Mono crashes when SELinux is enforcing; how do I make the mono server work while SELinux is enforcing?

This is what happens when SELinux is enforcing:

    [root@shadmin ~]# elinks --dump 127.0.0.1/ASP-Portal/index.aspx
    Service Temporarily Unavailable
    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
    --------------------------------------------------------------------------
    Apache/2.2.15 (Red Hat) Server at 127.0.0.1 Port 80

    [root@shadmin ~]# tail /var/log/httpd/error_log
    [Tue Aug 09 17:27:00 2016] [notice] caught SIGTERM, shutting down
    [Tue Aug 09 17:27:00 2016] [alert] (13)Permission denied: Failed to acquire dashboard lock before destroying the dashboard
    [Tue Aug 09 17:27:00 2016] [alert] (13)Permission denied: Failed to acquire dashboard lock before destroying the dashboard
    [Tue Aug 09 17:27:00 2016] [alert] (13)Permission denied: Failed to acquire dashboard lock before destroying the dashboard
    [Tue Aug 09 17:27:01 2016] [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
    [Tue Aug 09 17:27:01 2016] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Tue Aug 09 17:27:01 2016] [notice] Digest: generating secret for digest authentication ...
    [Tue Aug 09 17:27:01 2016] [notice] Digest: done
    [Tue Aug 09 17:27:01 2016] [notice] Apache/2.2.15 (Unix) DAV/2 mod_mono/2.10 configured -- resuming normal operations
    [Tue Aug 09 17:27:38 2016] [error] Failed to connect to mod-mono-server after several attempts to spawn the process.

    [root@shadmin ~]# tail /var/log/messages
    Aug 9 17:27:02 shadmin abrtd: Corrupted or bad crash /var/spool/abrt/ccpp-1470743821-2987 (res:4), deleting
    Aug 9 17:27:32 shadmin kernel: mono[3006]: segfault at 0 ip 081035fd sp bfb49470 error 6 in mono[8048000+29d000]
    Aug 9 17:27:32 shadmin abrt[3007]: saved core dump of pid 3006 (/opt/mono/bin/mono) to /var/spool/abrt/ccpp-1470743852-3006.new/coredump (495616 bytes)
    Aug 9 17:27:32 shadmin abrtd: Directory 'ccpp-1470743852-3006' creation detected
    Aug 9 17:27:32 shadmin abrtd: Executable '/opt/mono/bin/mono' doesn't belong to any package
    Aug 9 17:27:32 shadmin abrtd: Corrupted or bad crash /var/spool/abrt/ccpp-1470743852-3006 (res:4), deleting
    Aug 9 17:27:34 shadmin kernel: mono[3009]: segfault at 0 ip 081035fd sp bfc46580 error 6 in mono[8048000+29d000]
    Aug 9 17:27:34 shadmin abrt[3010]: not dumping repeating crash in '/opt/mono/bin/mono'
    Aug 9 17:27:36 shadmin kernel: mono[3012]: segfault at 0 ip 081035fd sp bfe50c60 error 6 in mono[8048000+29d000]
    Aug 9 17:27:36 shadmin abrt[3013]: not dumping repeating crash in '/opt/mono/bin/mono'

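Take a look at my httpd.conf (I have commented out a few lines that may be needed later).
I followed: 1) Manual Mod_Mono configuration
2) For troubleshooting: 503 Service Temporarily Unavailable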

    # httpd.conf :
    ServerTokens OS
    ServerRoot "/etc/httpd"
    PidFile run/httpd.pid
    Timeout 60
    KeepAlive Off
    MaxKeepAliveRequests 100
    KeepAliveTimeout 2
    Listen 80

    LoadModule auth_basic_module modules/mod_auth_basic.so
    LoadModule auth_digest_module modules/mod_auth_digest.so
    LoadModule authn_file_module modules/mod_authn_file.so
    LoadModule authn_alias_module modules/mod_authn_alias.so
    LoadModule authn_anon_module modules/mod_authn_anon.so
    LoadModule authn_dbm_module modules/mod_authn_dbm.so
    LoadModule authn_default_module modules/mod_authn_default.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule authz_owner_module modules/mod_authz_owner.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
    LoadModule authz_dbm_module modules/mod_authz_dbm.so
    LoadModule authz_default_module modules/mod_authz_default.so
    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
    LoadModule include_module modules/mod_include.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule logio_module modules/mod_logio.so
    LoadModule env_module modules/mod_env.so
    LoadModule ext_filter_module modules/mod_ext_filter.so
    LoadModule mime_magic_module modules/mod_mime_magic.so
    LoadModule expires_module modules/mod_expires.so
    LoadModule deflate_module modules/mod_deflate.so
    LoadModule headers_module modules/mod_headers.so
    LoadModule usertrack_module modules/mod_usertrack.so
    LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule mime_module modules/mod_mime.so
    LoadModule dav_module modules/mod_dav.so
    LoadModule status_module modules/mod_status.so
    LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule info_module modules/mod_info.so
    LoadModule dav_fs_module modules/mod_dav_fs.so
    LoadModule vhost_alias_module modules/mod_vhost_alias.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule actions_module modules/mod_actions.so
    LoadModule speling_module modules/mod_speling.so
    LoadModule userdir_module modules/mod_userdir.so
    LoadModule alias_module modules/mod_alias.so
    LoadModule substitute_module modules/mod_substitute.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule cache_module modules/mod_cache.so
    LoadModule suexec_module modules/mod_suexec.so
    LoadModule disk_cache_module modules/mod_disk_cache.so
    LoadModule cgi_module modules/mod_cgi.so
    LoadModule version_module modules/mod_version.so

    #Manual Load of Mono:
    LoadModule mono_module modules/mod_mono.so

    User apache
    Group apache

    #Note : mod_mono.conf is in /etc/httpd/conf.d/
    Include conf.d/*.conf

    ServerAdmin root@localhost
    UseCanonicalName Off
    DocumentRoot "/var/www/html"
    UserDir disabled
    HostnameLookups Off

    <VirtualHost 192.168.***.***:80>
        ## Note : ***.*** can be any random static IP I'm using
        ServerAdmin [email protected]
        DocumentRoot /var/www/html/
        ServerName shadmin.shahu.com
        ServerAlias *.shahu.com
        ErrorLog logs/shadmin.shahu.com-error_log
        CustomLog logs/shadmin.shahu.com-access_log common
        HostnameLookups off
        # Note : Used 'UseCanonicalName off' above but 'on' below (I think it acts differently for VirtualHost; Correct me if I'm wrong in this case)
        UseCanonicalName on

        # MonoPath default "/opt/mono/bin/mono"
        # MonoServerPath default "/opt/mono/bin/mod-mono-server2"
        MonoAutoApplication disabled
        AddHandler mono .aspx .ascx .asax .ashx .config .cs .asmx .axd
        Alias /ASP-Portal "/var/www/html/ASP-Portal"
        MonoApplications "/ASP-Portal:/var/www/html/ASP-Portal"
        <Location /ASP-Portal>
            # MonoSetServerAlias default
            SetHandler mono
        </Location>
        # <Directory /var/www/html/ASP-Portal>
        #     Options Indexes FollowSymLinks
        #     AllowOverride None
        #     Order allow,deny
        #     Allow from all
        # </Directory>
    </VirtualHost>

The .aspx page is accessible when SELinux is disabled. To allow the mono server while SELinux is enforcing, I followed the links below:

1) [SELinux policies for Mono (.NET) web applications]
www.brendanwhelan.net/2013/selinux-policies-for-mono-web-applications
Following the steps in the above link, I got:

    [root@shadmin /]# cat /var/log/messages | audit2allow
    #============= ifconfig_t ==============
    allow ifconfig_t self:capability sys_module;

Then, this:

    make /usr/share/selinux/devel/mod_mono.pp
    make: *** No rule to make target `/usr/share/selinux/devel/mod_mono.pp'. Stop.

2) Then I tried another [link to configure SELinux policies]
www.serverlab.ca/tutorials/linux/web-servers-linux/configuring-selinux-policies-for-apache-web-servers/
Following the above link, I got: (Note: I have stored the ASP.NET application in "/var/www/html/ASP-Portal")

    [root@shadmin /]# semanage fcontext -a -t http_sys_content_t "/var/www/html/ASP-Portal(/.*)?"
    libsepol.context_from_record: type http_sys_content_t is not defined (No such file or directory).
    libsepol.context_from_record: could not create context structure (Invalid argument).
    libsemanage.validate_handler: invalid context system_u:object_r:http_sys_content_t:s0 specified for /var/www/html/ASP-Portal(/.*)? [all files] (Invalid argument).
    libsemanage.dbase_llist_iterate: could not iterate over records (Invalid argument).
    /usr/sbin/semanage: Could not commit semanage transaction

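I also could not build the policy. I tried to keep this post short while still explaining everything I have done so far. How can I make SELinux run the mono server flawlessly? Any help?
PS: I'm using Redhat 6.1 on VirtualBox 5.1 on a Windows host.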

This is not a complete solution to the overall problem, but at least it gets past Error 503: Service Temporarily Unavailable.
Here is what I did:

    # setsebool httpd_execmem on
    # getsebool -a | grep httpd_execmem
    httpd_execmem --> on

To check the SELinux status:

    # sestatus
    SELinux status: enabled
    SELinuxfs mount: /selinux
    Current mode: enforcing
    Mode from config file: enforcing
    Policy version: 24
    Policy from config file: targeted

Now the mono server is running while SELinux is enforcing, but there is another error (Yikes!):

    # elinks --dump 127.0.0.1/ASP-Portal/index.aspx
    Failed to create shadow copy (CopyFile).
    Description: HTTP 500. Error processing request.
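
Added example, not part of the original posts: when auditd is running, AVC denials are written to /var/log/audit/audit.log rather than /var/log/messages, so this Python script groups the denials recorded for one source domain (here `httpd_t`, the context shown in the error_log above) and prints either a matching boolean or an audit2allow-style rule to review. The log records are constructed samples, the function names are hypothetical, and the boolean table holds only `httpd_execmem` from the answer above.

```python
import re
from collections import defaultdict

# Constructed sample records in auditd's AVC format (not taken from the posts).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1470743852.101:311): avc:  denied  { execmem } for  pid=3006 comm="mono" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1470743854.220:312): avc:  denied  { execmem } for  pid=3009 comm="mono" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1470744100.007:340): avc:  denied  { write } for  pid=3101 comm="mono" name="tmp" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1470744100.009:341): avc:  denied  { add_name } for  pid=3101 comm="mono" name="x.dll" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=dir
type=AVC msg=audit(1470744200.500:350): avc:  denied  { sys_module } for  pid=3200 comm="ifconfig" capability=16 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumption: only the boolean named on this page; extend from `getsebool -a` on the host.
BOOLEAN_FOR = {("httpd_t", "httpd_t", "process", "execmem"): "httpd_execmem"}

def se_type(context):
    return context.split(":")[2]  # user:role:type:level -> type

def summarize(log_text, source_type="httpd_t"):
    """Group denials for one source domain into (target type, class) -> set of perms."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or se_type(m["scon"]) != source_type:
            continue
        key = (se_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)

def advise(denials, source_type="httpd_t"):
    """Prefer an existing boolean (-P persists it across reboots); else emit a rule for review."""
    out = []
    for (ttype, tclass), perms in sorted(denials.items()):
        for perm in sorted(perms):
            boolean = BOOLEAN_FOR.get((source_type, ttype, tclass, perm))
            if boolean:
                out.append(f"setsebool -P {boolean} on")
            else:
                tgt = "self" if ttype == source_type else ttype
                out.append(f"allow {source_type} {tgt}:{tclass} {perm};")
    return out
```

On a live host, pass the contents of /var/log/audit/audit.log to `summarize` instead of the sample; lines printed as `allow` rules are candidates to review before building a policy module.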