SELinuxはPHPでpsコマンドを使用することはできません。

このコードを使用して、myserviceがPHPで実行されていることを確認します。 exec("ps -A | grep -i myservicename | grep -v grep 2>&1", $output);。 $outputは常に空です。しかし、実行すると素晴らしい動作しますsetenforce 0。したがって、SELinuxはhttpdがこのコマンドを実行するのを防ぎます。 audit2whyも私に次のメッセージを送信しました。

type=AVC msg=audit(1503739681.450:2905): avc:  denied  { search } for  pid=11273 comm="ps" name="11017" dev="proc" ino=97841 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir
    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

httpdが私のコマンドを実行できるようにSELinuxにどのように指示しますか？

修正する

結果audit2allow -aは次のとおりです。

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t NetworkManager_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t NetworkManager_t:dir getattr;
allow httpd_sys_script_t abrt_watch_log_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t abrt_watch_log_t:dir getattr;
allow httpd_sys_script_t auditd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t auditd_t:dir getattr;
allow httpd_sys_script_t crond_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t crond_t:dir getattr;
allow httpd_sys_script_t firewalld_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t firewalld_t:dir getattr;
allow httpd_sys_script_t fsdaemon_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t fsdaemon_t:dir getattr;
allow httpd_sys_script_t getty_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t getty_t:dir getattr;
allow httpd_sys_script_t httpd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t httpd_t:dir getattr;
allow httpd_sys_script_t init_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t init_t:dir getattr;
allow httpd_sys_script_t initrc_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t initrc_t:dir getattr;
allow httpd_sys_script_t irqbalance_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t irqbalance_t:dir getattr;
allow httpd_sys_script_t kernel_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t kernel_t:dir getattr;
allow httpd_sys_script_t lsmd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t lsmd_t:dir getattr;
allow httpd_sys_script_t lvm_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t lvm_t:dir getattr;
allow httpd_sys_script_t mysqld_safe_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t mysqld_safe_t:dir getattr;
allow httpd_sys_script_t mysqld_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t mysqld_t:dir getattr;
allow httpd_sys_script_t policykit_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t policykit_t:dir getattr;
allow httpd_sys_script_t postfix_master_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t postfix_master_t:dir getattr;
allow httpd_sys_script_t postfix_pickup_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t postfix_pickup_t:dir getattr;
allow httpd_sys_script_t postfix_qmgr_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t postfix_qmgr_t:dir getattr;
allow httpd_sys_script_t sshd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t sshd_t:dir getattr;
allow httpd_sys_script_t syslogd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t syslogd_t:dir getattr;
allow httpd_sys_script_t system_dbusd_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t system_dbusd_t:dir getattr;
allow httpd_sys_script_t systemd_logind_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t systemd_logind_t:dir getattr;
allow httpd_sys_script_t tuned_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t tuned_t:dir getattr;
allow httpd_sys_script_t udev_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t udev_t:dir getattr;
allow httpd_sys_script_t unconfined_service_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t unconfined_service_t:dir getattr;
allow httpd_sys_script_t unconfined_t:dir search;

#!!!! This avc is allowed in the current policy
allow httpd_sys_script_t unconfined_t:dir getattr;

#============= httpd_t ==============

#!!!! This avc is allowed in the current policy
allow httpd_t etc_runtime_t:sock_file write;

#!!!! This avc is allowed in the current policy
allow httpd_t mysqld_port_t:tcp_socket name_connect;

#!!!! This avc is allowed in the current policy
allow httpd_t self:rawip_socket create;

#============= mysqld_safe_t ==============

#!!!! This avc is allowed in the current policy
allow mysqld_safe_t var_lib_t:lnk_file read;

#============= mysqld_t ==============

#!!!! This avc is allowed in the current policy
allow mysqld_t etc_runtime_t:dir { add_name remove_name write };

#!!!! This avc is allowed in the current policy
allow mysqld_t etc_runtime_t:file { create rename unlink write };

#!!!! This avc is allowed in the current policy
allow mysqld_t etc_runtime_t:sock_file { create unlink };

#!!!! This avc is allowed in the current policy
allow mysqld_t var_lib_t:lnk_file { getattr read };

解決策

このコマンドで私の問題を解決しました。

semanage permissive -a httpd_sys_script_t

または

semanage permissive -a httpd_t

これで、httpdはどのコマンドでも実行できます。