I am testing the collectd Exec plugin using sample scripts before using it for my end purpose. But I am facing issues with the sample script itself.
This is the error:
collectd[4585]: exec plugin: Failed to execute ``/home/ec2-user/magic_level.sh'': Permission denied
More info:
$ cat /home/ec2-user/magic_level.sh
#!/bin/bash
HOSTNAME="${COLLECTD_HOSTNAME:-localhost}"
INTERVAL="${COLLECTD_INTERVAL:-60}"
while sleep "$INTERVAL"; do
  echo "PUTVAL \"$HOSTNAME/exec-magic/gauge-magic_level\" interval=$INTERVAL N:$(date +%N)"
done
$ ls -l /home/ec2-user/magic_level.sh
-rwxrwxr-x. 1 ec2-user ec2-user 244 Dec 27 16:28 /home/ec2-user/magic_level.sh
My exec plugin configuration:
<Plugin exec>
Exec "ec2-user" "/home/ec2-user/magic_level.sh"
</Plugin>
Note: I could see that SELinux is enabled, but I couldn't see any denials for this script in the log.
Can someone please help me resolve this?
Actually, this turned out to be SELinux blocking it.
exec read system_u:system_r:collectd_t:s0 59 file execute system_u:object_r:shell_exec_t:s0 denied 147851
Initially I didn't see the errors due to my lack of knowledge of SELinux.
I'm facing the following error on a CentOS 7 server
I took a look at similar questions saying that this is because SELinux doesn't allow httpd to write in my /home folder. I've tried changing the owner of the folder, without success; tried changing the context (chcon) of my /home to httpd_sys_rw_content_t, with the same error; tried disabling SELinux, and the error persists; and in the file httpd.conf I changed the User and Group from apache to test, which didn't work either. My server is:
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.4.1708 (Core)
Release: 7.4.1708
Codename: Core
and
Linux localhost 3.10.0-693.17.1.el7.x86_64 #1 SMP Thu Jan 25 20:13:58 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
When I execute move_uploaded_file() from php -a as user test, it works normally. I see that the issue is with the user apache.
TLDR:
Do not run the setenforce 0 command; this will disable SELinux! You should not disable SELinux, for security reasons.
The solution:
You should update policy to make SELinux allow read and write on specific directories:
To allow apache to read and write:
chcon -R -t httpd_sys_rw_content_t /path/your_writable_dir
For read only directories:
chcon -R -t httpd_sys_content_t /path/yourdir
For example, you can make your public (document root) directory read only and only allow write on the directories that you allow your app to write to:
# Make all read only
chcon -R -t httpd_sys_content_t /var/www/myapp
# Only allow write on uploads dir for example
chcon -R -t httpd_sys_rw_content_t /var/www/myapp/public/uploads
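Added example (not part of the original answer): `chcon` changes only the label stored on the files, so a later `restorecon` or full relabel resets it to what the policy's file-context rules say. The script below prints the `semanage fcontext` rules and the `restorecon` call that make the same read-only/writable split persistent; the function names `fc_escape` and `label_plan` are hypothetical, and the paths are the ones used in the answer above.

```shell
#!/usr/bin/env bash
# Added example: generate persistent SELinux labelling commands for a web app
# tree (read-only document root, writable sub-directories).

# File-context rules are regular expressions: escape dots so that a path such
# as /var/www/my.app is matched literally.
fc_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# usage: label_plan DOCROOT [WRITABLE_DIR...]
# Prints the commands to run as root; nothing is changed by this function.
label_plan() {
  local root=${1%/} dir
  shift
  case $root in
    /?*) ;;
    *) echo "document root must be an absolute path: '$root'" >&2; return 1 ;;
  esac
  # Broad read-only rule first, narrower writable rules after it.
  printf 'semanage fcontext -a -t httpd_sys_content_t "%s(/.*)?"\n' \
    "$(fc_escape "$root")"
  for dir in "$@"; do
    dir=${dir%/}
    # Refuse to hand out write access outside the application tree.
    case $dir in
      "$root"/?*) ;;
      *) echo "writable dir is not under $root: '$dir'" >&2; return 1 ;;
    esac
    printf 'semanage fcontext -a -t httpd_sys_rw_content_t "%s(/.*)?"\n' \
      "$(fc_escape "$dir")"
  done
  # Apply the recorded rules to the files that already exist.
  printf 'restorecon -Rv "%s"\n' "$root"
}

# Demo with the paths from the answer above.
label_plan /var/www/myapp /var/www/myapp/public/uploads
```

Review the printed commands before running them as root; `ls -Zd` on the directories shows the resulting labels.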
Yesterday I installed a fresh CentOS 7 VM with Apache, MySQL and PHP 7.0.17.
After that, I installed composer and all other required php-packages.
Then I followed this guide to install Firefly-iii : https://firefly-iii.github.io/using-installing.html.
So far so good. The database is migrated and seeded from the php artisan migrate command.
Now the problem: when I try to access the application from the browser, a 500 error appears. No log rules, nothing.
Alright, this might be a permissions problem. I have changed the owner to apache:apache, no result. Set the storage and bootstrap/cache folder to 777, no result.
Alright... What now? Ah, maybe the user or user group is incorrect. I've copied my public/index.php and built in a try/catch statement (still no log).
When I open the application in the browser finally some result is returned.
This try/catch:
try {
    $response = $kernel->handle(
        $request = Illuminate\Http\Request::capture()
    );
} catch (Exception $e) {
    echo $e->getMessage();
    echo '<br/>';
    echo 'User: '.exec('whoami');
    echo '<br/>';
    echo 'Group: '.exec('groups');
    echo '<br/>';
}
returns the following result:
The stream or file "/var/www/html/application-folder/storage/logs/application-name-2017-04-06.log" could not be opened: failed to open stream: Permission denied
User: apache
Group: apache
After this message I've created the /var/www/html/application-folder/storage/logs/application-name-2017-04-06.log file and changed the permissions to 777.
Here is a little piece of my bash history :
[user#16 logs]$ sudo chmod 777 firefly-iii-2017-04-06.log
[sudo] password for user:
[user#16 logs]$ ls -l
-rwxrwxrwx+ 1 apache apache 5 Apr 6 14:18 firefly-iii-2017-04-06.log
[user#16 logs]$ chmod 777 firefly-iii-2017-04-06.log
chmod: changing permissions of ‘firefly-iii-2017-04-06.log’: Operation not permitted
This error message is still being returned, and at this moment I have no idea what else I can try to fix this problem.
Does anyone know a solution, or has anybody else experienced this strange behavior?
Please help me, I am completely stuck at this moment and don't know what to do now and how I can solve this problem.
After a little bit of searching yesterday I found this answer: https://stackoverflow.com/a/37258323/1805919
I've tried it on my own server, and at this moment the application is accessible through the browser.
Prove this is the problem by turning off selinux with the command
setenforce 0
This should allow writing, but you've turned off added security server-wide. That's bad. Turn SELinux back on
setenforce 1
Then finally use SELinux to allow writing of the file by using this command
chcon -R -t httpd_sys_rw_content_t storage
And you're off!
First of all, your server has to be in the owner group of the application path.
Second, you have to set permissions on the storage folder. Here is an example of how to set permissions on *nix systems:
sudo chmod -R ug+rwx storage bootstrap/cache
Have you tried setting a new application key? Have you also run your migrations and created the database for the application?
It has been asked a lot of times here, and none of the answers have worked so far for me.
I'm getting the following error in the Apache error_log
could not begin a transaction [500, #13]
Can't open file '/var/www/svn/repo/db/txn-current-lock': Permission denied [500, #13]
when trying to do
svn import -m "Initial" /mnt/logs/ http://localhost/svn/repo/
Info on that file:
ls -l /var/www/repo/db/txn-current-lock
-rwxrwxrwx. 1 apache apache 0 abr 20 12:37 /var/www/svn/repo/db/txn-current-lock
I'm running on CentOS 7.2 and I can access http://localhost/svn/repo tho there's only this there:
repo - Revision 0: /
After fighting with permissions, I decided to just look again at the "howto" and solved the issue. I basically forgot to type:
chcon -R -t httpd_sys_content_t /var/www/svn/repo
chcon -R -t httpd_sys_rw_content_t /var/www/svn/repo
Hope it helps someone else.
I need help.
I've downloaded Apache Flume and installed outside Hadoop, just wanna try netcat logging through console.
I used 1.6.0 version.
Here's my conf https://gist.github.com/ans-4175/297e2b4fc0a67d826b4b
Here's how I started it
bin/flume-ng agent -c conf -f conf/netcat.conf Dflume.root.logger=DEBUG,console -n Agent1
But it's stuck after printing only this output
Info: Sourcing environment configuration script /root/apache-flume/conf/flume-env.sh
Info: Including Hive libraries found via () for Hive access
+ exec /usr/lib/jvm/java-1.7.0-openjdk-amd64/bin/java -Xms100m -Xmx2000m -cp '/root/apache-flume/conf:/root/apache-flume/lib/*:/root/apache-flume/lib/*:/lib/*' -Djava.library.path= org.apache.flume.node.Application -f conf/netcat.conf Dflume.root.logger=DEBUG,console -n Agent1
Any suggestions for simple start and install?
Thanks
Dumb me, it should be
bin/flume-ng agent -c conf -f conf/netcat.conf -Dflume.root.logger=DEBUG,console -n Agent1
When rsync is used with jenkins as Execute shell Command on CentOS 6.4, it fails:
[workspace] $ /bin/sh -xe /tmp/hudson3424899639384884888.sh
+ rsync -av /var/lib/jenkins/jobs/myjob/workspace/target/classes/ myuser@myserver.com:/home/myuser/test
rsync: Failed to exec ssh: Permission denied (13)
rsync error: error in IPC code (code 14) at pipe.c(84) [sender=3.0.6]
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in IPC code (code 14) at io.c(600) [sender=3.0.6]
However, it works from the command line:
su jenkins
rsync -av /var/lib/jenkins/jobs/myjob/workspace/target/classes/ myuser@myserver.com:/home/myuser/test
sending incremental file list
sent 17875 bytes received 83 bytes 3990.67 bytes/sec
total size is 1981027 speedup is 110.31
What has to be done to make it work in jenkins as well?
The problem was with SELinux installed on CentOS, which for some reason was blocking ssh for rsync.
Here is a line from /var/log/messages which says the ssh was blocked:
Jun 12 13:45:59 myserver kernel: type=1400 audit(1434109559.911:33346): avc: denied { execute } for pid=11862 comm="rsync" name="ssh" dev=dm-1 ino=11931741 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
For now we disabled SELinux on our server; the proper solution would be to create a custom policy module (1)
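Added example (not part of the original answer): a shell function that condenses AVC denial records, such as the one quoted above and the collectd denial in the first thread, into one line per distinct source domain, target type, class and permission set. The sample records are constructed for illustration; the rsync lines are modelled on the one quoted above, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: condense SELinux AVC denials into one line per distinct denial.

# Constructed sample records (kernel-log style and audit.log style), plus one
# unrelated line that must be ignored.
sample_log() {
  cat <<'EOF'
Jun 12 13:45:59 myserver kernel: type=1400 audit(1434109559.911:33346): avc:  denied  { execute } for  pid=11862 comm="rsync" name="ssh" dev=dm-1 ino=11931741 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
Jun 12 13:50:02 myserver kernel: type=1400 audit(1434109802.120:33351): avc:  denied  { execute } for  pid=11903 comm="rsync" name="ssh" dev=dm-1 ino=11931741 scontext=unconfined_u:system_r:rsync_t:s0 tcontext=system_u:object_r:ssh_exec_t:s0 tclass=file
type=AVC msg=audit(1514392108.310:901): avc:  denied  { execute } for  pid=4585 comm="collectd" name="bash" dev="xvda1" ino=59 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
type=AVC msg=audit(1514392200.004:915): avc:  denied  { write add_name } for  pid=2101 comm="httpd" name="logs" dev="dm-0" ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=dir
Jun 12 13:51:00 myserver sshd[812]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2
EOF
}

# Reads log lines on stdin; prints "count=N source=... target=... class=... perms=... comm=...".
avc_summary() {
  awk '
    /avc:/ && /denied/ {
      s = index($0, "{"); e = index($0, "}")
      if (!s || e < s) next                       # malformed record: skip it
      perms = substr($0, s + 1, e - s - 1)        # text between the braces
      gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
      src = tgt = cls = comm = "?"
      for (i = 1; i <= NF; i++) {
        p = index($i, "="); if (!p) continue
        k = substr($i, 1, p - 1); v = substr($i, p + 1)
        if (k == "scontext")      { split(v, c, ":"); src = c[3] }  # user:role:TYPE:level
        else if (k == "tcontext") { split(v, c, ":"); tgt = c[3] }
        else if (k == "tclass")   cls = v
        else if (k == "comm")     { gsub(/"/, "", v); comm = v }
      }
      n[src " " tgt " " cls " " perms " " comm]++
    }
    END {
      for (k in n) {
        split(k, f, " ")
        printf "count=%d source=%s target=%s class=%s perms=%s comm=%s\n", n[k], f[1], f[2], f[3], f[4], f[5]
      }
    }' | sort
}

sample_log | avc_summary
```

On a live host, feed it `ausearch -m AVC -ts recent` or `grep 'avc:' /var/log/messages` instead of the sample.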
I had a similar problem.
In my case jenkins was not executing rsync with the expected user (jenkins) but with another (jboss in my case).
Adding 'whoami' to the script and using ssh verbose:
rsync -e "ssh -v" .......
helped to find the problem.
Note that when you change (add) the jenkins user to some group, the permission will apply after the slave (agent) restart.