
I don't want to disable SELinux, but I am having problems with it. I am using FFMPEG (located in /var/www/tester/ffmpeg and owned by apache):

[root@betaX tester]# ls -Z /var/www/html/tester/ffmpeg/
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffmpeg
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffmpeg-10bit
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffprobe
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffserver
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 manpages
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 model
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 qt-faststart

But every time I try to run ffmpeg

{ffmpeg-cmd} -i {input} -vcodec libx264 -s {ffmpeg-vsize} -threads 16 -movflags faststart {output}.mp4

I am getting a permission denied error.

[root@betaX tester]# tail -f /var/log/httpd/error_log
sh: /var/www/html/tester/ffmpeg/ffmpeg: Permission denied

I want to disable SELinux only for Apache, since it will cost me a lot of time; is there any method of doing that on CentOS 7.x? I found a solution for Fedora, but I don't have any folder or file called /etc/selinux/targeted/booleans.

Any clue or suggestions?

Current settings:

[root@betaX tester]# /usr/sbin/getsebool -a | grep httpd
httpd_anon_write --> off
httpd_builtin_scripting --> on
httpd_can_check_spam --> off
httpd_can_connect_ftp --> off
httpd_can_connect_ldap --> off
httpd_can_connect_mythtv --> off
httpd_can_connect_zabbix --> off
httpd_can_network_connect --> off
httpd_can_network_connect_cobbler --> off
httpd_can_network_connect_db --> off
httpd_can_network_memcache --> off
httpd_can_network_relay --> off
httpd_can_sendmail --> off
httpd_dbus_avahi --> off
httpd_dbus_sssd --> off
httpd_dontaudit_search_dirs --> off
httpd_enable_cgi --> off
httpd_enable_ftp_server --> off
httpd_enable_homedirs --> off
httpd_execmem --> on
httpd_graceful_shutdown --> on
httpd_manage_ipa --> off
httpd_mod_auth_ntlm_winbind --> off
httpd_mod_auth_pam --> off
httpd_read_user_content --> off
httpd_run_ipa --> off
httpd_run_preupgrade --> off
httpd_run_stickshift --> off
httpd_serve_cobbler_files --> off
httpd_setrlimit --> off
httpd_ssi_exec --> on
httpd_sys_script_anon_write --> off
httpd_tmp_exec --> off
httpd_tty_comm --> off
httpd_unified --> off
httpd_use_cifs --> off
httpd_use_fusefs --> off
httpd_use_gpg --> off
httpd_use_nfs --> off
httpd_use_openstack --> off
httpd_use_sasl --> off
httpd_verify_dns --> off
Lunatic Fnatic

What do you want to achieve? Do you want the apache process to be able to execute the binary? Or do you want root to be able to do so? Or both?!? How is apache supposed to use the binary? The point is that the "httpd_sys_rw_content_t" context type does not allow execution of binaries. This may probably help: https://stackoverflow.com/questions/15395845/tell-selinux-to-give-apache-execute-access-to-php-files-outside-document-root – dsmsk80 Oct 02 '17 at 16:14

2 Answers

Your issue is caused by incorrectly labeled executables.

Relabel them to httpd_sys_script_exec_t (see semanage fcontext and restorecon):

semanage fcontext -a -t httpd_sys_script_exec_t '/var/www/html/tester/ffmpeg/.*'
restorecon -Rv /var/www/html/tester/ffmpeg/

For completeness' sake, here's how to just disable SELinux for apache (using semanage permissive):

semanage permissive -a httpd_t
fuero
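An added audit script (not from this answer or the asker) that applies the same check the answer describes: it reads `ls -Z` lines, reports executables whose SELinux type is not the one httpd may execute, and prints the relabel commands. It assumes the CentOS 7 `ls -Z` column layout shown in the question, uses a constructed sample of that listing, and never invokes semanage or restorecon itself.

```shell
#!/usr/bin/env bash
# Added example, not part of the answer: find httpd-served executables whose
# SELinux type will not let httpd_t run them, and print the relabel commands.
# Assumes only sh/bash and awk; nothing here calls semanage or restorecon.
set -eu

# Type from the accepted answer: httpd_t may transition into a script domain
# for files labelled with it, which plain httpd_sys_rw_content_t never allows.
EXPECTED_TYPE="httpd_sys_script_exec_t"

# Constructed sample of CentOS 7 `ls -Z` output, modelled on the question's listing.
SAMPLE_LS_Z='-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffmpeg
-rwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 ffprobe
drwxr-xr-x. apache apache unconfined_u:object_r:httpd_sys_rw_content_t:s0 manpages
-rwxr-xr-x. apache apache system_u:object_r:httpd_sys_script_exec_t:s0 qt-faststart'

# Read `ls -Z` lines on stdin and print the names of owner-executable regular
# files whose SELinux type (third part of user:role:type:level) is not $1.
# Field positions (mode, user, group, context, name) follow the listing above.
mislabeled_execs() {
    awk -v want="$1" '
        $1 ~ /^-..x/ {
            split($4, ctx, ":")
            if (ctx[3] != want) print $5
        }'
}

# Emit the answer's two commands for a directory. The (/.*)? suffix makes the
# fcontext rule cover the directory itself as well as everything beneath it.
relabel_commands() {
    dir="${1%/}"
    printf "semanage fcontext -a -t %s '%s(/.*)?'\n" "$EXPECTED_TYPE" "$dir"
    printf "restorecon -Rv %s\n" "$dir"
}

# With --live <dir>, audit a real directory; by default, run over the sample.
if [ "${1:-}" = "--live" ]; then
    ls -Z "$2" | mislabeled_execs "$EXPECTED_TYPE"
    relabel_commands "$2"
else
    printf '%s\n' "$SAMPLE_LS_Z" | mislabeled_execs "$EXPECTED_TYPE"
    relabel_commands /var/www/html/tester/ffmpeg/
fi
```

Relabelling is the fix to prefer: `semanage permissive -a httpd_t` lifts every restriction on the httpd_t domain, not just the execute check that produced the denial.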

You could use sealert in order to fix your permission denied error:

# sealert -a /var/log/audit/audit.log
l10nn