Support for security such as Firewalls and securing linux
by i15 » 2015/11/27 13:52:39
Hi. I have Drupal 7 on RHEL 7 and it looks like SELinux blocks crontab.
aureport -a shows
90. 11/27/2015 01:32:35 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10061
91. 11/27/2015 01:42:35 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10062
92. 11/27/2015 01:52:43 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10063
93. 11/27/2015 02:02:48 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10069
94. 11/27/2015 02:13:02 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10081
95. 11/27/2015 02:23:02 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10082
96. 11/27/2015 02:33:03 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10083
97. 11/27/2015 02:43:03 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10084
98. 11/27/2015 02:53:09 httpd system_u:system_r:httpd_t:s0 87 file unlink system_u:object_r:httpd_log_t:s0 denied 10094
It looks like it is the same 10-minute period when Ultimate Cron tries to start.
I am pretty sure the problem is with SELinux, but I can't find any understandable solution.
-
by TrevorH » 2015/11/27 14:37:46
Those don't look like crontab problems. Post the output from ausearch -a 10094 for example
-
by i15 » 2015/11/27 17:34:04
TrevorH wrote: Those don't look like crontab problems. Post the output from ausearch -a 10094 for example
Like that?
# ausearch -a 10094
----
time->Fri Nov 27 02:53:09 2015
type=SYSCALL msg=audit(1448592789.092:10094): arch=c000003e syscall=87 success=no exit=-13 a0=7fcb1b7dc118 a1=7fcb1b7dc118 a2=7fcb1b225da0 a3=5657c595 items=0 ppid=14948 pid=1485 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1448592789.092:10094): avc: denied { unlink } for pid=1485 comm="httpd" name="stats_log_global" dev="sda1" ino=50528229 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
-
by TrevorH » 2015/11/27 18:09:31
type=AVC msg=audit(1448592789.092:10094): avc: denied { unlink } for pid=1485 comm="httpd" name="stats_log_global" dev="sda1" ino=50528229 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
That says your apache httpd process tried to delete a file called stats_log_global from whatever filesystem is on /dev/sda1. The file is on inode number 50528229. It's not allowed to do that. Intentionally. The idea is to stop httpd from deleting log files that might contain information useful to track down someone attempting to hack your web server. Not cron at all, unless your cron job is making a request to http to do whatever it's meant to be trying to do.
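Added example, not part of the original thread: a small Python parser that reads AVC denial records field by field, the way the reply above does by hand, and groups repeated denials so a recurring one stands out. The first sample record is the one quoted in the thread; the second is constructed for this example, and the function names are hypothetical.

```python
import re
from collections import Counter

# Record 1 is the AVC line quoted in the thread (event 10094).
# Record 2 is constructed for this example so there is something to aggregate.
SAMPLE = """\
type=AVC msg=audit(1448592789.092:10094): avc: denied { unlink } for pid=1485 comm="httpd" name="stats_log_global" dev="sda1" ino=50528229 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1448593389.000:10101): avc: denied { unlink } for pid=1490 comm="httpd" name="stats_log_global" dev="sda1" ino=50528229 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['ts'] = float(m.group('ts'))
    rec['serial'] = int(m.group('serial'))      # the number passed to ausearch -a
    rec['perms'] = m.group('perms').split()     # e.g. ['unlink']
    # An SELinux context is user:role:type:level; the type decides the policy rule.
    rec['source_type'] = rec['scontext'].split(':')[2]
    rec['target_type'] = rec['tcontext'].split(':')[2]
    return rec


def summarize(text):
    """Count denials per (process, source type, permission, class, target type, file)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue                            # SYSCALL and other record types
        for perm in rec['perms']:
            counts[(rec['comm'], rec['source_type'], perm,
                    rec['tclass'], rec['target_type'], rec.get('name'))] += 1
    return counts


if __name__ == '__main__':
    for key, n in summarize(SAMPLE).most_common():
        print(n, *key)
```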
-
by i15 » 2015/11/27 20:31:22
TrevorH wrote:
type=AVC msg=audit(1448592789.092:10094): avc: denied { unlink } for pid=1485 comm="httpd" name="stats_log_global" dev="sda1" ino=50528229 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
That says your apache httpd process tried to delete a file called stats_log_global from whatever filesystem is on /dev/sda1. The file is on inode number 50528229. It's not allowed to do that. Intentionally. The idea is to stop httpd from deleting log files that might contain information useful to track down someone attempting to hack your web server. Not cron at all, unless your cron job is making a request to http to do whatever it's meant to be trying to do.
I found only one file like that. And it is for mod_pagespeed.
Now I agree, it is not cron, especially because I changed the interval time from 10 to 15 minutes and logs did not change.
But we found one more problem
Attachment: Screen Shot 2015-11-27 at 3.30.34 PM.png