-
Notifications
You must be signed in to change notification settings - Fork 4.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
'selinux' not supported in vagrant VM (Centos / Redhat 7.x) #6970
Comments
Is this solution possible within vagrant, or should I try to customize selinux. More specifically, try to define any mounted directory to the system context of Note: I've changed the document root for IRC #centos (02/03/16 ~ 2:15pm EST):
|
Perhaps the
Though, I'm not sure what to do with the above
Though, in this case, I'm not sure how I would need to change the Note: the above command was attained from Redhat 7 documentation on Mounting File Systems. |
We may be able to implement the vagrant IRC #centos (02/03/16 ~ 3:00pm EST):
IRC #centos (02/03/16 ~ 3:30pm EST):
|
We will try the following addition to our
|
We tested the following within our
However, it doesn't fix overall apache not rendering drupal webpage, if we remove
Upon $ vagrant reload
==> default: vagrant-r10k: Building the r10k module path with puppet provisioner module_path "puppet/environment/development/modules". (if module_path is an array, first element is used)
==> default: vagrant-r10k: Beginning r10k deploy of puppet modules into /path/to/drupal-demonstration/puppet/environment/development/modules using /path/to/drupal-demonstration/puppet/environment/development/Puppetfile
==> default: vagrant-r10k: Deploy finished
==> default: Attempting graceful shutdown of VM...
Text will be echoed in the clear. Please install the HighLine or Termios libraries to suppress echoed text.
[email protected]'s password:myVagrantUserPassword
default:
default: Inserting generated public key within guest...
default: Removing insecure key from the guest if it's present...
default: Key inserted! Disconnecting and reconnecting using new SSH key...
Text will be echoed in the clear. Please install the HighLine or Termios libraries to suppress echoed text.
[email protected]'s password:myVagrantUserPassword
==> default: Clearing any previously set forwarded ports...
==> default: vagrant-r10k: Building the r10k module path with puppet provisioner module_path "puppet/environment/development/modules". (if module_path is an array, first element is used)
==> default: vagrant-r10k: Beginning r10k deploy of puppet modules into /path/to/drupal-demonstration/puppet/environment/development/modules using /path/to/drupal-demonstration/puppet/environment/development/Puppetfile
==> default: vagrant-r10k: Deploy finished
==> default: Clearing any previously set network interfaces...
==> default: Preparing network interfaces based on configuration...
default: Adapter 1: nat
==> default: Forwarding ports...
default: 80 => 8333 (adapter 1)
default: 443 => 8334 (adapter 1)
default: 22 => 2222 (adapter 1)
==> default: Booting VM...
==> default: Waiting for machine to boot. This may take a few minutes...
default: SSH address: 127.0.0.1:2222
default: SSH username: vagrant
default: SSH auth method: password
default: Warning: Connection timeout. Retrying...
default: Warning: Remote connection disconnect. Retrying...
Text will be echoed in the clear. Please install the HighLine or Termios libraries to suppress echoed text.
[email protected]'s password:
default: Warning: Connection timeout. Retrying...
Text will be echoed in the clear. Please install the HighLine or Termios libraries to suppress echoed text.
[email protected]'s password:myVagrantUserPassword
==> default: Machine booted and ready!
GuestAdditions 5.0.12 running --- OK.
==> default: Checking for guest additions in VM...
==> default: Mounting shared folders...
default: /vagrant => /path/to/drupal-demonstration
default: /vagrant/webroot => /path/to/drupal-demonstration/webroot
Failed to mount folders in Linux guest. This is usually because
the "vboxsf" file system is not available. Please verify that
the guest additions are properly installed in the guest and
can work properly. The command attempted was:
mount -t vboxsf -o uid=`id -u vagrant`,gid=`getent group apache | cut -d: -f3`,dmode=755,fmode=664,context=system_u:object_r:httpd_sys_content_t:s0 vagrant_webroot /vagrant/webroot
mount -t vboxsf -o uid=`id -u vagrant`,gid=`id -g apache`,dmode=755,fmode=664,context=system_u:object_r:httpd_sys_content_t:s0 vagrant_webroot /vagrant/webroot
The error output from the last command was:
|
I checked to see if guest additions are properly installed: $ vagrant ssh
==> default: The machine you're attempting to SSH into is configured to use
==> default: password-based authentication. Vagrant can't script entering the
==> default: password for you. If you're prompted for a password, please enter
==> default: the same password you have configured in the Vagrantfile.
