SELinux的故障排除一例

刚刚采用Puppet部署了dokuwiki，不过配置完成后报错：

DokuWiki Setup Error

The datadir ('pages') at /pages is not found, isn't accessible or writable. You should check your config and permission settings. Or maybe you want to run the installer?

尝试关闭了SELinux，之后就正常。可是在测试环境中就没这个问题。系统环境基本一致。

于是查看了下audit.log：

tail -f /var/log/audit/audit.log | grep -i httpd

type=AVC msg=audit(1377479847.165:7269): avc:  denied  { search } for  pid=11160 comm="httpd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1377479847.165:7269): arch=40000003 syscall=33 success=no exit=-13 a0=1ebef68 a1=0 a2=1323e18 a3=f items=0 ppid=11149 pid=11160 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1122 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1377479847.166:7270): avc:  denied  { search } for  pid=11160 comm="httpd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1377479847.166:7270): arch=40000003 syscall=33 success=no exit=-13 a0=1ec5a58 a1=0 a2=1323e18 a3=f items=0 ppid=11149 pid=11160 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1122 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1377479847.166:7271): avc:  denied  { search } for  pid=11160 comm="httpd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1377479847.166:7271): arch=40000003 syscall=33 success=no exit=-13 a0=1eafc54 a1=0 a2=1323e18 a3=f items=0 ppid=11149 pid=11160 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1122 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1377479847.166:7272): avc:  denied  { search } for  pid=11160 comm="httpd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1377479847.166:7272): arch=40000003 syscall=33 success=no exit=-13 a0=1eafcb8 a1=0 a2=1323e18 a3=f items=0 ppid=11149 pid=11160 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1122 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1377479847.166:7273): avc:  denied  { search } for  pid=11160 comm="httpd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1377479847.166:7273): arch=40000003 syscall=33 success=no exit=-13 a0=1eb04e8 a1=0 a2=1323e18 a3=f items=0 ppid=11149 pid=11160 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1122 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1377479847.166:7274): avc:  denied  { search } for  pid=11160 comm="httpd" name="/" dev=dm-2 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
type=SYSCALL msg=audit(1377479847.166:7274): arch=40000003 syscall=33 success=no exit=-13 a0=1eb0624 a1=0 a2=1323e18 a3=f items=0 ppid=11149 pid=11160 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1122 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

HOHO，第一次处理SELinux的故障，看到其中的name、dev以及scontext和tcontext，于是在“/”下找找：

[root@localhost /]# ll -Z /
drwxr-xr-x. apache apache system_u:object_r:file_t:s0      wiki

后来发现是因为将wiki的目录建在了“/”下面，并重新挂载了一个分区，重新赋予权限就好了

[root@localhost /]# chcon -t httpd_t /wiki

对SELinux的了解还是太浅，呵呵。