SELinux is preventing $_POST variables on Amazon Linux 2
I began playing with RPM-based OSes and I am really impressed.
Amazon Linux doesn't include setroubleshoot in any of their repos. I want to use official repos for everything, otherwise I would just jump ship. I checked the logs and didn't see a "SELinux is preventing" error, but maybe I don't know what to look for.
$_POST variables work when setenforce is set to permissive.
My code works on Debian systems. My website is reachable on Amazon Linux but won't redirect correctly.
I'm using httpd (what RPM calls apache2). apachectl configtest returns Syntax OK.
This is my code. It is index.php:

<form action="index.php" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="hidden" name="hidden_value" value="true">
<input type="submit">
</form>

And then on the same page, I write some PHP:

<?php
if (isset($_POST['hidden_value'])) {
    /* Do the rest of your authentication math */
}
?>

Index.php redirects to index.php, and the $_POST variables handle the redirects. However, it only works when I set SELinux to permissive. I'd like to arm SELinux.
PS: It does redirect, but it redirects with the $_POST variable unset.
linux selinux aws
asked 2 days ago by Cookie (92); edited 2 days ago
Have you tested with the authentication routines actually removed? It might be php/httpd trying to access directories it's not allowed to.
– Ulrich Schwarz
2 days ago
Please post the SELinux messages from /var/log/audit/audit.log when trying to access the variable. This will provide a clearer picture.
– hargut
2 days ago
@ Mr. Schwarz How do I discover whether this is the case?
– Cookie
2 days ago
@ hargut. That folder does not exist in /var/log
– Cookie
2 days ago
Here is an overview on the available HTTP-related SELinux booleans: dwalsh.fedorapeople.org/SELinux/httpd_selinux.html Did you already enable httpd_enable_cgi?
– hargut
2 days ago
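The comment thread asks for records from /var/log/audit/audit.log, which does not exist here because auditd is not installed. The denials are still logged: when no auditd is running, the kernel prints AVC records to the kernel ring buffer, where dmesg or journalctl -k can read them. The script below is an added example, not part of the original question or comments. It collects AVC denials from whichever source the host has (or from a saved log passed as an argument), and collapses them to one line per distinct denial for the web server's httpd_t domain. The script name avc_summary.sh is an assumption, as is the detail that the kernel-log and audit.log line formats share the same "avc: denied { perm } ... scontext= tcontext= tclass=" core (the parser relies on that and is written to accept both).

```sh
#!/bin/sh
# Added example, not code from the original post. Finds SELinux AVC denials for
# httpd on a host without auditd (no /var/log/audit/audit.log) and reduces them
# to one line per unique denial.
# Assumption: with no auditd running, the kernel emits AVC records to the kernel
# ring buffer, so dmesg / journalctl -k show them with an "audit: type=1400" prefix.

# Emit raw AVC "denied" records from whichever log source this host has.
collect_avc() {
    if [ -r /var/log/audit/audit.log ]; then
        grep -a 'avc: *denied' /var/log/audit/audit.log
    elif command -v journalctl >/dev/null 2>&1; then
        journalctl -k --no-pager 2>/dev/null | grep -a 'avc: *denied'
    else
        dmesg 2>/dev/null | grep -a 'avc: *denied'
    fi
    return 0   # "no denials found" is a result, not an error
}

# Read AVC records on stdin; print "<count> <comm> <source_type> <target_type> <class> <perms>"
# per distinct denial, most frequent first. Handles both the audit.log form
# (type=AVC msg=audit(...): avc: denied ...) and the kernel-log form
# (audit: type=1400 audit(...): avc: denied ...), since the core is identical.
summarise_avc() {
    sed -n 's/.*avc: *denied *{ *\([^}]*[^} ]\) *}.*comm="\([^"]*\)".*scontext=[^:]*:[^:]*:\([^: ]*\)[: ].*tcontext=[^:]*:[^:]*:\([^: ]*\)[: ].*tclass=\([^ ]*\).*/\2 \3 \4 \5 \1/p' \
        | sort | uniq -c | sort -rn | sed 's/^ *//'
}

# Keep only denials whose source domain is the web server, so noise from sshd,
# cron and friends does not end up in a policy decision.
httpd_only() {
    awk '$3 == "httpd_t"'
}

# Usage: avc_summary.sh            (scan this host)
#        avc_summary.sh saved.log  (scan a copied log offline)
main() {
    if [ -n "${1:-}" ]; then
        summarise_avc < "$1" | httpd_only
    else
        collect_avc | summarise_avc | httpd_only
    fi
    # Nothing listed, but the app only works in permissive mode? The denial may be
    # hidden by a dontaudit rule: "semodule -DB" disables those rules, reproduce
    # the failure, then "semodule -B" restores them.
}

# Run main only when executed as the script, so the functions can also be sourced.
case "$0" in */avc_summary.sh|avc_summary.sh) main "$@" ;; esac
```

The count column matters: a denial that repeats on every request is the one blocking the form, while a one-off from a stray restorecon is not. With auditd installed, `ausearch -m AVC -ts recent` does the collection step for you.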
2 Answers
Thanks to Ulrich Schwarz and hargut for pointing me in the right direction. It was in fact a boolean. I enabled httpd_enable_cgi as suggested, and it still didn't work. Then I looked at the list of booleans using

sudo getsebool -a | grep httpd

That's how I found out that there is a boolean called httpd_can_network_connect_db and that it was turned off.
I turned it on by using

sudo setsebool httpd_can_network_connect_db=1

If anyone uses MySQL and is migrating from Debian to a Security Enhanced system, this is a prerequisite. So much to learn about SELinux. Thanks again.
answered 2 days ago by Cookie (92); edited 2 days ago
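Two things a practitioner would add to the answer above, shown here as an added example that is not part of the answer itself. First, plain `setsebool X=1` only lasts until reboot; `setsebool -P` writes the value into the policy store. Second, `httpd_can_network_connect_db` is the right choice precisely because it is narrow: `httpd_can_network_connect` would also have "fixed" the MySQL connection, but at the cost of letting a compromised PHP process reach any TCP port. The script turns one summarised denial (source type, target type, class, permission) into the narrowest boolean that covers it, applies it persistently and verifies it. The port-type to boolean mapping is hand-written here from the targeted policy's boolean descriptions and is an assumption; `audit2why` is the authoritative source. The script name httpd_boolean.sh is also assumed.

```sh
#!/bin/sh
# Added example, not code from the original answer. Picks the narrowest httpd
# boolean for one denial, enables it so that it survives a reboot, and verifies it.
# Boolean and port-type names are the standard targeted-policy ones; the mapping
# below is an assumption written by hand, not read from the loaded policy
# (run audit2why for the authoritative answer).

# Print the narrowest boolean for a denial; print "none" and return 1 when no
# boolean applies (e.g. a file-label problem).
# Usage: narrowest_boolean <source_type> <target_type> <tclass> <permission>
narrowest_boolean() {
    src=$1; tgt=$2; cls=$3; perm=$4
    [ "$src" = httpd_t ] || { echo none; return 1; }
    case "$cls:$perm:$tgt" in
        tcp_socket:name_connect:mysqld_port_t|tcp_socket:name_connect:postgresql_port_t)
            echo httpd_can_network_connect_db ;;
        tcp_socket:name_connect:memcache_port_t)
            echo httpd_can_network_memcache ;;
        tcp_socket:name_connect:http_port_t|tcp_socket:name_connect:http_cache_port_t)
            echo httpd_can_network_relay ;;
        tcp_socket:name_connect:smtp_port_t)
            echo httpd_can_sendmail ;;
        tcp_socket:name_connect:*)
            # Only the broad boolean covers other ports. Before opening all outbound
            # TCP for httpd, consider labelling the port instead, e.g. a MySQL
            # instance on a non-default port:  semanage port -a -t mysqld_port_t -p tcp 3307
            echo httpd_can_network_connect ;;
        *)
            # file/dir denials on web content are usually a labelling problem
            # (files copied from a home dir or /tmp keep their old label):
            #   restorecon -Rv /var/www   or   semanage fcontext -a -t httpd_sys_content_t '/srv/site(/.*)?'
            echo none; return 1 ;;
    esac
}

# Enable a boolean persistently and confirm it is on. "setsebool X=1" alone (as in
# the answer) is lost at reboot; -P also writes it to the policy store.
# Returns 2 when no SELinux tooling is present, 1 if the change did not take.
enable_boolean() {
    bool=$1
    command -v setsebool >/dev/null 2>&1 || { echo "setsebool not found" >&2; return 2; }
    setsebool -P "$bool" on || return 1
    getsebool "$bool" | grep -q -- '--> on$'
}

# Usage: httpd_boolean.sh httpd_t mysqld_port_t tcp_socket name_connect
main() {
    [ $# -eq 4 ] || { echo "usage: $0 <source_type> <target_type> <tclass> <perm>" >&2; return 64; }
    bool=$(narrowest_boolean "$@") || { echo "no boolean covers this denial; check file labels" >&2; return 1; }
    if [ "$bool" = httpd_can_network_connect ]; then
        echo "warning: $bool opens every outbound TCP port for httpd" >&2
    fi
    enable_boolean "$bool" && echo "$bool is on and persistent"
}

# Run main only when executed as the script (not when sourced for its functions).
case "$0" in */httpd_boolean.sh|httpd_boolean.sh) main "$@" ;; esac
```

After a reboot, `getsebool httpd_can_network_connect_db` should still print `--> on`; if it prints `off`, the boolean was set without `-P`.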
Make sure to check /var/log/audit/audit.log for SELinux warnings. It might suggest what policy to enable.
Otherwise, you can set SELinux in permissive mode and then use the aforementioned logfile to build a custom policy encompassing all the needs of your application. In order to do this, set SELinux in permissive mode, use all the features of your code and then use audit2allow to generate a custom policy.
You can then bundle and distribute the policy file with your code so that SELinux will allow all and only the special permissions that your code needs:

# generate a custom policy
grep "AVC" /var/log/audit/audit.log | audit2allow -M yourapp
# install that policy
semodule -i yourapp.pp

Whatever you do, don't go into production with SELinux turned off!
Consider watching this awesome intro to SELinux: https://www.youtube.com/watch?v=_WOKRaM-HI4
answered 2 days ago by znpy (1,344); edited 2 days ago by Rui F Ribeiro (38.5k)
Awesome. Thanks.
– Cookie
2 days ago
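The `grep "AVC" audit.log | audit2allow -M yourapp` recipe in the answer above has two sharp edges: it feeds every denial on the box into the module (sshd, cron, whatever else was noisy while you were in permissive mode), and it will generate a custom allow rule for something an existing boolean already covers, which is the worse way to grant it. The script below is an added example, not part of the answer. It narrows the input to httpd_t, asks `audit2why` first, and gates the generated .te file on a review before anything is handed to `semodule -i`. The module name webapp, the review patterns, and the package name are assumptions; audit2allow's habit of annotating rules with "This avc can be allowed using the boolean '...'" is relied on as stated.

```sh
#!/bin/sh
# Added example, not code from the original answer. A more careful version of
# "grep AVC audit.log | audit2allow -M yourapp; semodule -i yourapp.pp":
# only httpd's denials go in, an existing boolean is preferred over a custom
# rule, and the generated .te is reviewed before it is loaded.
# The module name "webapp" and the review patterns are assumptions.

# Keep only AVC denials whose source domain is httpd_t (audit2allow reads stdin).
httpd_denials() {
    grep -a 'avc: *denied' | grep -a 'scontext=[^ ]*:httpd_t:'
}

# Gate a generated .te file. Returns 1 (and says why on stderr) if it
#   - carries audit2allow's own "can be allowed using the boolean" hint:
#     use setsebool -P instead of a custom rule;
#   - grants permissions a web app should not need (execmem, ptrace, ...);
#   - touches sensitive types (shadow_t, unconfined_t, ...) or writes to
#     config / binary locations.
review_te() {
    te=$1
    if grep -q 'can be allowed using the boolean' "$te"; then
        printf 'REJECT %s: a boolean already covers this, use setsebool -P:\n' "$te" >&2
        grep 'boolean' "$te" >&2
        return 1
    fi
    bad=$(grep -nE \
        -e 'execmem|execstack|execheap|dac_override|sys_admin|sys_module|sys_ptrace|ptrace|setenforce|load_policy' \
        -e ' (shadow_t|passwd_file_t|kernel_t|unconfined_t|init_t|boot_t)[:;]' \
        -e ' (etc_t|bin_t|usr_t|lib_t|httpd_config_t|httpd_modules_t):[a-z_]+ (\{[^}]*)?(write|append|create|unlink|rename|setattr|relabelto)' \
        "$te" || true)
    if [ -n "$bad" ]; then
        printf 'REJECT %s: rules a web server should not need:\n%s\n' "$te" "$bad" >&2
        return 1
    fi
    grep -q '^allow ' "$te" || { printf 'REJECT %s: no allow rules generated\n' "$te" >&2; return 1; }
    return 0
}

# Build a module from an audit log and review it; the load step is left to you.
# Usage: build_httpd_module.sh [/var/log/audit/audit.log] [webapp]
build_module() {
    log=${1:-/var/log/audit/audit.log}; name=${2:-webapp}
    command -v audit2allow >/dev/null 2>&1 \
        || { echo "audit2allow not found (assumed package: policycoreutils-python)" >&2; return 2; }
    httpd_denials < "$log" > "$name.avc"
    [ -s "$name.avc" ] || { echo "no httpd_t denials in $log" >&2; return 1; }
    audit2why < "$name.avc"                      # reports booleans that would already allow this
    audit2allow -M "$name" < "$name.avc" || return 1
    review_te "$name.te" || return 1
    echo "reviewed: $name.te; load it with: semodule -i $name.pp"
}

case "$0" in */build_httpd_module.sh|build_httpd_module.sh) build_module "$@" ;; esac
```

Keep the reviewed .te under version control next to the application; the .pp is a build artifact. If `review_te` rejects a module because of a boolean hint, the fix is one `setsebool -P`, not a policy module.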