Enter passphrase for key '/path/to/.ssh/id_rsa':
[email protected]'s password:
Last login: Thu Feb 4 13:53:20 2016 from gateway
[vagrant@localhost ~]$ lsmod | grep -i vbox
vboxsf 39741 1
vboxvideo 12658 0
vboxguest 297222 2 vboxsf
drm 349210 2 vboxvideo
[vagrant@localhost ~]$ lsmod | grep -io vboxguest | xargs modinfo | grep -iw
version
version: 5.0.12 |
I forgot to mention (just fixed the main issue body), that I have repointed the document root, via [vagrant@localhost html]$ pwd
/var/www/html
[vagrant@localhost html] sudo vi index.html
[vagrant@localhost html]$ ls -Z
-rw-r--r--. root root unconfined_u:object_r:httpd_sys_content_t:s0 index.html I may consider symlinking from |
We may consider using the audit2allow module, to create custom policies. These custom policies can be created on the current vagrant centos vm, then possibly moved to the original virtualbox VM, which will allow us to regenerate the custom vagrant base box, with the policies loaded. Specifically, we will attempt to allow apache access to
Now, a Type Enforcement file,
Note: we will install |
When I run ...
type=AVC msg=audit(**********.***:****): avc: denied { getattr } for pid=****
comm="httpd" path="/vagrant/webroot/index.php" dev="vboxsf" ino=** scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:vmblock_t:s0 tclass=file
Was caused by:
Missing type enforcement (TE) allow rule.
You can use audit2allow to generate a loadable module to allow this access
... Note: the many repeated entries, have different However, [vagrant@localhost webroot]$ pwd
/vagrant/webroot
[vagrant@localhost webroot]$ ls -aZ
drwxr-xr-x. vagrant apache system_u:object_r:vmblock_t:s0 .
drwxr-xr-x. vagrant apache system_u:object_r:vmblock_t:s0 ..
-rw-rw-r--. vagrant apache system_u:object_r:vmblock_t:s0 authorize.php
drwxr-xr-x. vagrant apache system_u:object_r:vmblock_t:s0 config
-rw-rw-r--. vagrant apache system_u:object_r:vmblock_t:s0 cron.php
-rw-rw-r--. vagrant apache system_u:object_r:vmblock_t:s0 error_redirect.php
-rw-rw-r--. vagrant apache system_u:object_r:vmblock_t:s0 .htaccess
drwxr-xr-x. vagrant apache system_u:object_r:vmblock_t:s0 includes
-rw-rw-r--. vagrant apache system_u:object_r:vmblock_t:s0 index.php
-rw-rw-r--. vagrant apache system_u:object_r:vmblock_t:s0 install.php
drwxr-xr-x. vagrant apache system_u:object_r:vmblock_t:s0 misc
drwxr-xr-x. vagrant apache system_u:object_r:vmblock_t:s0 modules
drwxr-xr-x. vagrant apache system_u:object_r:vmblock_t:s0 profiles
drwxr-xr-x. vagrant apache system_u:object_r:vmblock_t:s0 publication
drwxr-xr-x. vagrant apache system_u:object_r:vmblock_t:s0 scripts
drwxr-xr-x. vagrant apache system_u:object_r:vmblock_t:s0 sites
drwxr-xr-x. vagrant apache system_u:object_r:vmblock_t:s0 themes
-rw-rw-r--. vagrant apache system_u:object_r:vmblock_t:s0 update.php
-rw-rw-r--. vagrant apache system_u:object_r:vmblock_t:s0 web.config
-rw-rw-r--. vagrant apache system_u:object_r:vmblock_t:s0 xmlrpc.php |
We attempted to create our own Type Enforcement rule: [vagrant@localhost webroot]$ pwd
/vagrant/webroot
[vagrant@localhost webroot]$ sudo audit2allow -a
#============= httpd_t ==============
allow httpd_t vmblock_t:file getattr;
#============= unconfined_t ==============
allow unconfined_t init_t:service { enable disable };
[vagrant@localhost webroot]$ sudo audit2allow -a -M httpd_t
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i httpd_t.pp
[vagrant@localhost webroot]$ sudo semodule -i httpd_t.pp
[vagrant@localhost webroot]$ sudo audit2allow -a
#============= httpd_t ==============
allow httpd_t vmblock_t:file read;
#!!!! This avc is allowed in the current policy
allow httpd_t vmblock_t:file getattr;
#============= unconfined_t ==============
#!!!! This avc is allowed in the current policy
allow unconfined_t init_t:service { enable disable }; Then, we |
We will disable the selinux policy, we created above, then remove the corresponding file(s): [vagrant@localhost webroot]$ semodule -d httpd_t
[vagrant@localhost webroot]$ rm httpd_t.pp httpd_t.te Then, we'll set selinux to permissive mode: [vagrant@localhost webroot]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28
[vagrant@localhost webroot]$ sudo setenforce permissive
[vagrant@localhost webroot]$ sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: permissive
