I'm using fireguard to create PDFs in my Laravel application. On Fedora, if I execute the command setenforce 0, it runs just fine as expected. But if I turn SELinux on with setenforce 1, it gives me the message:
PhantomJS: sh: /var/www/html/.../vendor/bin/phantomjs: Permission denied.
The audit.log gives me the message:
type=AVC msg=audit(1493867419.082:61578): avc: denied { execute }
for pid=15202 comm="sh" name="phantomjs" dev="xvda1" ino=279975
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
permissive=0
What should I do to allow phantomjs under SELinux without disabling SELinux entirely with setenforce 0?
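An added example, not part of the original question: a small parser that reads the AVC record quoted above (line-wrapped as posted) and reports which domain was denied which permission on which label. The WRITABLE_TYPES set and the function names are assumptions made for this illustration; only httpd_sys_rw_content_t is taken from the record itself.

```python
import re

# The AVC record quoted in the question, wrapped across lines as posted.
PAGE_RECORD = """type=AVC msg=audit(1493867419.082:61578): avc: denied { execute }
for pid=15202 comm="sh" name="phantomjs" dev="xvda1" ino=279975
scontext=system_u:system_r:httpd_t:s0
tcontext=unconfined_u:object_r:httpd_sys_rw_content_t:s0 tclass=file
permissive=0"""

AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)")
# Assumption for this example: labels treated as "writable by the web server".
# Only httpd_sys_rw_content_t comes from the page.
WRITABLE_TYPES = {"httpd_sys_rw_content_t"}


def parse_avc(record):
    """Parse one AVC record (possibly line-wrapped) into a dict, or None."""
    flat = " ".join(record.split())
    m = AVC_RE.search(flat)
    if m is None:
        return None
    fields = {"result": m.group(1), "perms": m.group(2).split()}
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
        fields[key] = value.strip('"')
    # A context is user:role:type:level; policy rules match on the type.
    for side in ("scontext", "tcontext"):
        parts = fields.get(side, "").split(":")
        fields[side + "_type"] = parts[2] if len(parts) >= 3 else None
    # permissive=0 means the denial was enforced, not just logged.
    fields["enforced"] = fields.get("permissive") == "0"
    return fields


def triage(fields):
    """Summarise the denial and flag execution of web-writable files."""
    summary = "{} denied {{{}}} on {} {!r} labelled {}".format(
        fields["scontext_type"], " ".join(fields["perms"]),
        fields.get("tclass"), fields.get("name"), fields["tcontext_type"])
    risky = ("execute" in fields["perms"]
             and fields["tcontext_type"] in WRITABLE_TYPES)
    if risky:
        summary += " (binary carries a web-writable label)"
    return summary, risky


if __name__ == "__main__":
    print(triage(parse_avc(PAGE_RECORD))[0])
```

Read this way, the record shows that the denial is about the label on the phantomjs file, not its Unix mode bits: httpd_t is refused execute on a file whose type marks it as content the web server may write. That points to changing the label on that one binary (semanage fcontext and restorecon are the usual tools) rather than switching enforcement off.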
Related
I am trying to scan uploaded files on a PHP server using ClamAV. I've installed ClamAV on my server (CentOS 7). Currently, I am using PHP 7, so I am using a clamd socket connection to scan uploaded files. I've enabled PHP sockets, and the clamd.sock file is present in the /var/run/clamd.scan/ folder with apache as owner.
My socket connection code:
$socket = socket_create(AF_UNIX, SOCK_STREAM, 0);
if (socket_connect($socket, '/var/run/clamd.scan/clamd.sock')) {
    return $socket;
}
When I try to run the above code in the browser I get the error socket_connect(): unable to connect [13]: Permission denied. But if I run the PHP code from the command line as root, it works fine.
I know there is some issue with the SELinux policy on CentOS, because if I disable the SELinux policy everything works fine from the browser as well. I have checked httpd_can_network_connect --> on and antivirus_can_scan_system --> on; both are on.
The issue is with the apache user accessing anything inside the /var/run/ folder; there is something (some policy) in SELinux which is stopping apache from connecting to the clamd socket file. Any ideas?
After debugging, I got to know that this is an SELinux policy issue.
You need to enable the daemons_enable_cluster_mode policy in SELinux.
To enable daemons_enable_cluster_mode:
setsebool -P daemons_enable_cluster_mode 1
This will allow executing ClamAV scan through another service like Apache in my case.
When I try to open my Laravel app I get the following error:
UnexpectedValueException
The stream or file "/laravel/storage/logs/laravel.log" could not be opened:
failed to open stream: Permission denied
Why is this and how can I fix it?
Write the following in the terminal, and ensure you are in the project's directory:
sudo chmod -R 777 storage/*
In FINDER, right-click on the STORAGE folder (inside ::your disk:: /Applications/XAMPP/xamppfiles/htdocs/laravel) and go to INFORMATION; go to the bottom, to SHARING AND PERMISSIONS, and there you must give READ AND WRITE permissions to EVERYONE. This option worked for me.
NOTE: my OS language is SPANISH, so the text may have some little variations; please excuse my English.
Maybe if you have installed CentOS you have to disable SELinux.
setenforce 0
It will work.
I have a simple script that outputs Permission denied warning in the browser:
rename('/opt/web/test.tmp', '/opt/web/test.tmp1');
Script path is /opt/web/test_rename.php
/opt/, /opt/web/ and /opt/web/test_rename.php are 777 and have apache as owner / group.
The httpd process owner is apache.
test.tmp is 777 and has apache as owner as well.
It works fine with cli.
What else could I do to make it work via apache?
The problem was with SELinux. It can block the PHP rename function.
I've found the answer here: http://forums.fedoraforum.org/archive/index.php/t-111081.html
On the Fedora Core 3 Linux distribution, you may get a "failed to open stream: Permission denied in ..." message. In fact changing the permission of the directory will not work (even if you set to 0777).
It is because of the new SELinux kernel that allows the apache user to write only in the /tmp dir (I think). In order to solve the problem you must disable SELinux (at least for the apache service) to allow the server to write in other directories. To do that, run the system-config-securitylevel app and disable SE for the apache service. Reboot your system and continue your work.
I am trying to start my Apache server through both webmin and putty, but I am getting the same error codes.
Apache was running perfectly fine before we did a restart of our VPS, now all the services started except for Apache.
We are running CentOS, the main error we are getting is posted below:
May 23 21:56:47 www.mydomain.com httpd[6234]: AH00526: Syntax error on line 373 of /etc/httpd/conf/httpd.conf:
May 23 21:56:47 www.mydomain.com httpd[6234]: Wrapper /home/mydomain/fcgi-bin/php5.fcgi cannot be accessed: (13)Permission denied
Line 373: FCGIWrapper /home/vps78446/fcgi-bin/php5.fcgi .php
Line 374: FCGIWrapper /home/vps78446/fcgi-bin/php5.fcgi .php5
I have tried editing the permissions, looking at the files called by php5.fcgi, and anything else I could find on the internet.
getent passwd returns:
Can you give us the permissions for those files?
Open a terminal, enter cd /home/vps78446/fcgi-bin/ then ls -la
Post the results.
Edit:
Run the command below:
sudo chown -R www-data:www-data /home/vps78446/fcgi-bin
Try to run Apache after that.
My Cassandra is working well in the CLI, and Thrift is also installed well. I have already started the Apache server and Cassandra, but when I try to execute a PHP file it is not executed in the browser. It shows the error:
TException: Error: TSocket: Could not connect to localhost:9160 (Permission denied [13])
and the 12th and 13th lines are:
$socket = new TSocket('localhost', 9160);
$transport = new TBufferedTransport($socket, 1024, 1024);
I gave 127.0.0.1 instead of localhost. Even then it is not working.
Can anyone please help me?
Hi everyone, I solved the problem.
SELinux is the cause of that problem.
TException: Error: TSocket: Could not connect to localhost:9160 (Permission denied [13])
To resolve it, you need to change an SELinux boolean value (which will automatically persist across reboots). You may also want to restart httpd to reset the proxy worker, although this isn't strictly required.
setsebool -P httpd_can_network_connect 1
http://wiki.apache.org/httpd/13PermissionDenied