0

Selinux blocks the crontab command from php [closed]

asked 2017-03-23 14:33:18 -0600

graywolf2

updated 2017-03-23 19:24:47 -0600

We have Fedora 25 and Apache on our server. I want the PHP script on our web site to be able to change crontab settings.

I created the following test php script:

<?php
system("echo '*/2 * * * * date > /var/www/logs/testlog.txt' | crontab - 2>&1");

But it did not work. I got the message: /var/spool/cron/#tmp.mh203-95.XXXXG0KrFF: Permission denied

I looked at output of sealert -a /var/log/audit/audit.log and found: SELinux is preventing crontab from write access on the directory /var/spool/cron.

Okay. It sounds like Apache is not allowed write access to /var/spool/cron because that directory does not have the httpd_sys_rw_content_t label. So I executed the command: chcon -v -R -t httpd_sys_rw_content_t /var/spool/cron

My PHP script began to work. The crontab -l command gave normal output. But a new problem appeared. :( The cron tasks were not executed.

In the /var/log/cron I saw the error:

Mar 23 18:05:01 mh203-95 crond[1653]: (apache) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=system_u:object_r:httpd_sys_rw_content_t:s0 (/var/spool/cron/apache)
Mar 23 18:05:01 mh203-95 crond[1653]: (apache) FAILED (loading cron table)

After a lot of research... I found that /var/spool/cron must have the user_cron_spool_t label. So I executed: chcon -v -R -t user_cron_spool_t /var/spool/cron.

The cron tasks began to work. But my PHP script did not work again. The same problem as at the beginning.

sealert suggested commands like:

ausearch -c 'crontab' --raw | audit2allow -M my-crontab
semodule -X 300 -i my-crontab.pp

But it did not help.

What am I missing? How do I solve the problem? Can I somehow combine the two labels user_cron_spool_t and httpd_sys_rw_content_t for the /var/spool/cron directory?


Closed for the following reason the question is answered, right answer was accepted by graywolf2
close date 2017-03-23 19:16:59.936759

2 Answers

1

answered 2017-03-23 19:13:48 -0600

graywolf2

I have solved the problem.

The reason was this: sealert generates the same policy module name my-crontab in all of its suggested commands, so each new policy overwrote the old one.
You just need to change this name slightly each time.

So I executed:

ausearch -c 'crontab' --raw | audit2allow -M my-crontab
semodule -X 300 -i my-crontab.pp

ausearch -c 'crontab' --raw | audit2allow -M my-crontab2
semodule -X 300 -i my-crontab2.pp

ausearch -c 'crontab' --raw | audit2allow -M my-crontab3
semodule -X 300 -i my-crontab3.pp
...

Before every ausearch ... I executed:

echo -n "" > /var/log/audit/audit.log
(my PHP script)
sealert -a /var/log/audit/audit.log

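An added example (not from the question or either answer) that shows what each audit2allow round above would actually grant before `semodule -i` is run: it parses the AVC records from audit.log, merges the denied permissions per source type, target type and object class, and prints the equivalent allow rules. The audit records, PIDs and contexts below are constructed; real ones come from `ausearch -c 'crontab' --raw`.

```python
import re
from collections import defaultdict

# Constructed sample of what `ausearch -c 'crontab' --raw` might return after
# the PHP script runs; the pid, inode and contexts are made up for illustration.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1490310301.123:456): avc:  denied  { write } for  pid=2107 comm="crontab" name="cron" dev="dm-0" ino=1311 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1490310301.123:456): arch=c000003e syscall=2 success=no exit=-13 comm="crontab" exe="/usr/bin/crontab"
type=AVC msg=audit(1490310302.456:457): avc:  denied  { add_name } for  pid=2107 comm="crontab" name="#tmp.mh203-95.XXXXG0KrFF" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1490310302.789:458): avc:  denied  { create } for  pid=2107 comm="crontab" name="#tmp.mh203-95.XXXXG0KrFF" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_cron_spool_t:s0 tclass=file permissive=0
"""

# One AVC record per line: denied permissions, then source/target context and class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?'
    r'scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """user:role:type:level -> type, the part policy rules are keyed on."""
    return context.split(":")[2]

def collect_denials(audit_text):
    """Merge every AVC denial into {(source type, target type, class): {perms}}."""
    rules = defaultdict(set)
    for line in audit_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL/PATH records carry no denial of their own
        key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def allow_rules(rules):
    """Render the merged denials as the allow lines a policy module would carry."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(rules.items())
    ]

if __name__ == "__main__":
    # Review these before installing a module: each line widens what httpd_t may do.
    for rule in allow_rules(collect_denials(SAMPLE_AUDIT)):
        print(rule)
```

Feeding all rounds of denials into one module this way avoids the name collision described in the answer, and the printed rules make it plain that the grant gives the web server's domain write access to every file labelled user_cron_spool_t, not just Apache's own crontab.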
0

answered 2017-03-23 19:05:40 -0600

sixpack13

maybe this

https://fedoraproject.org/wiki/SELinux/apache

and/or

dnf install setroubleshoot

might help



Stats

Asked: 2017-03-23 14:33:18 -0600

Seen: 248 times

Last updated: Mar 23 '17