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28 this will allow us to install drupal, to allow the This also means that I need to temporarily change the
to the following, with a successive
|
We created our policy, loaded it, then enabled it: [vagrant@localhost webroot]$ sudo grep httpd_t /var/log/audit/audit.log | audit2allow -M httpd_t
[vagrant@localhost webroot]$ sudo semodule -i httpd_t.pp
[vagrant@localhost webroot]$ sudo semodule -e httpd_t Then, we enabled selinux: [vagrant@localhost webroot]$ sudo setenforce enforcing
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: targeted
Current mode: enforcing
Mode from config file: enforcing
Policy MLS status: enabled
Policy deny_unknown status: allowed
Max kernel policy version: 28 and, notice that the policies are being implemented: [vagrant@localhost ~]$ sudo audit2allow -a
#============= httpd_t ==============
#!!!! This avc is allowed in the current policy
allow httpd_t postfix_etc_t:file { read getattr open };
#!!!! This avc is allowed in the current policy
allow httpd_t postfix_master_t:unix_stream_socket connectto;
#!!!! This avc is allowed in the current policy
allow httpd_t postfix_public_t:sock_file { write getattr };
#!!!! This avc is allowed in the current policy
allow httpd_t postfix_spool_t:dir { write remove_name add_name };
#!!!! This avc is allowed in the current policy
allow httpd_t postfix_spool_t:file { rename write getattr setattr read create open };
#!!!! This avc is allowed in the current policy
allow httpd_t unreserved_port_t:tcp_socket name_connect;
#!!!! This avc is allowed in the current policy
allow httpd_t vmblock_t:dir { write rmdir setattr read remove_name create add_name };
#!!!! This avc is allowed in the current policy
allow httpd_t vmblock_t:file { write getattr setattr read create open };
#============= unconfined_t ==============
allow unconfined_t init_t:service { enable disable }; The big trivial take-away, remember to enable the policy rule created via |
Now, we can access our drupal webpage with selinux enabled: The selinux configurations are persistent, across |
Thank you for opening an issue. I read through the thread, and it sounds like you were able to get things enabled, and it looks like the issue was related to selinux and httpd, not Vagrant. Is that correct? |
Hi @sethvargo, Yes sir. I wasn't sure initially, where this issue would lead me. Thank you! |
Finally, How to solve this error.I also have 403 forbidden error . |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
I have a centos 7.2 instance, and attempted to change the system context on the mounted
vagrant/
directory, in order to allowhttpd
to serve php based pages. The motivation for this, is because I have repointed the document root, via/etc/httpd/conf/httpd.conf
to/vagrant/webroot
, from the default/var/www/html
.Note: this issue is predicated on drupal-demonstration, with selinux manually enabled, since the default vagrant box implemented, has it disabled.
Before proceeding I reviewed the system context of my local project root:
[root@localhost /]# ls -lZ /vagrant drwxrwxrwx. vagrant vagrant system_u:object_r:vmblock_t:s0 log drwxrwxrwx. vagrant vagrant system_u:object_r:vmblock_t:s0 puppet drwxrwxrwx. vagrant vagrant system_u:object_r:vmblock_t:s0 src -rwxrwxrwx. vagrant vagrant system_u:object_r:vmblock_t:s0 vagrant -rwxrwxrwx. vagrant vagrant system_u:object_r:vmblock_t:s0 Vagrantfile drwxrwxrwx. vagrant vagrant system_u:object_r:vmblock_t:s0 webroot
So, I attempted to recursively change the system context on the
vagrant/
directory:[root@localhost /]# chcon -R -t httpd_sys_content_t vagrant chcon: failed to change context of ‘COMMIT_EDITMSG’ to ‘system_u:object_r:httpd_sys_content_t:s0’: Operation not supported chcon: failed to change context of ‘config’ to ‘system_u:object_r:httpd_sys_content_t:s0’: Operation not supported chcon: failed to change context of ‘description’ to ‘system_u:object_r:httpd_sys_content_t:s0’: Operation not supported ...
Note: we terminated the above
chcon
command, while it was running, because there are a lot of files nested in thevagrant/
directory.Since, I am unable to change the system context on the
vagrant/
directory, if I delete, or move/etc/httpd/conf.d/welcome.conf
, I get the following403
error:Note: though, this was attempted on Centos 7.x, it probably applies to Redhat 7.x.
The text was updated successfully, but these errors were encountered: