Tell SELinux to let Apache execute PHP files outside the document root

I have a directory holding shared PHP scripts (the name is arbitrary, but it is not under /var/, /usr/, or anywhere else SELinux has specific settings for):
/whatever/scripts/

These scripts can be executed by cron jobs, and also by Apache or Tomcat so that their output can be included in web pages.

SELinux denies permission:

type=AVC msg=audit(1363205612.276:476923): avc:  denied  { execute } for  pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1363205612.276:476923): arch=c000003e syscall=59 success=no exit=-13 a0=2431d10 a1=2431d70 a2=24301e0 a3=50 items=0 ppid=23100 pid=6855 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1363205612.277:476924): avc:  denied  { execute } for  pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file

type=SYSCALL msg=audit(1363205612.277:476924): arch=c000003e syscall=21 success=no exit=-13 a0=2431d10 a1=1 a2=0 a3=50 items=0 ppid=23100 pid=6855 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" subj=system_u:system_r:httpd_t:s0 key=(null)

I know there is a command I can use to tell SELinux to allow this, but that command is hard for me to understand.

Even making the directory and the scripts owned by user and group apache does not help, so it is not a classic permissions problem but something SELinux-specific.

The system is CentOS 6.3.

I found the solution with these two commands:

semanage fcontext -a -t httpd_sys_script_exec_t '/whatever/scripts(/.*)?'

restorecon -R -v /whatever/scripts/

This lets Apache execute the PHP scripts in that directory, and the labelling survives reboots and system-wide relabels.
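As an added example (not part of the original post or of any SELinux tooling), the shell script below reads an AVC denial line like the ones above, pulls out the source type, the denied permission and the target type so the mismatch is visible (httpd_t is denied execute on a file labelled etc_runtime_t), builds the file-context pattern that semanage expects from a directory path, and wraps the two-command fix in a function. It assumes a CentOS 6-era host with semanage (policycoreutils-python) and restorecon available; the path /whatever/scripts is the placeholder from the question, and the sample denial line is a constructed copy of the first AVC record shown above.

```shell
#!/bin/sh
# Added example: helper functions for reading an SELinux AVC denial and
# applying the persistent httpd_sys_script_exec_t label to a script tree.
# Assumes semanage/restorecon exist when label_script_dir is called.

# Constructed sample input: the first AVC record from the question.
SAMPLE_AVC='type=AVC msg=audit(1363205612.276:476923): avc:  denied  { execute } for  pid=6855 comm="sh" name="script.php" dev=sda3 ino=4325828 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:etc_runtime_t:s0 tclass=file'

# Build the regex semanage fcontext needs to cover a directory and everything
# beneath it. Trailing slashes are stripped so "/x/y/" and "/x/y" give the
# same rule, which matters because semanage stores the pattern verbatim.
fcontext_pattern() {
    dir=$(printf '%s' "$1" | sed 's#/*$##')
    printf '%s(/.*)?' "$dir"
}

# Extract one key=value field (e.g. tcontext) from an audit line.
# The leading whitespace match keeps "scontext" from matching inside "tcontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# Third colon-separated component of a context is the SELinux type.
context_type() {
    printf '%s' "$1" | cut -d: -f3
}

# Summarise a denial as "<source type> <permission> <target type>".
# For the sample this yields: httpd_t execute etc_runtime_t
diagnose_avc() {
    line=$1
    perm=$(printf '%s\n' "$line" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([a-z_]*\)[[:space:]]*}.*/\1/p')
    src=$(context_type "$(avc_field "$line" scontext)")
    tgt=$(context_type "$(avc_field "$line" tcontext)")
    printf '%s %s %s\n' "$src" "$perm" "$tgt"
}

# The persistent fix from the answer: record the rule in the policy store,
# then relabel the tree so the files pick it up now rather than at next relabel.
label_script_dir() {
    dir=$1
    command -v semanage >/dev/null 2>&1 || {
        echo "semanage not found; on CentOS 6 install policycoreutils-python" >&2
        return 1
    }
    semanage fcontext -a -t httpd_sys_script_exec_t "$(fcontext_pattern "$dir")" || return 1
    restorecon -R -v "$dir"
}

# Demonstration on the constructed sample; no system changes are made here.
echo "denial: $(diagnose_avc "$SAMPLE_AVC")"
echo "fcontext pattern: $(fcontext_pattern /whatever/scripts/)"
# To apply on a real host: label_script_dir /whatever/scripts
```

After running label_script_dir, ls -Z on a script in the tree should show httpd_sys_script_exec_t instead of etc_runtime_t, and semanage fcontext -l | grep scripts shows the stored rule that restorecon will reapply after a relabel.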