Re: [CentOS] Help with httpd userdir recovery
On 12/28/2016 06:33 PM, Greg Cornell wrote:
On 12/28/16, 3:28 PM, "CentOS on behalf of Robert Moskowitz" wrote:
On 12/28/2016 06:13 PM, Greg Cornell wrote:
On 12/28/16, 3:09 PM, "CentOS on behalf of Robert Moskowitz" wrote:
On 12/28/2016 06:05 PM, J Martin Rushton wrote:
On 28/12/16 21:24, m.r...@5-cent.us wrote:
Robert Moskowitz wrote:
On 12/28/2016 03:32 PM, J Martin Rushton wrote:
On 28/12/16 20:11, Robert Moskowitz wrote:
On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
Robert Moskowitz wrote:
On 12/28/2016 05:11 AM, Todor Petkov wrote:
On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz wrote:

Which is why I wonder if there is some different config for the C7.3 version of apache.

Or something with the C7-arm build...

Can you check for SELinux warnings/errors in /var/log/audit/audit.log?

Good advice. As I suspect the problem is with SELinux.

So I tried an access. What follows is the access_log entry, the error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/ HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141] (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322 per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44

I will say that after enabling selinux on this image per the instructions of the team doing the Centos7-arm builds, I got the following messages when I did things like 'setsebool -P httpd_enable_homedirs on':

[ 2273.047017] SELinux: Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions will be allowed

So something may well not be right with my SELinux.

Bang. I would suggest, at this point, that you might want to set selinux into permissive mode, so you'll get the error messages from it, and can work out fixes, but will let your system operate as you intend.

setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it permanent, you'd need to edit /etc/selinux/config.

Thanks, Mark, I was just getting around to that way of thinking.

The command, at least on my Centos7-arm system is

setenforce 0

A presto it works. So now to figure out what is wrong with SELinux on this image.

___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos

Have you got the setroubleshoot-server package installed? For x86_64 it is part of the base repository, obviously arm may differ. The package installs a "SELinux Troubleshooter" entry in the Applications/Sundry menu, or it can be launched via:

No GUI in the base image. And on arm, we tend to use Xfce.

# /usr/bin/python -Es /usr/bin/sealert -s

no sealert bin file, so it is off to install it.

It generates suggestions to fix SELinux issues. Sometimes it is quite useful, on other occasions it just lists vast numbers of possibilities with little or no help. On balance it is worth trying for when it does help.

I have never had it make useful suggestions to me on my notebook, but we will see...

so here is what happens after I install it:

# /usr/bin/python -Es /usr/bin/sealert -s
Opps, sealert hit an error!

Traceback (most recent call last):
  File "/usr/bin/sealert", line 651, in
    import gtk
ImportError: No module named gtk

If it needs a GUI, then that won't work here. Headless system.

Nahh... you want to instal setroubleshoot.

mark

Sorry, missed the no GUI if it was mentioned earlier.

Never mentioned it. I have not checked to see what GUI has been ported to try and load something. I *DO* use Xfce with Fedora-arm systems. But I would have to hook this little server up to such.

You _might_ get away with ssh -Y from a workstation but you might end up wasting time. No guarantees I'm afraid. :-)

Martin

Yeah, ssh -Y can be such fun with a headless system.
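On a headless host where sealert cannot start, the audit records quoted in the message above can be read directly. The Python below is an added example, not part of the thread or of any tool it mentions: it groups records by audit event ID, extracts the denied permission, source and target types and object class from the AVC record, and decodes the hex-encoded PROCTITLE. The function names are illustrative, and SAMPLE holds the three records as quoted in the thread.

```python
import re
from collections import defaultdict

# The three audit.log records quoted in the thread (one event, serial 339).
SAMPLE = '''\
type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322 per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fields(text):
    """Parse key=value pairs; quoted values lose their quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(text)}


def decode_proctitle(value):
    """Return argv from a hex-encoded proctitle (NUL-separated arguments)."""
    try:
        raw = bytes.fromhex(value)
    except ValueError:
        return [value]                    # not hex: leave untouched
    return [a.decode('utf-8', 'replace') for a in raw.split(b'\0') if a]


def parse_events(log_text):
    """Group records by (timestamp, serial) and summarise each AVC event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue                      # not an audit record
        rtype, stamp, serial, body = m.groups()
        ev = events[(stamp, serial)]
        if rtype == 'AVC':
            a = AVC.search(body)
            if not a:
                continue
            f = fields(a.group(3))
            ev.update(result=a.group(1), perms=a.group(2).split(),
                      comm=f.get('comm'), name=f.get('name'),
                      scontext=f.get('scontext'), tcontext=f.get('tcontext'),
                      tclass=f.get('tclass'),
                      permissive=f.get('permissive') == '1')
        elif rtype == 'SYSCALL':
            f = fields(body)
            ev.update(exe=f.get('exe'), uid=f.get('uid'), exit=f.get('exit'))
        elif rtype == 'PROCTITLE':
            raw = body.partition('proctitle=')[2]
            # A quoted value is plain text; an unquoted one is hex.
            ev['argv'] = ([raw.strip('"')] if raw.startswith('"')
                          else decode_proctitle(raw))
    # Keep only events that actually contain an AVC decision.
    return {k: v for k, v in events.items() if 'result' in v}


def type_of(context):
    """An SELinux context is user:role:type:level; return the type field."""
    return context.split(':')[2]


def describe(ev):
    """One-line summary: who was denied what on which labelled object."""
    perms = ' '.join(ev['perms'])
    return (f"{ev['result']} {{ {perms} }}: {type_of(ev['scontext'])} -> "
            f"{type_of(ev['tcontext'])}:{ev['tclass']} "
            f"(name={ev['name']}, exe={ev.get('exe')}, "
            f"enforced={not ev['permissive']})")


if __name__ == '__main__':
    for (stamp, serial), ev in parse_events(SAMPLE).items():
        print(serial, describe(ev))
        print('  argv:', ev.get('argv'))
```

To run it against the live log, pass the contents of /var/log/audit/audit.log (readable by root) to parse_events instead of SAMPLE.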
Re: [CentOS] Help with httpd userdir recovery
On 12/28/2016 06:13 PM, Greg Cornell wrote:
> Sorry, I’m a bit late to this thread so I don’t know if anyone has
Re: [CentOS] Help with httpd userdir recovery
On 12/28/2016 06:05 PM, J Martin Rushton wrote:
> Sorry, missed the no GUI if it was mentioned earlier.

Never mentioned it. I have not checked to see what GUI has been ported to try and load something. I *DO* use Xfce with Fedora-arm systems. But I would have to hook this little server up to such.

> You _might_ get away with ssh -Y from a workstation but you might end
> up wasting time. No guarantees I'm afraid. :-)
>
> Martin

Yeah, ssh -Y can be such fun with a headless system.
Re: [CentOS] Help with httpd userdir recovery
On 12/28/2016 04:24 PM, m.r...@5-cent.us wrote:
> Nahh... you want to instal setroubleshoot.

# yum install setroubleshoot
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
No package setroubleshoot available.
Error: Nothing to do

:(
Re: [CentOS] Help with httpd userdir recovery
On 28/12/16 21:24, m.r...@5-cent.us wrote:
> Nahh... you want to instal setroubleshoot.
>
> mark

Sorry, missed the no GUI if it was mentioned earlier. You _might_ get away with ssh -Y from a workstation but you might end up wasting time. No guarantees I'm afraid. :-)

Martin
Re: [CentOS] Help with httpd userdir recovery
Robert Moskowitz wrote:
> so here is what happens after I install it:
>
> # /usr/bin/python -Es /usr/bin/sealert -s
> Opps, sealert hit an error!
>
> Traceback (most recent call last):
>   File "/usr/bin/sealert", line 651, in
>     import gtk
> ImportError: No module named gtk
>
> If it needs a GUI, then that won't work here. Headless system.

Nahh... you want to instal setroubleshoot.

mark
Re: [CentOS] Help with httpd userdir recovery
On 12/28/2016 03:32 PM, J Martin Rushton wrote: On 28/12/16 20:11, Robert Moskowitz wrote: On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote: Robert Moskowitz wrote: On 12/28/2016 05:11 AM, Todor Petkov wrote: On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitzwrote: Which is why I wonder if there is some different config for the C7.3 version of apache. Or something with the C7-arm build... Can you check for SELinux warnings/errors in /var/log/audit/audit.log? Good advice. As I suspect the problem is with SELinux. So I tried an access. What follows is the access_log entry, the error_log entry and the 3 entries in the audit.log: 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/ HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0" [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141] (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open directory for index: /home/rgm/public_html/family/ type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0 type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322 per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44 I will say that after enabling selinux on this image per the instructions of the team doing the Centos7-arm builds, I got the following messages when I did things like 'setsebool -P httpd_enable_homedirs on': [ 2273.047017] SELinux: Class binder not defined in policy. 
[ 2273.052531] SELinux: the above unknown classes and permissions will be allowed So something may well not be right with my SELinux. Bang. I would suggest, at this point, that you might want to set selinux into permissive mode, so you'll get the error messages from it, and can work out fixes, but will let your system operate as you intend. setselinux 0 Note that this is *temporary*, and will revert on reboot. To make it permanent, you'd need to edit /etc/selinux/config. Thanks, Mark, I was just getting around to that way of thinking. The command, at least on my Centos7-arm system is setenforce 0 A presto it works. So now to figure out what is wrong with SElinux on this image. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos Have you got the setroubleshoot-server package installed? For x86_64 it is part of the base repository, obviously arm may differ. The package installs a "SELinux Troubleshooter" entry in the Applications/Sundry menu, or it can be launched via: No GUI in the base image. And on arm, we tend to use Xfce. # /usr/bin/python -Es /usr/bin/sealert -s no sealert bin file, so it is off to install it. It generates suggestions to fix SELinx issues. Sometimes it is quite useful, on other occasions it just lists vast numbers of possibilities with little or no help. On balance it is worth trying for when it does help. I have never had it make useful suggestions to my on my notebook, but we will see... so here is what happens after I install it: # /usr/bin/python -Es /usr/bin/sealert -s Opps, sealert hit an error! Traceback (most recent call last): File "/usr/bin/sealert", line 651, in import gtk ImportError: No module named gtk If it needs a GUI, then that won't work here. Headless system. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] CentOS 7 and systemd: SysV initscript: how detect boot vs. interactive use?
whitivery wrote:
>Jonathan Billings wrote:
>
>>On Sun, Dec 18, 2016 at 08:50:54PM -0800, whitivery wrote:
>>> It is a system with several servers (various platforms/distros).
>>>
>>> One piece of software runs on all of the servers. For it to operate
>>> correctly, the instance on one server (prime) must start before the others
>>> (auxiliary).
>>>
>>> So a boot delay is added (via a script sourced from initscript, which
>>> first waits for network to come up) to set the boot delay values for each
>>> server - prime at 0, others at some other value of 15 to 110 seconds
>>> depending on platform.
>>>
>>> But when it is necessary to manipulate the service interactively via the
>>> "service" command, the boot delay needs to be bypassed.
>>
>>Well, the first thing I'd do is make the service wait for the network
>>to be online. In the [Unit] section add Wants=network-online.target.
>>
>>Secondly, I'd try to find a way for the auxiliary services to ping the
>>prime service to ensure it's up, and make that script an ExecStartPre
>>entry in the [Service] section. You'll want to adjust the
>>TimeoutStartSec in case it might exceed the DefaultTimeoutStartSec in
>>/etc/systemd/system.conf, which is 90 seconds.
>
>Thank you for the idea, but as mentioned, the same service runs on a mix
>of server platforms and distros, and the older ones do not use systemd, so
>I'd prefer to stick with SysV type initscripts that work on all of them.

Follow-up: with no other solution, I solved the problem externally.

I made an alias (actually, a shell function) for "service". If the interactive user is trying to start or restart the affected service, a flag (sourced environment variable in a file under /etc/default) is set, the real service binary is called, the initscript sees the flag and skips the boot delay, then the "service" function restores the flag.

Less than ideal but it works.
Re: [CentOS] Help with httpd userdir recovery
Robert Moskowitz wrote:
> On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote:
>> Robert Moskowitz wrote:

>> Bang. I would suggest, at this point, that you might want to set selinux
>> into permissive mode, so you'll get the error messages from it, and can
>> work out fixes, but will let your system operate as you intend.
>> setselinux 0
>>
>> Note that this is *temporary*, and will revert on reboot. To make it
>> permanent, you'd need to edit /etc/selinux/config.
>
> Thanks, Mark, I was just getting around to that way of thinking.
>
> The command, at least on my Centos7-arm system is
>
> setenforce 0
>
Sorry. Clearly, there's too much blood in my caffeine stream

> A presto it works. So now to figure out what is wrong with SElinux on
> this image.

Good luck.

      mark
Re: [CentOS] Help with httpd userdir recovery
On 28/12/16 20:11, Robert Moskowitz wrote: > > > On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote: >> Robert Moskowitz wrote: >>> On 12/28/2016 05:11 AM, Todor Petkov wrote: On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitzwrote: > Which is why I wonder if there is some different config for the C7.3 > version > of apache. > > Or something with the C7-arm build... Can you check for SELinux warnings/errors in /var/log/audit/audit.log? >>> Good advice. As I suspect the problem is with SELinux. >>> >>> So I tried an access. What follows is the access_log entry, the >>> error_log entry and the 3 entries in the audit.log: >>> >>> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/ >>> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) >>> Gecko/20100101 Firefox/50.0" >>> >>> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141] >>> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open >>> directory for index: /home/rgm/public_html/family/ >>> >>> type=AVC msg=audit(1482944350.289:339): avc: denied { read } for >>> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 >>> scontext=system_u:system_r:httpd_t:s0 >>> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir >>> permissive=0 >>> >>> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322 >>> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0 >>> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 >>> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" >>> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) >>> >>> type=PROCTITLE msg=audit(1482944350.289:339): >>> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44 >>> >>> >>> I will say that after enabling selinux on this image per the >>> instructions of the team doing the Centos7-arm builds, I got the >>> following messages when I did things like 'setsebool -P >>> httpd_enable_homedirs on': >>> 
>>> [ 2273.047017] SELinux: Class binder not defined in policy. >>> [ 2273.052531] SELinux: the above unknown classes and permissions will >>> be allowed >>> >>> >>> So something may well not be right with my SELinux. >>> >> Bang. I would suggest, at this point, that you might want to set selinux >> into permissive mode, so you'll get the error messages from it, and can >> work out fixes, but will let your system operate as you intend. >> setselinux 0 >> >> Note that this is *temporary*, and will revert on reboot. To make it >> permanent, you'd need to edit /etc/selinux/config. > > Thanks, Mark, I was just getting around to that way of thinking. > > The command, at least on my Centos7-arm system is > > setenforce 0 > > A presto it works. So now to figure out what is wrong with SElinux on > this image. > > ___ > CentOS mailing list > CentOS@centos.org > https://lists.centos.org/mailman/listinfo/centos Have you got the setroubleshoot-server package installed? For x86_64 it is part of the base repository, obviously arm may differ. The package installs a "SELinux Troubleshooter" entry in the Applications/Sundry menu, or it can be launched via: # /usr/bin/python -Es /usr/bin/sealert -s It generates suggestions to fix SELinx issues. Sometimes it is quite useful, on other occasions it just lists vast numbers of possibilities with little or no help. On balance it is worth trying for when it does help. signature.asc Description: OpenPGP digital signature ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Help with httpd userdir recovery
On 12/28/2016 01:53 PM, m.r...@5-cent.us wrote: Robert Moskowitz wrote: On 12/28/2016 05:11 AM, Todor Petkov wrote: On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitzwrote: Which is why I wonder if there is some different config for the C7.3 version of apache. Or something with the C7-arm build... Can you check for SELinux warnings/errors in /var/log/audit/audit.log? Good advice. As I suspect the problem is with SELinux. So I tried an access. What follows is the access_log entry, the error_log entry and the 3 entries in the audit.log: 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/ HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0" [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141] (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open directory for index: /home/rgm/public_html/family/ type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0 type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322 per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null) type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44 I will say that after enabling selinux on this image per the instructions of the team doing the Centos7-arm builds, I got the following messages when I did things like 'setsebool -P httpd_enable_homedirs on': [ 2273.047017] SELinux: Class binder not defined in policy. [ 2273.052531] SELinux: the above unknown classes and permissions will be allowed So something may well not be right with my SELinux. Bang. 
I would suggest, at this point, that you might want to set selinux into permissive mode, so you'll get the error messages from it, and can work out fixes, but will let your system operate as you intend. setselinux 0 Note that this is *temporary*, and will revert on reboot. To make it permanent, you'd need to edit /etc/selinux/config. Thanks, Mark, I was just getting around to that way of thinking. The command, at least on my Centos7-arm system is setenforce 0 A presto it works. So now to figure out what is wrong with SElinux on this image. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Help with httpd userdir recovery
Robert Moskowitz wrote:
> On 12/28/2016 05:11 AM, Todor Petkov wrote:
>> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz wrote:
>>> Which is why I wonder if there is some different config for the C7.3
>>> version of apache.
>>>
>>> Or something with the C7-arm build...
>> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?
>
> Good advice. As I suspect the problem is with SELinux.
>
> So I tried an access. What follows is the access_log entry, the
> error_log entry and the 3 entries in the audit.log:
>
> 192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/
> HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0)
> Gecko/20100101 Firefox/50.0"
>
> [Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141]
> (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open
> directory for index: /home/rgm/public_html/family/
>
> type=AVC msg=audit(1482944350.289:339): avc: denied { read } for
> pid=2141 comm="httpd" name="family" dev="sda3" ino=262199
> scontext=system_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir
> permissive=0
>
> type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322
> per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0
> items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
> exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
>
> type=PROCTITLE msg=audit(1482944350.289:339):
> proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
>
>
> I will say that after enabling selinux on this image per the
> instructions of the team doing the Centos7-arm builds, I got the
> following messages when I did things like 'setsebool -P
> httpd_enable_homedirs on':
>
> [ 2273.047017] SELinux: Class binder not defined in policy.
> [ 2273.052531] SELinux: the above unknown classes and permissions will
> be allowed
>
>
> So something may well not be right with my SELinux.
>
Bang. I would suggest, at this point, that you might want to set selinux into permissive mode, so you'll get the error messages from it, and can work out fixes, but will let your system operate as you intend.

setselinux 0

Note that this is *temporary*, and will revert on reboot. To make it permanent, you'd need to edit /etc/selinux/config.

      mark
Re: [CentOS] Help with httpd userdir recovery
On 12/28/2016 05:11 AM, Todor Petkov wrote:
> On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz wrote:
>> Which is why I wonder if there is some different config for the C7.3 version
>> of apache.
>>
>> Or something with the C7-arm build...
> Can you check for SELinux warnings/errors in /var/log/audit/audit.log?

Good advice. As I suspect the problem is with SELinux.

So I tried an access. What follows is the access_log entry, the error_log entry and the 3 entries in the audit.log:

192.168.160.12 - - [28/Dec/2016:11:59:10 -0500] "GET /~rgm/family/ HTTP/1.1" 403 214 "-" "Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0"

[Wed Dec 28 11:59:10.294915 2016] [autoindex:error] [pid 2141] (13)Permission denied: [client 192.168.160.12:56456] AH01275: Can't open directory for index: /home/rgm/public_html/family/

type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0

type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322 per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44

I will say that after enabling selinux on this image per the instructions of the team doing the Centos7-arm builds, I got the following messages when I did things like 'setsebool -P httpd_enable_homedirs on':

[ 2273.047017] SELinux: Class binder not defined in policy.
[ 2273.052531] SELinux: the above unknown classes and permissions will be allowed

So something may well not be right with my SELinux.

Bob
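The three audit.log records in the message above carry the same event id (1482944350.289:339), so they describe one denied operation and are easiest to read together. The following Python sketch is an added example, not part of the original thread: it groups records by event id, pulls the SELinux types out of the AVC record, maps the SYSCALL exit code to an errno name, and decodes the hex-encoded proctitle. The function names are illustrative; the input is the log text quoted in the message.

```python
import errno
import re

# The three records quoted in the message above (one event, id 339).
AUDIT_LOG = '''\
type=AVC msg=audit(1482944350.289:339): avc: denied { read } for pid=2141 comm="httpd" name="family" dev="sda3" ino=262199 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_user_content_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1482944350.289:339): arch=4028 syscall=322 per=80 success=no exit=-13 a0=ff9c a1=80657458 a2=a4800 a3=0 items=0 ppid=2135 pid=2141 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=PROCTITLE msg=audit(1482944350.289:339): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
'''

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
AVC = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fields(text):
    """Return the key=value pairs of a record body, values left raw."""
    return dict(FIELD.findall(text))


def untrusted(raw):
    """Audit writes untrusted strings either "quoted" or, when they hold
    spaces, NULs or control bytes, as bare hex. Return the raw bytes."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].encode()
    if re.fullmatch(r'(?:[0-9A-Fa-f]{2})+', raw):
        return bytes.fromhex(raw)
    return raw.encode()  # e.g. (null)


def parse_events(log_text):
    """Group record bodies by (timestamp, serial) so one event reads as a unit."""
    events = {}
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, stamp, serial, body = m.groups()
            events.setdefault((stamp, serial), {})[rtype] = body
    return events


def summarise(records):
    """Summarise one event; returns None if it holds no AVC record."""
    avc = AVC.search(records.get('AVC', ''))
    if not avc:
        return None
    result, perms, rest = avc.groups()
    a = fields(rest)
    sc = fields(records.get('SYSCALL', ''))
    pt = fields(records.get('PROCTITLE', ''))
    exit_code = int(sc['exit']) if 'exit' in sc else 0
    argv = untrusted(pt['proctitle']).split(b'\0') if 'proctitle' in pt else []
    return {
        'result': result,
        'perms': perms.split(),
        # An SELinux context is user:role:type:level; the type drives the decision.
        'source_type': a['scontext'].split(':')[2],
        'target_type': a['tcontext'].split(':')[2],
        'tclass': a['tclass'],
        'object': untrusted(a.get('name', '""')).decode('utf-8', 'replace'),
        # permissive=0 means the denial was enforced, not just logged.
        'enforced': a.get('permissive') == '0',
        # A negative syscall exit value is -errno.
        'errno': errno.errorcode.get(-exit_code) if exit_code < 0 else None,
        'argv': [p.decode('utf-8', 'replace') for p in argv if p],
    }


if __name__ == '__main__':
    for key, records in parse_events(AUDIT_LOG).items():
        print(key, summarise(records))
```

The errno that comes back is the same EACCES that a file-mode failure would produce, which is why the Apache error_log line alone cannot distinguish the two; the AVC record is what shows the denial came from SELinux.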
Re: [CentOS] Help with httpd userdir recovery
On 12/28/2016 09:26 AM, Louis Lagendijk wrote: On Wed, 2016-12-28 at 08:20 -0500, Robert Moskowitz wrote: On 12/28/2016 07:35 AM, Louis Lagendijk wrote: Robert, On Wed, 2016-12-28 at 01:43 +0100, John Fawcett wrote: On 12/28/2016 01:12 AM, Robert Moskowitz wrote: On 12/27/2016 07:06 PM, John Fawcett wrote: On 12/28/2016 12:34 AM, Robert Moskowitz wrote: On 12/27/2016 05:44 PM, John Fawcett wrote: That error should be caused by having MultiViews options but incorrect permissions (711 instead of 755) on the directory. I just did chmod -R 755 /home/rgm/public_html and no change in behavior. Even tried chmod -R 755 /home/rgm Are you actually using MultiViews? If you don't need that option, maybe the easiest thing is to take it out and see if the error message changes. I am using the default conf file for userdir. /etc/httpd/conf.d/userdir.conf So I deleted Multiviews and now the error is: [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138] (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't open directory for index: /home/rgm/public_html/family/ I know this is not going to help, but that error means that apache does not have access to read the directory /home/rgm/public_html/family/. That doesn't really fit with the rest of the evidence, that you have chmod 755 everything from /home/rgm/public_html downwards and that apache can read specific files from /home/rgm/public_html. John but is apache allowed access to /home/rgm ? Try su - apache -s /bin/bash to run a shell as apache and see how far you get starting from cd /home and if that works cd /home/rgm and so on... That will check normal user permissions, but not selinux Command apache not known! All I installed, directly, for the web server was 'yum install httpd'. In a single command from root: su - apache -s /bin/bash The "su -" is part of the command I really did not read your instructions well enough. I got it this time and followed it. 
I had no problem CDing all the way up the /home tree, doing 'ls' along the way. So normal user permissions work. I have to check out selinux as Todor recommended. There was/is some sort of selinux issue with this C7-arm image. I will post all of that in a separate message. Plus some posts on the centos-arm list will be needed. Bob ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Help with httpd userdir recovery
On Wed, 2016-12-28 at 08:20 -0500, Robert Moskowitz wrote: > > On 12/28/2016 07:35 AM, Louis Lagendijk wrote: > > Robert, > > On Wed, 2016-12-28 at 01:43 +0100, John Fawcett wrote: > > > On 12/28/2016 01:12 AM, Robert Moskowitz wrote: > > > > > > > > On 12/27/2016 07:06 PM, John Fawcett wrote: > > > > > On 12/28/2016 12:34 AM, Robert Moskowitz wrote: > > > > > > On 12/27/2016 05:44 PM, John Fawcett wrote: > > > > > > > That error should be caused by having MultiViews options > > > > > > > but > > > > > > > incorrect > > > > > > > permissions (711 instead of 755) on the directory. > > > > > > > > > > > > I just did chmod -R 755 /home/rgm/public_html and no change > > > > > > in > > > > > > behavior. > > > > > > > > > > > > Even tried chmod -R 755 /home/rgm > > > > > > > > > > Are you actually using MultiViews? If you don't need that > > > > > option, > > > > > maybe > > > > > the easiest thing is to take it out and see if the error > > > > > message > > > > > changes. > > > > > > > > I am using the default conf file for userdir. > > > > > > > > /etc/httpd/conf.d/userdir.conf > > > > > > > > So I deleted Multiviews and now the error is: > > > > > > > > [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138] > > > > (13)Permission denied: [client 192.168.160.12:55762] AH01275: > > > > Can't > > > > open directory for index: /home/rgm/public_html/family/ > > > > > > > > > > > > > > > > > > I know this is not going to help, but that error means that > > > apache > > > does > > > not have access to read the directory > > > /home/rgm/public_html/family/. > > > That doesn't really fit with the rest of the evidence, that you > > > have > > > chmod 755 everything from /home/rgm/public_html downwards and > > > that > > > apache can read specific files from /home/rgm/public_html. > > > John > > > > but is apache allowed access to /home/rgm ? 
> > Try su - apache -s /bin/bash to run a shell as apache and see how > > far > > you get starting from cd /home and if that works cd /home/rgm and > > so > > on... That will check normal user permissions, but not selinux > > Command apache not known! > > All I installed, directly, for the web server was 'yum install > httpd'. > > In a single command from root: su - apache -s /bin/bash The "su -" is part of the command /Louis > ___ > CentOS mailing list > CentOS@centos.org > https://lists.centos.org/mailman/listinfo/centos > ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] Help with httpd userdir recovery
On 12/28/2016 07:35 AM, Louis Lagendijk wrote: Robert, On Wed, 2016-12-28 at 01:43 +0100, John Fawcett wrote: On 12/28/2016 01:12 AM, Robert Moskowitz wrote: On 12/27/2016 07:06 PM, John Fawcett wrote: On 12/28/2016 12:34 AM, Robert Moskowitz wrote: On 12/27/2016 05:44 PM, John Fawcett wrote: That error should be caused by having MultiViews options but incorrect permissions (711 instead of 755) on the directory. I just did chmod -R 755 /home/rgm/public_html and no change in behavior. Even tried chmod -R 755 /home/rgm Are you actually using MultiViews? If you don't need that option, maybe the easiest thing is to take it out and see if the error message changes. I am using the default conf file for userdir. /etc/httpd/conf.d/userdir.conf So I deleted Multiviews and now the error is: [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138] (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't open directory for index: /home/rgm/public_html/family/ I know this is not going to help, but that error means that apache does not have access to read the directory /home/rgm/public_html/family/. That doesn't really fit with the rest of the evidence, that you have chmod 755 everything from /home/rgm/public_html downwards and that apache can read specific files from /home/rgm/public_html. John but is apache allowed access to /home/rgm ? Try su - apache -s /bin/bash to run a shell as apache and see how far you get starting from cd /home and if that works cd /home/rgm and so on... That will check normal user permissions, but not selinux Command apache not known! All I installed, directly, for the web server was 'yum install httpd'. ___ CentOS mailing list CentOS@centos.org https://lists.centos.org/mailman/listinfo/centos
[CentOS] GRE based attack?
My new Centos7 server that I am testing out is connected with a public address on my dmz. I am connected to the console port. Overnight the following message was logged to the console:

[44133.679108] conntrack: generic helper won't handle protocol 47. Please consider loading the specific helper module.

Protocol 47 is GRE. So was this 'just' a ping by an attacker? No one but me has any business on this server. Well other than the files I put up for people.

thanks
Re: [CentOS] Help with httpd userdir recovery
Robert,

On Wed, 2016-12-28 at 01:43 +0100, John Fawcett wrote:
> On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
> >
> > On 12/27/2016 07:06 PM, John Fawcett wrote:
> > > On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
> > > >
> > > > On 12/27/2016 05:44 PM, John Fawcett wrote:
> > > > > That error should be caused by having MultiViews options but
> > > > > incorrect permissions (711 instead of 755) on the directory.
> > > >
> > > > I just did chmod -R 755 /home/rgm/public_html and no change in
> > > > behavior.
> > > >
> > > > Even tried chmod -R 755 /home/rgm
> > >
> > > Are you actually using MultiViews? If you don't need that option,
> > > maybe the easiest thing is to take it out and see if the error
> > > message changes.
> >
> > I am using the default conf file for userdir.
> >
> > /etc/httpd/conf.d/userdir.conf
> >
> > So I deleted Multiviews and now the error is:
> >
> > [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
> > (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
> > open directory for index: /home/rgm/public_html/family/
> >
> I know this is not going to help, but that error means that apache does
> not have access to read the directory /home/rgm/public_html/family/.
> That doesn't really fit with the rest of the evidence, that you have
> chmod 755 everything from /home/rgm/public_html downwards and that
> apache can read specific files from /home/rgm/public_html.
> John

but is apache allowed access to /home/rgm ?
Try su - apache -s /bin/bash to run a shell as apache and see how far you get starting from cd /home and if that works cd /home/rgm and so on... That will check normal user permissions, but not selinux

/Louis
Re: [CentOS] nVidia K1200 on Centos
On 28/12/16 01:07, H wrote:
> Can anyone confirm that the above 4-port card is supported at its full
> resolution and capabilities under CentOS 6 and/or 7? The card has four
> DisplayPort 1.2 connectors, each capable of driving a 4K monitor.
>
> Thank you.

According to NVIDIA the card is supported by the latest NVIDIA proprietary driver:

ftp://download.nvidia.com/XFree86/Linux-x86_64/375.26/README/supportedchips.html

I believe support was added in the 346.xx series driver, so anything newer than that should support your card.

Hope that helps.
Re: [CentOS] Help with httpd userdir recovery
On 12/28/2016 04:16 AM, Robert Moskowitz wrote:
>
>
> On 12/27/2016 08:20 PM, John Fawcett wrote:
>> On 12/28/2016 01:43 AM, John Fawcett wrote:
>>> On 12/28/2016 01:12 AM, Robert Moskowitz wrote:
>>>> On 12/27/2016 07:06 PM, John Fawcett wrote:
>>>>> On 12/28/2016 12:34 AM, Robert Moskowitz wrote:
>>>>>> On 12/27/2016 05:44 PM, John Fawcett wrote:
>>>>>>> That error should be caused by having MultiViews options but
>>>>>>> incorrect
>>>>>>> permissions (711 instead of 755) on the directory.
>>>>>> I just did chmod -R 755 /home/rgm/public_html and no change in
>>>>>> behavior.
>>>>>>
>>>>>> Even tried chmod -R 755 /home/rgm
>>>>> Are you actually using MultiViews? If you don't need that option,
>>>>> maybe
>>>>> the easiest thing is to take it out and see if the error message
>>>>> changes.
>>>> I am using the default conf file for userdir.
>>>>
>>>> /etc/httpd/conf.d/userdir.conf
>>>>
>>>> So I deleted Multiviews and now the error is:
>>>>
>>>> [Tue Dec 27 19:09:31.013176 2016] [autoindex:error] [pid 2138]
>>>> (13)Permission denied: [client 192.168.160.12:55762] AH01275: Can't
>>>> open directory for index: /home/rgm/public_html/family/
>>> I know this is not going to help, but that error means that apache does
>>> not have access to read the directory /home/rgm/public_html/family/.
>>> That doesn't really fit with the rest of the evidence, that you have
>>> chmod 755 everything from /home/rgm/public_html downwards and that
>>> apache can read specific files from /home/rgm/public_html.
>>> John
>> Here is a small test program that you can use to check the permissions.
>>
>> You can compile it with:
>>
>> cc -o test test.c
>
> This is on Centos7-arm, so I will have to install all the build stuff,
> and hopefully won't take too long to compile
>
> Tomorrow most likely.
>
>>
>> then run it with:
>>
>> ./test apache /home/rgm/public_html/family/
>>
>> where apache is the name of the user that your web server runs under
>> (check it with ps -ef | grep http). You should run it as root (or from
>> sudo).
>>
>> John
>>
>> --test.c---
>>
>> #include <sys/types.h>
>> #include <dirent.h>
>> #include <errno.h>
>> #include <grp.h>
>> #include <pwd.h>
>> #include <stdio.h>
>> #include <stdlib.h>
>> #include <unistd.h>
>>
>> int
>> main(int argc, char *argv[])
>> {
>>     struct passwd pwd;
>>     struct passwd *result;
>>     char *buf;
>>     size_t bufsize;
>>     int s;
>>
>>     if (argc != 3) {
>>         fprintf(stderr, "Usage: %s username directory\n", argv[0]);
>>         exit(EXIT_FAILURE);
>>     }
>>
>>     bufsize = sysconf(_SC_GETPW_R_SIZE_MAX);
>>     if (bufsize == (size_t) -1)     /* Value was indeterminate */
>>         bufsize = 16384;            /* Should be more than enough */
>>
>>     buf = malloc(bufsize);
>>     if (buf == NULL) {
>>         perror("malloc");
>>         exit(EXIT_FAILURE);
>>     }
>>
>>     /* look up the target user; pwd is filled in, result points to it */
>>     s = getpwnam_r(argv[1], &pwd, buf, bufsize, &result);
>>     if (result == NULL) {
>>         if (s == 0)
>>             printf("Not found\n");
>>         else {
>>             errno = s;
>>             perror("getpwnam_r");
>>         }
>>         exit(EXIT_FAILURE);
>>     }
>>
>>     printf("Name: %s; UID: %ld GID: %ld\n", pwd.pw_gecos,
>>            (long) pwd.pw_uid, (long) pwd.pw_gid);
>>
>>     /* process is running as root, drop privileges */
>>
>>     if (getuid() == 0) {
>>         /* replace root's supplementary groups with the target user's,
>>            otherwise the check still runs with root's group memberships */
>>         if (initgroups(pwd.pw_name, pwd.pw_gid) != 0) {
>>             perror("initgroups: Unable to set supplementary groups");
>>             exit(EXIT_FAILURE);
>>         }
>>         if (setgid(pwd.pw_gid) != 0) {
>>             perror("setgid: Unable to drop group privileges");
>>             exit(EXIT_FAILURE);
>>         }
>>         if (setuid(pwd.pw_uid) != 0) {
>>             perror("setuid: Unable to drop user privileges");
>>             exit(EXIT_FAILURE);
>>         }
>>         printf("dropped privileges\n");
>>     } else {
>>         errno = ENOTSUP;
>>         perror("process is not running as root cannot change user");
>>         exit(EXIT_FAILURE);
>>     }
>>
>>     /* check privileges really dropped */
>>
>>     if (setuid(0) != -1) {
>>         errno = ENOTSUP;
>>         perror("ERROR: Managed to regain root privileges");
>>         exit(EXIT_FAILURE);
>>     }
>>
>>     /* open directory */
>>
>>     DIR *d;
>>     printf("Attempting to open directory %s\n", argv[2]);
>>     d = opendir(argv[2]);
>>     if (d == NULL) {
>>         perror("Error opening directory");
>>         exit(EXIT_FAILURE);
>>     } else {
>>         printf("Success opening directory %s\n", argv[2]);
>>     }
>>     exit(EXIT_SUCCESS);
>> }
>>
>

I'm not sure if it is worth installing a build system just for this unless you need it for other stuff. Maybe other lines of
Re: [CentOS] Help with httpd userdir recovery
On Wed, Dec 28, 2016 at 5:18 AM, Robert Moskowitz wrote:
>
> Which is why I wonder if there is some different config for the C7.3 version
> of apache.
>
> Or something with the C7-arm build...

Can you check for SELinux warnings/errors in /var/log/audit/audit.log?

Regards,