***** Plugin httpd_write_content (92.2 confidence) suggests ***************
If you want to allow httpd to have write access on the runtime directory
Then you need to change the label on 'runtime'
Do
# semanage fcontext -a -t httpd_sys_rw_content_t 'runtime'
# restorecon -v 'runtime'
***** Plugin catchall_boolean (7.83 confidence) suggests ******************
If you want to allow httpd to unified
Then you must tell SELinux about this by enabling the 'httpd_unified' boolean.
You can read 'None' man page for more details.
Do
setsebool -P httpd_unified 1
***** Plugin catchall (1.41 confidence) suggests **************************
If you believe that httpd should be allowed write access on the runtime directory by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'httpd' --raw | audit2allow -M my-httpd
# semodule -i my-httpd.pp
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context unconfined_u:object_r:httpd_sys_content_t:s0
Target Objects runtime [ dir ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages httpd-2.4.6-67.el7.centos.6.x86_64
Target RPM Packages
Policy RPM selinux-policy-3.13.1-166.el7_4.9.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name localhost.localdomain
Platform Linux localhost.localdomain
3.10.0-693.21.1.el7.x86_64 #1 SMP Wed Mar 7
19:03:37 UTC 2018 x86_64 x86_64
Alert Count 24
First Seen 2018-05-16 21:17:40 CST
Last Seen 2018-05-16 22:29:42 CST
Local ID a77cbfab-4419-4189-b7ba-aaee2c475742
Raw Audit Messages
type=AVC msg=audit(1526480982.863:513432): avc: denied { write } for pid=21178 comm="httpd" name="runtime" dev="dm-0" ino=145568 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=SYSCALL msg=audit(1526480982.863:513432): arch=x86_64 syscall=mkdir success=no exit=EACCES a0=55be039697b8 a1=1fd a2=8 a3=7fa61804b020 items=0 ppid=21173 pid=21178 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm=httpd exe=/usr/sbin/httpd subj=system_u:system_r:httpd_t:s0 key=(null)
Hash: httpd,httpd_t,httpd_sys_content_t,dir,write
1. Add your user (here, ec2-user) to the apache group.
[ec2-user ~]$ sudo usermod -a -G apache ec2-user
2. Log out and log back in to pick up the new group, then verify your membership.
To verify that you are a member of the apache group, reconnect to the instance and run the following command:
[ec2-user ~]$ groups
ec2-user adm wheel apache systemd-journal
3. Change the group ownership of /var/www and its contents to the apache group.
[ec2-user ~]$ sudo chown -R ec2-user:apache /var/www
4. To add group write permissions and set the group ID on future subdirectories, change the directory permissions of /var/www and its subdirectories.
[ec2-user ~]$ sudo chmod 2775 /var/www && find /var/www -type d -exec sudo chmod 2775 {} \;
5. To add group write permissions, recursively change the file permissions of /var/www and its subdirectories:
[ec2-user ~]$ find /var/www -type f -exec sudo chmod 0664 {} \;
Now ec2-user (and any future member of the apache group) can add, delete, and edit files in the Apache document root. You are ready to add content, such as a static website or a PHP application.
semanage fcontext -a -t httpd_sys_rw_content_t '/var/www/html/site/run/frontend/runtime' && restorecon -v '/var/www/html/site/run/frontend/runtime'
cat /etc/selinux/targeted/contexts/files/file_contexts.local
chcon -R -t httpd_sys_rw_content_t /var/www/html/
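As an added example (not from the page, sealert, or the AWS docs), the POSIX shell script below filters the raw AVC records for httpd_t write denials on httpd_sys_content_t and emits a persistent relabel scoped to the one runtime directory rather than all of /var/www/html/, using the '(/.*)?' suffix so that files created inside it keep the rw label after a later restorecon (a bare path matches only the directory itself, and chcon alone is reverted by the next restorecon). The audit lines are constructed from the report above; the runtime path and document root are the ones used in the commands above.

```shell
#!/bin/sh
# Constructed audit records modelled on the AVC in the report above. The second
# record is a denial on a home-directory file and must NOT lead to an rw relabel.
AUDIT_SAMPLE='type=AVC msg=audit(1526480982.863:513432): avc: denied { write } for pid=21178 comm="httpd" name="runtime" dev="dm-0" ino=145568 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1526480990.100:513440): avc: denied { getattr } for pid=21178 comm="httpd" name="x" dev="dm-0" ino=145570 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file'

# Print "perm tclass name" for each httpd_t denial against httpd_sys_content_t
# whose requested permission is a write-type one; everything else is ignored.
httpd_write_denials() {
  printf '%s\n' "$1" | awk '
    /^type=AVC/ && /scontext=[^ ]*:httpd_t:/ && /tcontext=[^ ]*:httpd_sys_content_t:/ {
      match($0, /[{] [^}]* [}]/); perms = substr($0, RSTART + 2, RLENGTH - 4)
      match($0, /name="[^"]*"/);  name  = substr($0, RSTART + 6, RLENGTH - 7)
      match($0, /tclass=[^ ]*/);  class = substr($0, RSTART + 7, RLENGTH - 7)
      n = split(perms, p, " ")
      for (i = 1; i <= n; i++)
        if (p[i] ~ /^(write|create|add_name|remove_name|setattr)$/) {
          print p[i], class, name; break
        }
    }'
}

# Persistent rule for exactly the directory httpd needs to write. The (/.*)?
# suffix covers files created inside it, so restorecon keeps them writable.
# chcon is a temporary label change and is undone by the next restorecon.
rw_relabel_cmds() {
  dir=${1%/}
  printf "semanage fcontext -a -t httpd_sys_rw_content_t '%s(/.*)?'\n" "$dir"
  printf "restorecon -Rv '%s'\n" "$dir"
}

# Guard: only relabel paths at or below the document root, so a typo cannot
# hand httpd write access to something like /etc. Usage: scoped_under ROOT DIR
scoped_under() {
  case "${2%/}/" in "${1%/}/"*) return 0 ;; *) return 1 ;; esac
}

DOCROOT=/var/www/html
RUNTIME=/var/www/html/site/run/frontend/runtime
httpd_write_denials "$AUDIT_SAMPLE"
scoped_under "$DOCROOT" "$RUNTIME" && rw_relabel_cmds "$RUNTIME"
```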
http://man.linuxde.net/semanage
https://abcdabcd987.com/stop-disabling-selinux/