RHEL - SELinux access control errors - php

I have a problem with SELinux privileges with Docker. In Docker I run mailcow, but now I have a blank screen, and it looks like it might be a problem with privileges,
because the diagnostic says this:
SELinux is preventing /usr/local/bin/php from read access on the file /web/inc/init_db.inc.php.
Audit log:
type=AVC msg=audit(1676319004.771:1087): avc: denied { read } for pid=14555 comm="php-fpm" name="init_db.inc.php" dev="dm-0" ino=135058961 scontext=system_u:system_r:container_t:s0:c706,c972 tcontext=system_u:object_r:container_file_t:s0:c89,c575 tclass=file permissive=0
type=SYSCALL msg=audit(1676319004.771:1087): arch=c000003e syscall=2 success=no exit=-13 a0=7fffc4e15850 a1=8000 a2=0 a3=0 items=1 ppid=6637 pid=14555 auid=4294967295 uid=82 gid=82 euid=82 suid=82 fsuid=82 egid=82 sgid=82 fsgid=82 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/local/sbin/php-fpm" subj=system_u:system_r:container_t:s0:c706,c972 key=(null)
type=CWD msg=audit(1676319004.771:1087): cwd="/web"
type=PATH msg=audit(1676319004.771:1087): item=0 name="/web/inc/init_db.inc.php" inode=135058961 dev=fd:00 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:container_file_t:s0:c89,c575 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
How can I solve it?
This is what I tried:
ausearch -c 'php' --raw | audit2allow -M my-php
semodule -X 300 -i my-php.pp
and the results are:
compilation failed:
my-php.te:15:ERROR 'syntax error' at token 'mlsconstrain' on line 15:
# mlsconstrain file { ioctl read lock execute execute_no_trans } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
mlsconstrain file { write setattr append unlink link rename } ((h1 dom h2 -Fail-) or (t1 != mcs_constrained_type -Fail-) ); Constraint DENIED
/usr/bin/checkmodule: error(s) encountered while parsing configuration
[root#rhel ~]# semodule -X 300 -i my-php.pp
libsemanage.map_compressed_file: Unable to open my-php.pp
(No such file or directory).
libsemanage.semanage_direct_install_file: Unable to read file my-php.pp
(No such file or directory).
semodule: Failed on my-php.pp!

Related

Get New Relic running in docker container

I'm trying to get New Relic running in a docker container (FROM php:7.3-apache) to push up to Cloud Run.
I've followed this documentation
https://docs.newrelic.com/docs/agents/php-agent/advanced-installation/docker-other-container-environments-install-php-agent/
For "Install agent and daemon in the same container" and added
RUN \
    curl -L https://download.newrelic.com/php_agent/release/newrelic-php5-9.17.1.301-linux.tar.gz | tar -C /tmp -zx && \
    export NR_INSTALL_USE_CP_NOT_LN=1 && \
    export NR_INSTALL_SILENT=1 && \
    /tmp/newrelic-php5-*/newrelic-install install && \
    rm -rf /tmp/newrelic-php5-* /tmp/nrinstall* && \
    sed -i \
        -e 's/"REPLACE_WITH_REAL_KEY"/"NRAK-xxxxxxxxxxxxxxxxxxx"/' \
        -e 's/newrelic.appname = "PHP Application"/newrelic.appname = "My apps real name"/' \
        -e 's/;newrelic.daemon.app_connect_timeout =.*/newrelic.daemon.app_connect_timeout=15s/' \
        -e 's/;newrelic.daemon.start_timeout =.*/newrelic.daemon.start_timeout=5s/' \
        /usr/local/etc/php/conf.d/newrelic.ini
to my Dockerfile and switched the 3 variables to real values.
When I run ps inside the container it looks like it's running, but nothing is appearing in the New Relic dashboard.
When I cat out php_agent.log I get
2021-06-21 19:06:34.870 +0000 (1 1) info: attempt daemon connection via '#newrelic'
2021-06-21 19:06:34.871 +0000 (1 1) info: New Relic 9.17.1.301 ("xigua" - "6498785b65c7") [daemon='#newrelic' php='7.3.28' zts=no sapi='apache2handler' apache='2.4.38' mpm=prefork pid=1 ppid=0 uid=0 euid=0 gid=0 egid=0 backtrace=yes startup=agent os='Linux' rel='4.19.128-microsoft-standard' mach='x86_64' ver='#1 SMP Tue Jun 23 12' node='544d6a6fd26a']
2021-06-21 19:06:34.871 +0000 (1 1) warning: A global default license has not been set or has invalid format. Please add a 'newrelic.license' key in the global php.ini or in the newrelic.ini file, or ensure that a valid license is provided on a per-virtual host or per-directory basis.
When I cat out newrelic-daemon.log I get
2021/06/21 19:06:34.974122 (17) Info: New Relic daemon version 9.17.1.301-6498785b65c7 [listen="#newrelic" startup=agent pid=17 ppid=1 uid=0 euid=0 gid=0 egid=0 runtime="go1.9.7" GOMAXPROCS=24 GOOS=linux GOARCH=amd64]
2021/06/21 19:06:35.024983 (36) Info: New Relic daemon version 9.17.1.301-6498785b65c7 [listen="#newrelic" startup=agent pid=36 ppid=17 uid=0 euid=0 gid=0 egid=0 runtime="go1.9.7" GOMAXPROCS=24 GOOS=linux GOARCH=amd64]
2021/06/21 19:06:35.071290 (53) Info: New Relic daemon version 9.17.1.301-6498785b65c7 [listen="#newrelic" startup=agent pid=53 ppid=36 uid=0 euid=0 gid=0 egid=0 runtime="go1.9.7" GOMAXPROCS=24 GOOS=linux GOARCH=amd64]
2021/06/21 19:06:35.071516 (53) Info: collector configuration is &{CAFile: CAPath: Proxy:}
2021/06/21 19:06:35.071855 (53) Info: daemon listening on #newrelic
php --ini gives me
Configuration File (php.ini) Path: /usr/local/etc/php
Loaded Configuration File: (none)
Scan for additional .ini files in: /usr/local/etc/php/conf.d
Additional .ini files parsed: /usr/local/etc/php/conf.d/docker-php-ext-imap.ini,
/usr/local/etc/php/conf.d/docker-php-ext-mysqli.ini,
/usr/local/etc/php/conf.d/docker-php-ext-pdo_mysql.ini,
/usr/local/etc/php/conf.d/docker-php-ext-sodium.ini,
/usr/local/etc/php/conf.d/docker-php-ext-zip.ini,
/usr/local/etc/php/conf.d/newrelic.ini
When I cat /usr/local/etc/php/conf.d/newrelic.ini | grep "newrelic.license" I get my real correct key
; Setting: newrelic.license
newrelic.license = "NRAK-xxxxxxxxxxxxxxxxxxxxx"
What am I doing wrong or what step have I missed?
Your license key is wrong.
A global default license has not been set or has invalid format. Please add a 'newrelic.license' key in the global php.ini or in the newrelic.ini file, or ensure that a valid license is provided on a per-virtual host or per-directory basis.
It appears that you are putting in the user API_KEY: NRAK-xxxxxxxxxxxxxxxxxxxxx, but actually you have to put in your license key, found under Administration > API Keys > License Keys.
You might want to also actually enable the extension:
newrelic.enabled=1
... that setting does not have a default value of true: https://docs.newrelic.com/docs/apm/agents/php-agent/configuration/php-agent-configuration/#inivar-enabled

Symfony2, KnpSnappyBundle, Wkhtmltopdf and OVH shared hosting

I'm trying to generate PDFs with Symfony2, KnpSnappyBundle and Wkhtmltopdf on a shared OVH server.
I've put the wkhtmltopdf binary in the bin folder of Symfony.
In \app\config\parameters.yml:
wkhtmlto.binary: %kernel.root_dir%/../bin/wkhtmltopdf
In \app\config\config.yml:
knp_snappy:
    pdf:
        enabled: true
        binary: %wkhtmlto.binary%
        options: []
With chmod 604 on wkhtmltopdf, I get this message:
The exit status code '126' says something went wrong:
stderr: "sh: /home/procontakq/Configurateur/app/../bin/wkhtmltopdf:
Permission denied
"
stdout: ""
command: /home/procontakq/Configurateur/app/../bin/wkhtmltopdf --lowquality
'/tmp/knp_snappy59cbc7c736b541.46778125.html'
'/tmp/knp_snappy59cbc7c736c0f4.36952821.pdf'.
If I give the wkhtmltopdf binary 715 access rights, I get the following error message:
stderr: "sh: /home/procontakq/Configurateur/app/../bin/wkhtmltopdf: No such
file or directory
"
stdout: ""
command: /home/procontakq/Configurateur/app/../bin/wkhtmltopdf --lowquality
'/tmp/knp_snappy59cbc893b03971.22099815.html'
'/tmp/knp_snappy59cbc893b03c91.27932094.pdf'.

Selinux stoping PhantomJs with Permission Denied Laravel Application on Fedora

I'm using fireguard to create PDFs in my Laravel application, but on Fedora, if I execute the command setenforce 0, it runs just fine as expected. But if I turn SELinux on with setenforce 1, it gives me the message:
PhantomJS: sh: /var/www/html/.../vendor/bin/phantomjs: Permission
denied.
The audit.log gives me the message :
type=AVC msg=audit(1493867419.082:61578): avc: denied { execute }
for pid=15202 comm="sh" name="phantomjs" dev="xvda1" ino=279975
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
permissive=0
What should I do to allow phantomjs under SELinux without disabling SELinux entirely with setenforce 0?
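The two SELinux questions on this page (the mailcow/php-fpm question at the top and the PhantomJS question just above) quote AVC records that look alike but fail for different reasons, and the difference decides the remedy. As an added example, not code from any of the posts, the following script parses both records (copied from the page; every other name in it is mine) and tells the cases apart: the php-fpm denial is an MCS category mismatch between the container process (s0:c706,c972) and the file (s0:c89,c575), which is exactly why audit2allow emitted mlsconstrain lines that checkmodule refuses to compile, whereas the PhantomJS denial is an ordinary type-enforcement gap.

```python
"""Triage SELinux AVC denials: MCS category mismatch vs. type-enforcement gap.

Added example, not code from any post on this page. php-fpm runs in
container_t:s0:c706,c972 and the file is container_file_t:s0:c89,c575: the
process's MCS categories do not dominate the file's, a constraint no
audit2allow module can lift (hence the uncompilable 'mlsconstrain' lines in
my-php.te), so the file has to be relabelled with the container's categories.
httpd_t executing a file of type httpd_sys_rw_content_t is a plain missing
allow rule, best addressed by giving the file the type it should carry rather
than by loosening httpd_t.
"""
import re

# Constructed input: the two AVC lines quoted on this page, one line each.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1676319004.771:1087): avc: denied { read } for pid=14555 comm="php-fpm" '
    'name="init_db.inc.php" dev="dm-0" ino=135058961 '
    'scontext=system_u:system_r:container_t:s0:c706,c972 '
    'tcontext=system_u:object_r:container_file_t:s0:c89,c575 tclass=file permissive=0',
    'type=AVC msg=audit(1493867419.082:61578): avc: denied { execute } for pid=15202 comm="sh" '
    'name="phantomjs" dev="xvda1" ino=279975 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file permissive=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fmt_cats(cats):
    """Render a category set as 'c89,c575' (shorter numbers first)."""
    return ','.join(sorted(cats, key=lambda c: (len(c), c)))


def parse_context(ctx):
    """Split user:role:type:level into fields; MCS categories become a set of 'cNNN' tokens."""
    user, role, type_, *rest = ctx.split(':', 3)  # the level itself may contain ':'
    sens, _, cats = (rest[0] if rest else 's0').partition(':')
    # Ranges such as c0.c1023 are kept as one token rather than expanded.
    return {'user': user, 'role': role, 'type': type_, 'sensitivity': sens,
            'categories': set(cats.split(',')) if cats else set()}


def parse_avc(line):
    """Parse one audit line; returns None unless it is an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(KV_RE.findall(line))
    return {'perms': m.group('perms').split(),
            'comm': fields.get('comm', '').strip('"'),
            'name': fields.get('name', '').strip('"'),
            'tclass': m.group('tclass'),
            'source': parse_context(m.group('scontext')),
            'target': parse_context(m.group('tcontext'))}


def classify(avc):
    """Return (kind, explanation) for one parsed denial."""
    src, tgt = avc['source'], avc['target']
    # MCS rule: the process's category set must be a superset of the file's.
    # Docker/podman give each container a random category pair, so a volume
    # labelled for another container, or relabelled on the host, stays out of
    # reach even though type enforcement allows container_t -> container_file_t.
    if not tgt['categories'] <= src['categories']:
        return ('mcs_mismatch',
                f"{src['type']}:{fmt_cats(src['categories'])} does not dominate "
                f"{tgt['type']}:{fmt_cats(tgt['categories'])}; relabel the file with the "
                "process's categories (for a Docker volume, mount it with :z or :Z). "
                "audit2allow cannot express this and emits an uncompilable mlsconstrain line.")
    return ('type_denial',
            f"{src['type']} has no rule granting {{ {' '.join(avc['perms'])} }} on "
            f"{avc['tclass']} of type {tgt['type']}; check the label the path should carry "
            "(matchpathcon, restorecon -v) or a relevant boolean (getsebool -a) first.")


def triage(lines):
    """(comm, name, kind, explanation) for every AVC denial among `lines`."""
    out = []
    for line in lines:
        avc = parse_avc(line)
        if avc:
            out.append((avc['comm'], avc['name']) + classify(avc))
    return out


if __name__ == '__main__':
    for comm, name, kind, why in triage(SAMPLE_AVCS):
        print(f'{comm} -> {name}: {kind}\n    {why}')
```

Feed it the lines from ausearch -m avc --raw instead of the samples to triage a live system. For the mailcow case the cure is the label, not policy: the file must carry container_file_t with the categories of the container that reads it (Docker's :z/:Z volume options do this), which is also why the semodule step in the question never had a .pp to load. For the PhantomJS case the question to ask is what type a file under the web root that httpd must execute should have, rather than which rule to add.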

Permissions denied when starting apache through webmin/virtualmin

I am trying to start my Apache server through both webmin and putty, but I am getting the same error codes.
Apache was running perfectly fine before we did a restart of our VPS, now all the services started except for Apache.
We are running CentOS, the main error we are getting is posted below:
May 23 21:56:47 www.mydomain.com httpd[6234]: AH00526: Syntax error on line 373 of /etc/httpd/conf/httpd.conf:
May 23 21:56:47 www.mydomain.com httpd[6234]: Wrapper /home/mydomain/fcgi-bin/php5.fcgi cannot be accessed: (13)Permission denied
Line 373: FCGIWrapper /home/vps78446/fcgi-bin/php5.fcgi .php
Line 374: FCGIWrapper /home/vps78446/fcgi-bin/php5.fcgi .php5
I have tried editing the permissions, looking at the files called by php5.fcgi, and anything else I could find on the internet.
getent passwd returns:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
systemd-bus-proxy:x:997:994:systemd Bus Proxy:/:/sbin/nologin
systemd-network:x:996:993:systemd Network Management:/:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
dovecot:x:97:97:Dovecot IMAP server:/usr/libexec/dovecot:/sbin/nologin
dovenull:x:995:992:Dovecot's unauthorized user:/usr/libexec/dovecot:/sbin/nologin
mysql:x:27:27:MariaDB Server:/var/lib/mysql:/sbin/nologin
mailman:x:41:41:GNU Mailing List Manager:/usr/lib/mailman:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
named:x:25:25:Named:/var/named:/sbin/nologin
saslauth:x:994:76:Saslauthd user:/run/saslauthd:/sbin/nologin
clamupdate:x:993:991:Clamav database update user:/var/lib/clamav:/sbin/nologin
Kalgon:x:500:500::/home/Kalgon:/bin/sh
vitalitygaming:x:502:502:Main Site:/home/vitalitygaming:/bin/sh
vps78446:x:503:502:Main Site:/home/vps78446:/bin/sh
scgaminguser.vitalitygaming:x:506:502:SCGamingUser:/home/vitalitygaming/homes/scgaminguser:/bin/false
development.vitalitygaming:x:507:502:Development:/home/vitalitygaming/homes/development:/dev/null
dadenz.vitalitygaming:x:508:502:Dennis:/home/vitalitygaming/homes/dadenz:/dev/null
Can you give us the permissions for those files? Open a terminal, enter cd /home/vps78446/fcgi-bin/ then ls -la, and post the results.
edit:
Run the command below:
sudo chown -R www-data:www-data /home/vps78446/fcgi-bin
Try to run Apache after that.
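Both the wkhtmltopdf question earlier on this page and the FCGIWrapper question above come down to the same question: can the identity the web server runs as actually reach and execute the file? The wkhtmltopdf post shows two different symptoms for one path: with mode 604 the shell reports "Permission denied" and exit status 126 (no execute bit), while with mode 715 it reports "No such file or directory" although the file exists, which for an executable means the interpreter it needs (the '#!' program, or the ELF PT_INTERP loader) is missing. The Apache post's error is EACCES on a wrapper under another account's home directory, and its getent output lists httpd's own account as apache, uid 48. As an added example (not code from either post), the script below checks each of these on behalf of an arbitrary uid/gid, so an administrator can test as the service account without switching to it; the sample files it creates in a temporary directory are constructed, and the path and user names are mine.

```python
"""Explain why a service account cannot execute a file.

Added example, not code from any post on this page. It reproduces the wkhtmltopdf
failures (mode 604: EACCES, exit 126, no execute bit; mode 715: ENOENT although the
file exists, meaning the interpreter it needs, the '#!' program or the ELF
PT_INTERP loader, is missing) and the FCGIWrapper failure, where httpd running as
apache (uid 48 in the page's getent output) cannot reach a wrapper under another
user's home. uid/gid are parameters, so an administrator can test on behalf of the
service account. Sample files are constructed in a temporary directory.
"""
import os
import stat
import struct
import tempfile

X_BITS = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)


def _may_exec(st, uid, gids):
    """Plain owner/group/other mode check (ignores ACLs, capabilities and SELinux)."""
    if uid == 0:  # root bypasses DAC, except that exec of a file still needs some x bit
        return stat.S_ISDIR(st.st_mode) or bool(st.st_mode & 0o111)
    if st.st_uid == uid:
        return bool(st.st_mode & X_BITS[0])
    if st.st_gid in gids:
        return bool(st.st_mode & X_BITS[1])
    return bool(st.st_mode & X_BITS[2])


def interpreter_of(path):
    """Second file the kernel must open to run `path`: '#!' target or ELF PT_INTERP, else None."""
    with open(path, 'rb') as f:
        data = f.read()
    if data.startswith(b'#!'):
        words = data.split(b'\n', 1)[0][2:].split()
        return words[0].decode(errors='replace') if words else None
    if not data.startswith(b'\x7fELF'):
        return None
    endian = '<' if data[5] == 1 else '>'  # EI_DATA: 1 = little endian
    if data[4] == 2:  # EI_CLASS 2 = ELF64: e_phoff@32, e_phentsize@54, e_phnum@56
        (phoff,) = struct.unpack_from(endian + 'Q', data, 32)
        phentsize, phnum = struct.unpack_from(endian + 'HH', data, 54)
        fmt, off_i, size_i = endian + 'IIQQQQQQ', 2, 5  # p_type p_flags p_offset .. p_filesz
    else:             # ELF32: e_phoff@28, e_phentsize@42, e_phnum@44
        (phoff,) = struct.unpack_from(endian + 'I', data, 28)
        phentsize, phnum = struct.unpack_from(endian + 'HH', data, 42)
        fmt, off_i, size_i = endian + 'IIIIIIII', 1, 4  # p_type p_offset .. p_filesz
    for i in range(phnum):
        ph = struct.unpack_from(fmt, data, phoff + i * phentsize)
        if ph[0] == 3:  # PT_INTERP
            return data[ph[off_i]:ph[off_i] + ph[size_i]].rstrip(b'\0').decode(errors='replace')
    return None  # static executable: nothing else to open


def diagnose_exec(path, uid, gids):
    """Reasons `uid` (in groups `gids`) cannot exec `path`; an empty list means it can."""
    path, reasons, cur = os.path.abspath(path), [], os.sep
    for comp in path.strip(os.sep).split(os.sep)[:-1]:
        cur = os.path.join(cur, comp)  # every directory on the way needs search (x) permission
        try:
            st = os.stat(cur)
        except FileNotFoundError:
            return reasons + [f'{cur} does not exist: ENOENT']
        if not _may_exec(st, uid, gids):
            reasons.append(f'{cur} (mode {st.st_mode & 0o777:o}, uid {st.st_uid}) lacks search permission: EACCES')
    if not os.path.exists(path):
        return reasons + [f'{path} does not exist: ENOENT']
    st = os.stat(path)
    if not _may_exec(st, uid, gids):
        return reasons + [f'{path} (mode {st.st_mode & 0o777:o}) lacks execute permission: EACCES, sh exits 126']
    interp = interpreter_of(path)
    if interp is not None and not os.path.exists(interp):
        reasons.append(f"{path} exists but its interpreter {interp} does not: ENOENT, "
                       "sh reports 'No such file or directory' and exits 127")
    return reasons


def build_samples():
    """Constructed fixtures (not files from the page) reproducing its three failures."""
    bindir = os.path.join(tempfile.mkdtemp(prefix='exec-diag-'), 'bin')
    os.mkdir(bindir, 0o700)  # like a home directory only its owner may search
    spec = {  # name: (contents, mode)
        'wkhtmltopdf-604': ('#!/bin/sh\necho constructed\n', 0o604),  # no execute bit at all
        'wkhtmltopdf-715': ('#!/nonexistent/ld-linux.so\n', 0o715),   # executable, interpreter missing
        'php5.fcgi': ('#!/bin/sh\nexec /bin/true\n', 0o755),          # fine for its owner
    }
    paths = {}
    for name, (body, mode) in spec.items():
        paths[name] = os.path.join(bindir, name)
        with open(paths[name], 'w') as f:
            f.write(body)
        os.chmod(paths[name], mode)
    return paths


def demo():
    """Two checks as the caller, and the wrapper as uid/gid 48 (apache on CentOS)."""
    paths, me, mygids = build_samples(), os.getuid(), {os.getgid()}
    return {'wkhtmltopdf-604': diagnose_exec(paths['wkhtmltopdf-604'], me, mygids),
            'wkhtmltopdf-715': diagnose_exec(paths['wkhtmltopdf-715'], me, mygids),
            'php5.fcgi as apache': diagnose_exec(paths['php5.fcgi'], 48, {48})}
```

Call demo() to see the three cases, or diagnose_exec('/home/vps78446/fcgi-bin/php5.fcgi', 48, {48}) on the real host. The mode check is the classic one, so an empty list together with a real denial means the block comes from an ACL, a capability drop or SELinux, and the next place to look is the audit log, as in the two SELinux questions on this page.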

GAE app "Push-to-deploy" failed for wordpress git

I'm currently trying to set up a GAE push-to-deploy from my bitbucket wordpress repo.
It seems like all the needed steps for setting up Jenkins on GCE were done, but the build failed with OSError: [Errno 13] Permission denied: '/root/.config'
I think the shell command gcloud --project=projectjp01 preview app deploy . added to the build step caused the problem (it looks like the jenkins user cannot access the root folder or the log folder).
Could someone help me out in successfully accomplishing this push-to-deploy process for GAE?
Any help will be appreciated.
FYI, below are the console messages for the build process:
Started by user User Name
Building in workspace /opt/bitnami/apps/jenkins/jenkins_home/jobs/firstjenkins/workspace
/opt/bitnami/git/bin/git rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
/opt/bitnami/git/bin/git config remote.origin.url https://source.developers.google.com/p/projectjp01 # timeout=10
Fetching upstream changes from source.developers.google.com/p/projectname
/opt/bitnami/git/bin/git --version # timeout=10
using .gitcredentials to set credentials
/opt/bitnami/git/bin/git config --local credential.helper store --file=/opt/bitnami/apache-tomcat/temp/git2753293187622835876.credentials # timeout=10
/opt/bitnami/git/bin/git fetch --tags --progress +refs/heads/*:refs/remotes/origin/*
/opt/bitnami/git/bin/git config --local --remove-section credential # timeout=10
/opt/bitnami/git/bin/git rev-parse refs/remotes/origin/master^{commit} # timeout=10
/opt/bitnami/git/bin/git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10
Checking out Revision 2297db6db06f19198dd3097e8db6b72687e8d433 (refs/remotes/origin/master)
/opt/bitnami/git/bin/git config core.sparsecheckout # timeout=10
/opt/bitnami/git/bin/git checkout -f 2297db6db06f19198dd3097e8db6b72687e8d433
/opt/bitnami/git/bin/git rev-list 2297db6db06f19198dd3097e8db6b72687e8d433 # timeout=10
[workspace] $ /bin/sh -xe /opt/bitnami/apache-tomcat/temp/hudson1649832068994489242.sh
+ gcloud --project=projectname preview app deploy .
Traceback (most recent call last):
  File "/usr/local/bin/../share/google/google-cloud-sdk/./lib/googlecloudsdk/gcloud/gcloud.py", line 177, in
    _cli = CreateCLI()
  File "/usr/local/bin/../share/google/google-cloud-sdk/./lib/googlecloudsdk/gcloud/gcloud.py", line 175, in CreateCLI
    return loader.Generate()
  File "/usr/local/bin/../share/google/google-cloud-sdk/./lib/googlecloudsdk/calliope/cli.py", line 236, in Generate
    return self.__LoadCLIFromGroups()
  File "/usr/local/bin/../share/google/google-cloud-sdk/./lib/googlecloudsdk/calliope/cli.py", line 280, in __LoadCLIFromGroups
    cli = self.__MakeCLI(top_group)
  File "/usr/local/bin/../share/google/google-cloud-sdk/./lib/googlecloudsdk/calliope/cli.py", line 442, in __MakeCLI
    log.AddFileLogging(self.__logs_dir)
  File "/usr/local/bin/../share/google/google-cloud-sdk/./lib/googlecloudsdk/core/log.py", line 532, in AddFileLogging
    _log_manager.AddLogsDir(logs_dir=logs_dir)
  File "/usr/local/bin/../share/google/google-cloud-sdk/./lib/googlecloudsdk/core/log.py", line 316, in AddLogsDir
    log_file = self._SetupLogsDir(logs_dir)
  File "/usr/local/bin/../share/google/google-cloud-sdk/./lib/googlecloudsdk/core/log.py", line 393, in _SetupLogsDir
    os.makedirs(day_dir_path)
  File "/usr/lib/python2.7/os.py", line 150, in makedirs
    makedirs(head, mode)
  File "/usr/lib/python2.7/os.py", line 150, in makedirs
    makedirs(head, mode)
  File "/usr/lib/python2.7/os.py", line 150, in makedirs
    makedirs(head, mode)
  File "/usr/lib/python2.7/os.py", line 157, in makedirs
    mkdir(name, mode)
OSError: [Errno 13] Permission denied: '/root/.config'
Build step 'Execute shell' marked build as failure
Finished: FAILURE
I found it out myself. The whole problem comes from the permission settings.
gcloud should be run with sudo, but tomcat (Jenkins) is configured to disable sudo by default.
So I SSHed to the GCE server where Jenkins is running and opened (created) the file with:
sudo vi /etc/sudoers.d/tomcat
and then put in this line:
tomcat ALL=(ALL) NOPASSWD: ALL
That's it. I can build & deploy without problems now.
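The sudoers line in that answer grants the tomcat account every command, as every user, with no password, so whoever can add a build step to that Jenkins is root on the build host. A defender reviewing such hosts wants to find grants of that shape and scope them to the one command the job actually needs. As an added example (not part of the answer or of any project), the script below parses sudoers-style text the way sudoers reads user specifications (host list, optional run-as in parentheses, tags such as NOPASSWD that carry over to later commands in the same list) and reports each grant that is open in command, run-as user or password. The sample file is constructed; the gcloud path and the jenkins account in it are placeholders.

```python
"""Find blanket sudo grants in sudoers-style text.

Added example, not part of the answer above. 'tomcat ALL=(ALL) NOPASSWD: ALL'
lets the Jenkins service account run any command as any user without a
password. This parser reads user specifications the way sudoers does (host
list, optional runas in parentheses, tags that stick to later commands in the
list) and reports grants unrestricted in command, run-as user, or password.
The sample text is constructed; the gcloud path in it is a placeholder.
"""
import re

TAGS = {'NOPASSWD', 'PASSWD', 'NOEXEC', 'EXEC', 'SETENV', 'NOSETENV'}
SPEC_RE = re.compile(r'^(?P<user>[^\s=]+)\s+(?P<hosts>[^\s=]+)\s*=\s*'
                     r'(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$')

SAMPLE_SUDOERS = """\
# constructed sample, not a real host's file
Defaults:tomcat !requiretty
Cmnd_Alias DEPLOY = /usr/local/bin/gcloud
tomcat ALL=(ALL) NOPASSWD: ALL
jenkins ALL=(root) NOPASSWD: /usr/local/bin/gcloud, PASSWD: /usr/bin/systemctl restart myapp
%wheel ALL=(ALL) ALL
"""


def parse_user_spec(line):
    """Return the grants on one user-specification line, or [] for anything else."""
    line = line.split('#', 1)[0].strip()
    if not line or line.startswith('Defaults') or line.split()[0].endswith('_Alias'):
        return []
    m = SPEC_RE.match(line)
    if not m:
        return []
    # (user:group) in parentheses; with no parentheses sudoers runs the command as root.
    runas = (m.group('runas') or 'root').split(':')[0].strip() or 'root'
    grants, nopasswd = [], False
    for cmd in m.group('rest').split(','):
        cmd = cmd.strip()
        # A tag applies to the command it precedes and to every later command in the list.
        while ':' in cmd and cmd.split(':', 1)[0].strip().upper() in TAGS:
            tag, cmd = (part.strip() for part in cmd.split(':', 1))
            if tag.upper() == 'NOPASSWD':
                nopasswd = True
            elif tag.upper() == 'PASSWD':
                nopasswd = False
        grants.append({'user': m.group('user'), 'hosts': m.group('hosts'),
                       'runas': runas, 'command': cmd, 'nopasswd': nopasswd})
    return grants


def issues_for(grant):
    """Which of the three dimensions a grant leaves wide open."""
    issues = []
    if grant['command'] == 'ALL':
        issues.append('any command')
    if grant['runas'] == 'ALL':
        issues.append('as any user')
    if grant['nopasswd']:
        issues.append('without a password')
    return issues


def audit(text):
    """Grants with at least one issue, in file order, from the text of a sudoers file."""
    text = text.replace('\\\n', ' ')  # join backslash continuation lines
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for grant in parse_user_spec(line):
            issues = issues_for(grant)
            if issues:
                findings.append(dict(grant, line=lineno, issues=issues))
    return findings


if __name__ == '__main__':
    for f in audit(SAMPLE_SUDOERS):
        print(f"line {f['line']}: {f['user']} may run {f['command']!r} as {f['runas']}: "
              f"{', '.join(f['issues'])}")
```

Point audit() at the concatenated contents of /etc/sudoers and /etc/sudoers.d/* on a host to list what it finds. The jenkins line in the sample is the narrower shape of the same grant: one fixed command path, run as root only, and still flagged for NOPASSWD so the reviewer sees it and can decide whether that is acceptable for an unattended job.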
