我用過PHP執行命令發出lpr -P printer_name /var/www/html/somefile.pdf,但在 RHEL 系統更新(7.2 到 7.3)之後,selinux 決定開始封鎖這些要求。
傳送列印的檔案的 selinux 權限:
ls -lZ /var/www/html/somefile.pdf
-rw-r-----. apache webdev system_u:object_r:httpd_sys_rw_content_t:s0 /var/www/html/somefile.pdf
審計日誌中顯示以下內容,與cmdPHP 的上述內容相對應:
時間->2016年11月3日星期四 15:07:02
型別=PATH msg=audit(1478200022.446:5151): item=0 name="/etc/cups/lpoptions" inode=134317708 dev=fd:03 mode=0100644 ouid=system=u07 :object_r:cupsd_rw_etc_t:s0 objtype=正常
型態=CWD msg=審核(1478200022.446:5151): cwd="/var/www/html"
類型=SYSCALL msg=審核(1478200022.446:5151): arch=c000003e syscall=2 成功=是退出=5 a0=7fff26837c70 a1=0 a2=0 a3=9 專案=17496837c70 a1=0 a2=0 a3=9 專案=17494963494960 48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(無) ses=4294967295 comm="lpr" exe="/usr/bin/lpr.cups" subj=system_u :system_r:httpd_t:s0 key=(空)
類型=AVC msg=audit(1478200022.446:5151): avc:被拒絕{打開} for pid=46644 comm="lpr" path="/etc/cups/lpoptions" dev="dm-3" ino=134317088 scontext=8 scontext system_u :system_r:httpd_t:s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=文件
類型=AVC msg=audit(1478200022.446:5151): avc: 拒絕{讀取} for pid=46644 comm="lpr" name="lpoptions" dev="dm-3" ino=134317708 sconsystem=system_httpu : s0 tcontext=system_u:object_r:cupsd_rw_etc_t:s0 tclass=文件
這是目前的 selinux 配置:
# getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> on
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> on
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> on
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> off
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> on
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> on
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
是什麼導致了否認?
答案1
我最終安裝了一些額外的 seLinux 工具幫助解決問題:
yum install setroubleshoot setools
然後跑了
sealert -a /var/log/audit/audit.log
輸出建議進行以下修改:
ausearch -c 'lpr' --raw | audit2allow -M my-lpr
semodule -i my-lpr.pp
ausearch -c 'wkhtmltopdf-amd' --raw | audit2allow -M my-wkhtmltopdfamd
semodule -i my-wkhtmltopdfamd.pp
發出這些命令,現在我可以再次從我的 PHP 應用程式進行列印。