --> on
    httpd_enable_ftp_server --> off
    httpd_enable_homedirs --> on
    httpd_execmem --> off
    httpd_read_user_content --> off
    httpd_rotatelogs_disable_trans --> off
    httpd_setrlimit --> off
    httpd_ssi_exec --> off
    httpd_suexec_disable_trans --> off
    httpd_tty_comm --> on
    httpd_unified --> on
    httpd_use_cifs --> off
    httpd_use_nfs --> off

    $ uname -r
    2.6.18-308.1.1.el5

Does anyone with SELinux / httpd experience know whether there is a context that matches what I am trying to do? Or should I perhaps bite the bullet and write some custom policy for this?

Solution: Here are some snippets from http://wiki.centos.org/HowTos/SELinux#7 on how to create a custom policy module with audit2allow.

Try it

    setenforce 0
    grep phantomjs /var/log/audit/audit.log | audit2allow -m httpd_phantomjs > httpd_phantomjs.te
    cat httpd_phantomjs.te

Install it

    grep phantomjs /var/log/audit/audit.log | audit2allow -M httpd_phantomjs
    semodule -i httpd_phantomjs.pp
    ls /etc/selinux/targeted/modules/active/modules/ | grep httpd

Test it

    setenforce 1
    tail -f /var/log/audit/audit.log

This is untested, so update it as needed. Hope this works for you.
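The audit2allow step in the answer above turns every denial in the log into an allow rule, including the execmem and home-directory write that appear in the question's AVC output. The following Python script is an added illustration (not code from the answer, the CentOS wiki or PhantomJS): it parses constructed AVC lines modelled on those in the question into the same kind of .te module and annotates the rules a reviewer should not accept blindly; the boolean and risky-type tables it uses are assumptions for illustration only.

```python
import re
from collections import defaultdict

# Constructed sample log modelled on the question's AVC lines (ldconfig getattr,
# write to the user's home dir, execmem) plus one unrelated line the parser must skip.
SAMPLE_LOG = """\
Sep 13 12:21:18 myserver kernel: type=1400 audit(1347531678.014:398): avc:  denied  { getattr } for  pid=6842 comm="sh" path="/sbin/ldconfig" dev=dm-0 ino=3097762 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:ldconfig_exec_t:s0 tclass=file
Sep 13 12:21:27 myserver kernel: type=1400 audit(1347531687.035:407): avc:  denied  { write } for  pid=6890 comm="phantomjs" name="myusername" dev=dm-0 ino=619658 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_dir_t:s0 tclass=dir
Sep 13 12:21:28 myserver kernel: type=1400 audit(1347531688.720:410): avc:  denied  { execmem } for  pid=6890 comm="phantomjs" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
Sep 13 12:21:29 myserver sshd[1234]: Accepted publickey for myusername from 10.0.0.5
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=\w+:\w+:(?P<stype>\w+):\S*\s+'
                    r'tcontext=\w+:\w+:(?P<ttype>\w+):\S*\s+tclass=(?P<tclass>\w+)')

# Assumed review tables (illustrative, not complete): a denial an existing boolean
# already governs (the question's getsebool shows httpd_execmem off) and target
# types that should not be opened to httpd_t without a second look.
BOOLEAN_HINTS = {("httpd_t", "process", "execmem"): "httpd_execmem"}
RISKY_TTYPES = {"user_home_dir_t", "user_home_t", "shadow_t", "etc_t"}

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            rules[(m["stype"], m["ttype"], m["tclass"])].update(m["perms"].split())
    return dict(rules)

def to_te(rules, module="httpd_phantomjs"):
    """Render a .te module shaped like audit2allow -m output, with review notes."""
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    types = sorted({t for s, tt, _ in rules for t in (s, tt)})
    lines = [f"module {module} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (s, tt, cls), perms in sorted(rules.items()):
        for p in sorted(perms):
            if (s, cls, p) in BOOLEAN_HINTS:
                lines.append(f"# {p} on {cls}: toggle boolean {BOOLEAN_HINTS[(s, cls, p)]} instead")
        if tt in RISKY_TTYPES:
            lines.append(f"# REVIEW: this lets {s} reach {tt}; confirm it is really needed")
        lines.append(f"allow {s} {tt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"
```

Run `print(to_te(parse_denials(open("/var/log/audit/audit.log").read())))` on a real log to compare against what audit2allow -m emits before installing a module.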

Original URL: http://outofmemory.cn/yw/1042796.html
