SELinux blocks the crontab command from PHP [closed]
Our server runs Fedora 25 and Apache. I want the PHP script on our web site to be able to change crontab settings.
I created the following test php script:
<?php
system("echo '*/2 * * * * date > /var/www/logs/testlog.txt' | crontab - 2>&1");
But it did not work. I got the message: /var/spool/cron/#tmp.mh203-95.XXXXG0KrFF: Permission denied
I looked at output of sealert -a /var/log/audit/audit.log and found: SELinux is preventing crontab from write access on the directory /var/spool/cron.
Okay. It sounds like apache is not allowed write access to /var/spool/cron because that directory does not have the httpd_sys_rw_content_t label. So I executed the command: chcon -v -R -t httpd_sys_rw_content_t /var/spool/cron
My PHP script began to work. The crontab -l command gave normal output. But a new problem appeared. :( The cron tasks were not executed.
In the /var/log/cron I saw the error:
Mar 23 18:05:01 mh203-95 crond[1653]: (apache) Unauthorized SELinux context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 file_context=system_u:object_r:httpd_sys_rw_content_t:s0 (/var/spool/cron/apache)
Mar 23 18:05:01 mh203-95 crond[1653]: (apache) FAILED (loading cron table)
After a lot of research... I found that /var/spool/cron must have the user_cron_spool_t label. So I executed: chcon -v -R -t user_cron_spool_t /var/spool/cron.
The cron tasks began to work. But my PHP script stopped working again. The same problem as at the beginning.
sealert suggested commands like:
ausearch -c 'crontab' --raw | audit2allow -M my-crontab
semodule -X 300 -i my-crontab.pp
But it did not help.
What am I missing? How can I solve the problem? Can I somehow combine the two labels user_cron_spool_t and httpd_sys_rw_content_t for the /var/spool/cron directory?
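The crond rejection quoted in the question can be picked out of /var/log/cron mechanically. The following is an added example, not part of the original post: it parses "Unauthorized SELinux context" lines and reports crontab files whose type differs from user_cron_spool_t. The names `find_rejections`, `selinux_type` and `Rejection` are hypothetical, and the sample log is constructed from the lines in the post.

```python
import re
from typing import List, NamedTuple

# Type the question reports crond accepting on /var/spool/cron entries.
EXPECTED_TYPE = "user_cron_spool_t"

# Constructed sample: the crond lines from the post plus one unrelated line.
SAMPLE_LOG = (
    "Mar 23 18:05:01 mh203-95 crond[1653]: (apache) Unauthorized SELinux "
    "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 "
    "file_context=system_u:object_r:httpd_sys_rw_content_t:s0 (/var/spool/cron/apache)\n"
    "Mar 23 18:05:01 mh203-95 crond[1653]: (apache) FAILED (loading cron table)\n"
    "Mar 23 18:06:01 mh203-95 CROND[1701]: (root) CMD (run-parts /etc/cron.hourly)\n"
)

LINE_RE = re.compile(
    r"\((?P<user>[^)]+)\) Unauthorized SELinux "
    r"context=(?P<ctx>\S+) file_?context=(?P<fctx>\S+) \((?P<path>[^)]+)\)"
)

class Rejection(NamedTuple):
    user: str
    path: str
    process_type: str
    file_type: str
    relabeled: bool  # True when file_type is not EXPECTED_TYPE

def selinux_type(context: str) -> str:
    # A context is user:role:type:level, and the level may itself contain ':'
    # (s0-s0:c0.c1023), so split at most three times and take the third field.
    parts = context.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"not an SELinux context: {context!r}")
    return parts[2]

def find_rejections(log_text: str) -> List[Rejection]:
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a context-rejection line
        ftype = selinux_type(m["fctx"])
        found.append(Rejection(m["user"], m["path"], selinux_type(m["ctx"]),
                               ftype, ftype != EXPECTED_TYPE))
    return found

if __name__ == "__main__":
    for r in find_rejections(SAMPLE_LOG):
        state = "relabeled" if r.relabeled else "expected type"
        print(f"{r.user}: {r.path} is {r.file_type} ({state}), crond runs as {r.process_type}")
```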