SELinux is preventing $_POST variables on Amazon Linux 2
I began playing with RPM-based OSes and I am really impressed.
Amazon Linux doesn't include setroubleshoot in any of their repos. I want to use official repos for everything, otherwise I would just jump ship. I checked the logs and didn't see a "SELinux is preventing" error, but maybe I don't know what to look for.
$_POST variables work when setenforce is set to permissive.
My code works on Debian systems. My website is reachable on Amazon Linux but won't redirect correctly.
I'm using httpd (what RPM calls apache2). apachectl configtest returns Syntax OK.
This is my code. It is index.php:
<form action="index.php" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="hidden" name="hidden_value" value="true">
<input type="submit">
</form>
And then on the same page, I write some PHP:
<?php
if (isset($_POST['hidden_value'])) {
    /* Do the rest of your authentication math */
}
?>
index.php redirects to index.php, and the $_POST variables handle the redirects. However, it only works when I set SELinux to permissive. I'd like to arm SELinux.
PS: It does redirect, but it redirects with the $_POST variable unset.
linux selinux aws
asked Dec 7 at 8:08 by Cookie, edited Dec 7 at 8:14
Have you tested with the authentication routines actually removed? It might be php/httpd trying to access directories it's not allowed to.
– Ulrich Schwarz, Dec 7 at 8:12
Please post the SELinux messages from /var/log/audit/audit.log when trying to access the variable. This will provide a clearer picture.
– hargut, Dec 7 at 8:16
@Mr. Schwarz How do I discover whether this is the case?
– Cookie, Dec 7 at 8:16
@hargut That folder does not exist in /var/log.
– Cookie, Dec 7 at 8:19
Here is an overview on the available http-related SELinux booleans: dwalsh.fedorapeople.org/SELinux/httpd_selinux.html Did you already enable httpd_enable_cgi?
– hargut, Dec 7 at 8:20
2 Answers
Thanks to Ulrich Schwarz and hargut for pointing me in the right direction. It was in fact a boolean. I enabled httpd_enable_cgi as suggested, and it still didn't work. Then I looked at the list of booleans using
sudo getsebool -a | grep httpd
That's how I found out that there is a boolean called httpd_can_network_connect_db and that it was turned off. I turned it on by using
sudo setsebool httpd_can_network_connect_db=1
If anyone uses MySQL and is migrating from Debian to a Security Enhanced system, this is a prerequisite. So much to learn about SELinux. Thanks again.
answered Dec 7 at 8:59 by Cookie, edited Dec 7 at 9:10
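The `getsebool -a | grep httpd` step in the answer above, turned into a repeatable check. This is an added example, not code from the thread: it reads `getsebool -a` output, reports which of the booleans the answer needed are off, and prints the persistent fix for each. The set of booleans it checks (the two named in the answer) is an assumption for illustration; the sample `getsebool` output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example; not code from the original thread. Given `getsebool -a`
# output on stdin, list which of the httpd booleans this thread needed are
# off and emit the persistent fix for each. The wanted set is an assumption
# for illustration: the two booleans named in the answer.
WANTED_BOOLEANS="httpd_enable_cgi httpd_can_network_connect_db"

# report_off_booleans: stdin is "name --> on|off" lines as printed by
# `getsebool -a`; prints one name per line for wanted booleans that are off.
report_off_booleans() {
    awk -v wanted="$WANTED_BOOLEANS" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $2 == "-->" && ($1 in want) && $3 == "off" { print $1 }
    '
}

# fix_commands: turn boolean names into `setsebool -P` invocations. Without
# -P the change does not survive a reboot. The narrow *_db boolean is the
# least-privilege choice; httpd_can_network_connect would let httpd reach
# any TCP port.
fix_commands() {
    while read -r name; do
        printf 'setsebool -P %s=1\n' "$name"
    done
}

# Constructed sample of `getsebool -a | grep httpd` output, not captured
# from a real host.
SAMPLE_GETSEBOOL='httpd_builtin_scripting --> on
httpd_can_network_connect --> off
httpd_can_network_connect_db --> off
httpd_enable_cgi --> on
httpd_enable_homedirs --> off'

# Stand-alone run: the live policy if getsebool is installed, else the sample.
if command -v getsebool >/dev/null 2>&1; then
    getsebool -a | report_off_booleans | fix_commands
else
    printf '%s\n' "$SAMPLE_GETSEBOOL" | report_off_booleans | fix_commands
fi
```

Run it on the host as an unprivileged user; it only reads policy state and prints the `setsebool -P` lines, which you then run as root. The `-P` matters: the answer's `setsebool httpd_can_network_connect_db=1` without it is correct until the next reboot, after which the site silently breaks again.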
Make sure to check /var/log/audit/audit.log for SELinux warnings. It might suggest what policy to enable.
Otherwise, you can set SELinux to permissive mode and then use the aforementioned log file to build a custom policy encompassing all the needs of your application. To do this, set SELinux to permissive mode, use all the features of your code, and then use audit2allow to generate a custom policy.
You can then bundle and distribute the policy file with your code so that SELinux will allow all and only the special permissions that your code needs:
# generate a custom policy
grep "AVC" /var/log/audit/audit.log | audit2allow -M yourapp
# install that policy
semodule -i yourapp.pp
Whatever you do, don't go into production with SELinux turned off!
Consider watching this awesome intro to SELinux: https://www.youtube.com/watch?v=_WOKRaM-HI4
answered Dec 7 at 9:04 by znpy, edited Dec 7 at 12:20 by Rui F Ribeiro
awesome. Thanks.
– Cookie, Dec 7 at 9:12
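Before piping denials straight into `audit2allow` as this answer suggests, it is worth reading what was actually denied: a boolean is a narrower fix than a custom module that allows whatever the app happened to do while permissive. The following is an added example, not code from the thread or from the SELinux tools: it summarises AVC records into "process source_type -> target_type class {permissions}" lines and maps the one tuple this thread established (httpd_t connecting to mysqld_port_t) to its boolean, sending everything else to `audit2why`. The audit records are constructed sample input, not captured from a real host, and the mapping table is illustrative. It also covers the asker's situation where /var/log/audit does not exist: when auditd is not running, the kernel writes the same "avc:  denied" records to the kernel log, so `dmesg` or `journalctl -k` output can be fed to the same function.

```shell
#!/bin/sh
# Added example; not code from the original thread. Summarises SELinux AVC
# denial records into "comm source_type -> target_type class {perms}" lines
# so you can see what was denied before choosing between a boolean and a
# custom audit2allow module. Input is audit.log-style records on stdin. If
# auditd is not running (no /var/log/audit, as in the question), the kernel
# logs the same "avc:  denied" records, so feed `dmesg` or `journalctl -k`
# output to the same function.

# summarize_avc: one line per AVC denial; the permission set is taken from the
# "{ ... }" after "denied", the types from the third field of scontext/tcontext.
summarize_avc() {
    awk '
        /avc:  denied  / {
            perms = ""; src = ""; tgt = ""; cls = ""; comm = ""
            # "denied  { " is 10 characters, " }" is 2
            if (match($0, /denied  [{] [^}]* [}]/))
                perms = substr($0, RSTART + 10, RLENGTH - 12)
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "scontext") src = kv[2]
                else if (kv[1] == "tcontext") tgt = kv[2]
                else if (kv[1] == "tclass") cls = kv[2]
                else if (kv[1] == "comm") { comm = kv[2]; gsub(/"/, "", comm) }
            }
            split(src, s, ":"); split(tgt, t, ":")
            print comm " " s[3] " -> " t[3] " " cls " {" perms "}"
        }'
}

# suggest_fix: map each summary line to the least-privilege fix. Only the
# tuple this thread established (httpd_t connecting to mysqld_port_t) is
# mapped to a boolean; anything else is sent to audit2why so the reason is
# read before policy is written. The mapping table is illustrative.
suggest_fix() {
    while read -r comm src arrow tgt cls perms; do
        case "$src $tgt $cls $perms" in
            "httpd_t mysqld_port_t tcp_socket {name_connect}")
                echo "setsebool -P httpd_can_network_connect_db=1" ;;
            *)
                echo "review: $comm $src -> $tgt $cls $perms (audit2why before audit2allow)" ;;
        esac
    done
}

# Constructed sample records in audit.log format, not captured from a real
# host: a DB connect denial, its SYSCALL record, and a file read denial.
SAMPLE_AUDIT='type=AVC msg=audit(1544170000.123:456): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1544170000.123:456): arch=c000003e syscall=42 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1544170001.001:457): avc:  denied  { read open } for  pid=1234 comm="httpd" name="config.php" dev="xvda1" ino=5678 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# Stand-alone run over the sample; on a live host use, for example,
#   grep avc /var/log/audit/audit.log | summarize_avc | suggest_fix
#   journalctl -k | summarize_avc | suggest_fix      # when auditd is absent
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc | suggest_fix
```

The second sample denial (httpd reading a file labelled user_home_t) is the kind of thing the permissive-then-audit2allow workflow would turn into a blanket allow rule; the summary makes it visible that the right fix there is a label or boolean decision rather than a module that grants httpd read access to home directories forever.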