解决方法是setenforce 0,目前没有设置selinux权限的信息,如果有知道的请留言
我在fedora20上安装的squid,使用cachemgr.cgi的流程简写如下
修改squid配置
http_access allow localnet manager
http_access deny manager
cp /usr/lib64/squid/cachemgr.cgi /var/www/cgi-bin/
在/etc/httpd/conf/httpd.conf中添加
<Location /cgi-bin/cachemgr.cgi>
AuthType Basic
AuthName "Squidadmin"
AuthUserFile /var/www/cgi-bin/squid.pwd
require valid-user
</Location>
使用命令,密码文件位置不同,selinux会影响系统使用
#cd /var/www/cgi-bin/
#htpasswd -c squid.pwd squidadmin “创建密码文件 ”
New passwd:
Re-type new passwd:
Adding password for user squidadmin
#chown apache:apche squid.pwd “将认证口令文件的属主改为apache”
这是日志中报的错误
[root@localhost cgi-bin]# journalctl |grep "SELinux is preventing "
Jul 03 21:26:38 localhost.localdomain setroubleshoot[8651]: SELinux is preventing /var/www/cgi-bin/cachemgr.cgi from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l e9a50c4e-f2e2-458c-a596-d58dd2991d0a
Jul 03 21:26:38 localhost.localdomain python[8651]: SELinux is preventing /var/www/cgi-bin/cachemgr.cgi from name_connect access on the tcp_socket .
[root@localhost cgi-bin]# sealert -l e9a50c4e-f2e2-458c-a596-d58dd2991d0a
If you believe that cachemgr.cgi should be allowed name_connect access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cachemgr.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:httpd_squid_script_t:s0
Target Context system_u:object_r:http_port_t:s0
Target Objects [ tcp_socket ]
Source cachemgr.cgi
Source Path /var/www/cgi-bin/cachemgr.cgi
Port 80
Host localhost.localdomain
Source RPM Packages squid-3.3.12-2.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17
UTC 2013 x86_64 x86_64
Alert Count 7
First Seen 2014-07-03 20:39:27 CST
Last Seen 2014-07-03 21:26:34 CST
Local ID e9a50c4e-f2e2-458c-a596-d58dd2991d0a
Raw Audit Messages
type=AVC msg=audit(1404393994.603:392): avc: denied { name_connect } for pid=8649 comm="cachemgr.cgi" dest=80 scontext=system_u:system_r:httpd_squid_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1404393994.603:392): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7fe3a8ff5760 a2=10 a3=7fff1deff060 items=0 ppid=8546 pid=8649 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=cachemgr.cgi exe=/usr/lib64/squid/cachemgr.cgi subj=system_u:system_r:httpd_squid_script_t:s0 key=(null)
Hash: cachemgr.cgi,httpd_squid_script_t,http_port_t,tcp_socket,name_connect
[root@localhost cgi-bin]#
我在fedora20上安装的squid,使用cachemgr.cgi的流程简写如下
修改squid配置
http_access allow localnet manager
http_access deny manager
cp /usr/lib64/squid/cachemgr.cgi /var/www/cgi-bin/
在/etc/httpd/conf/httpd.conf中添加
<Location /cgi-bin/cachemgr.cgi>
AuthType Basic
AuthName "Squidadmin"
AuthUserFile /var/www/cgi-bin/squid.pwd
require valid-user
</Location>
使用命令,密码文件位置不同,selinux会影响系统使用
#cd /var/www/cgi-bin/
#htpasswd -c squid.pwd squidadmin “创建密码文件 ”
New passwd:
Re-type new passwd:
Adding password for user squidadmin
#chown apache:apche squid.pwd “将认证口令文件的属主改为apache”
这是日志中报的错误
[root@localhost cgi-bin]# journalctl |grep "SELinux is preventing "
Jul 03 21:26:38 localhost.localdomain setroubleshoot[8651]: SELinux is preventing /var/www/cgi-bin/cachemgr.cgi from name_connect access on the tcp_socket . For complete SELinux messages. run sealert -l e9a50c4e-f2e2-458c-a596-d58dd2991d0a
Jul 03 21:26:38 localhost.localdomain python[8651]: SELinux is preventing /var/www/cgi-bin/cachemgr.cgi from name_connect access on the tcp_socket .
[root@localhost cgi-bin]# sealert -l e9a50c4e-f2e2-458c-a596-d58dd2991d0a
If you believe that cachemgr.cgi should be allowed name_connect access on the tcp_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep cachemgr.cgi /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context system_u:system_r:httpd_squid_script_t:s0
Target Context system_u:object_r:http_port_t:s0
Target Objects [ tcp_socket ]
Source cachemgr.cgi
Source Path /var/www/cgi-bin/cachemgr.cgi
Port 80
Host localhost.localdomain
Source RPM Packages squid-3.3.12-2.fc20.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.12.1-106.fc20.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
3.11.10-301.fc20.x86_64 #1 SMP Thu Dec 5 14:01:17
UTC 2013 x86_64 x86_64
Alert Count 7
First Seen 2014-07-03 20:39:27 CST
Last Seen 2014-07-03 21:26:34 CST
Local ID e9a50c4e-f2e2-458c-a596-d58dd2991d0a
Raw Audit Messages
type=AVC msg=audit(1404393994.603:392): avc: denied { name_connect } for pid=8649 comm="cachemgr.cgi" dest=80 scontext=system_u:system_r:httpd_squid_script_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1404393994.603:392): arch=x86_64 syscall=connect success=no exit=EACCES a0=3 a1=7fe3a8ff5760 a2=10 a3=7fff1deff060 items=0 ppid=8546 pid=8649 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm=cachemgr.cgi exe=/usr/lib64/squid/cachemgr.cgi subj=system_u:system_r:httpd_squid_script_t:s0 key=(null)
Hash: cachemgr.cgi,httpd_squid_script_t,http_port_t,tcp_socket,name_connect
[root@localhost cgi-bin]#
