doushou6480
doushou6480
2016-04-04 16:30
浏览 51
已采纳

SELinux阻止php的exec('kill pid')在日志中没有任何错误

I'm trying to get a process PID and kill it with this code:

<?php
error_reporting(E_ALL);
ini_set('display_errors', '1');

$_script_path = "/path/to/scriptname.php";

$cmd_find_process = "ps aux | grep '[p]hp -f ".$_script_path."'";

echo $cmd_find_process.PHP_EOL;
echo exec($cmd_find_process);
echo PHP_EOL.PHP_EOL;

$cmd = "kill $(".$cmd_find_process." | awk '{print $2}')";
echo $cmd;
echo exec($cmd);
?>

Initially I couldn't list processes, which I fixed by compiling a custom SELinux module, selinux-httpd-allow-ps-aux.te:

policy_module(myhttpd,1.0.0)

gen_require(`
    type httpd_t;
')

domain_read_all_domains_state(httpd_t);

I've already disabled dontaudit statements with:

semodule -DB

But I can't kill any process which I've previously started by the same user: apache. No errors logged in the /var/log/audit/audit.log file.

For a complete understanding, the PHP script which I'm trying to kill is executed with this command:

su -s /bin/sh apache -c php -f /path/to/scriptname.php

I know it's SELinux because turning off SELinux with

echo 0 > /selinux/enforce

will make it work.

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 邀请回答

1条回答 默认 最新

  • dongmu5246
    dongmu5246 2016-04-04 17:38
    已采纳

    Apparently I had to restart auditd for the errors to show up.

    service auditd restart
    

    This is the error:

    type=AVC msg=audit(1459790992.546:15889813): avc:  denied  { signal } for  pid=25478 comm="sh" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=process
        Was caused by:
            Missing type enforcement (TE) allow rule.
    
            You can use audit2allow to generate a loadable module to allow this access.
    

    I was able to solve the issue through the audit2allow tool. This is the generated custom module that fixed the issue.

    module selinux-httpd-allow-signal 1.0;
    
    require {
            type httpd_t;
            type initrc_t;
            class process signal;
    }
    
    #============= httpd_t ==============
    allow httpd_t initrc_t:process signal;
    
    点赞 评论

相关推荐