\u73af\u5883\uff1acentos7 selinux\u5f00\u542f\uff0cphp\u6587\u4ef6\/test\/test.php\uff0cshell\u6587\u4ef6\/test\/test.sh\u7684\u6743\u9650\u662froot\uff0cphp\u548cnginx\u7684\u7528\u6237\u4e0d\u662froot\uff0c\u662ftest\uff0c\/test\/test.php\u6587\u4ef6\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n
<?php
\nsystem(\"sudo \/test\/test.sh\",$status);
\nif($status == 'true') { echo \"\u6210\u529f\uff01\"; }
\nelse { echo \"\u5931\u8d25\uff01\"; }
\n?><\/p><\/blockquote>\n\u95ee\u9898\uff1a\u8bbf\u95eehttp:\/\/localhost\/test\/test.php\uff0c\u53d1\u73b0php\u65e0\u6cd5\u6267\u884ctest.sh<\/p>\n
\u5206\u6790\uff1a<\/p>\n
1\u3001test\u7528\u6237\u6267\u884croot\u6743\u9650\uff0c\u9700\u8981\u505asudo\u6388\u6743\uff0c\u505a\u5982\u4e0b\u64cd\u4f5c\uff0cvi \/etc\/sudoers \u6dfb\u52a0<\/p>\n
test ALL=(root) NOPASSWD: \/test\/test.sh<\/p><\/blockquote>\n
2\u3001\u7528test\u7528\u6237\u767b\u5f55\u5230centos\u7cfb\u7edf\u4e2d\uff0c\u6267\u884csudo \/test\/test.sh\uff0c\u5df2\u7ecf\u6b63\u5e38\uff0c\u4f46\u662fhttp:\/\/localhost\/test\/test.php\u5931\u8d25\uff0c\u5982\u679c\u5173\u6389selinux\uff0c\u5219php\u6267\u884c\u6210\u529f\uff0c\u8bf4\u660e\u662fselinux\u7684\u7f18\u6545\u3002<\/p>\n
\u6267\u884csetenforce 1\u6253\u5f00selinux\uff0c\u53c8\u505a\u5982\u4e0b\u8c03\u8bd5\uff1a
\na, \u628atest.php\u4e2d\u6267\u884c\u7684\u547d\u4ee4\u6539\u6210system(\"\/bin\/whoami\",$status);\u8fd9\u65f6php\u6267\u884c\u6210\u529f\u3002
\nb, \u628a1\u4e2dtest.php\u4e2d\u6267\u884c\u7684\u547d\u4ee4\u6539\u6210system(\"sudo -V\",$status);\u8fd9\u65f6php\u6267\u884c\u6210\u529f\u3002
\nc, \u628a1\u4e2dtest.php\u4e2d\u6267\u884c\u7684\u547d\u4ee4\u6539\u6210system(\"sudo \/bin\/whoami\",$status);\u5728\/etc\/sudoers \u4e2d\u6dfb\u52a0whoami\u7684sudo\u6743\u9650\uff0c\u8fd9\u65f6php\u6267\u884c\u5931\u8d25\u3002
\n\u8bf4\u660ephp\u548cshell\u811a\u672c\u90fd\u6ca1\u6709\u95ee\u9898\uff0cphp\u53ef\u4ee5\u6267\u884cshell\u811a\u672c\u3002\u95ee\u9898\u51fa\u5728php\u6267\u884c\u4e86sudo\uff0c\u4f46\u6ca1\u6709\u83b7\u53d6\u5230root\u6743\u9650\u3002<\/p>\n3\u3001google\u67e5\u627e\u76f8\u5173\u8d44\u6599\uff0c\u6267\u884cgetsebool -a | grep httpd_mod_auth_pam\uff0c\u53d1\u73b0\u4e3aoff\u72b6\u6001\uff0c\u6240\u4ee5\u4e0b\u8fb9\u64cd\u4f5c\u975e\u5e38\u91cd\u8981\uff0c\u6267\u884c\uff1a<\/p>\n
# setsebool -P httpd_mod_auth_pam=1<\/p><\/blockquote>\n
4\u3001\u7ecf\u6d4b\u8bd5\uff0c\u81f3\u6b64php\u5df2\u7ecf\u53ef\u4ee5\u6267\u884c\u90e8\u5206sudo\u547d\u4ee4\u5982sudo whoami\uff0c\u4f46php\u4f9d\u7136\u65e0\u6cd5\u6b63\u5e38\u6267\u884c\u8fd9\u91cc\u7684test.sh\uff0c\u7ee7\u7eedgoogle\uff0c\u505a\u5982\u4e0b\u64cd\u4f5c\uff1a<\/p>\n
# setenforce 0
\n# echo \"\" > \/var\/log\/audit\/audit.log
\n# service auditd restart
\n<\u8bbf\u95ee\u4f60\u7684php\u9875\u9762http:\/\/localhost\/test\/test.php>
\n# setenforce 1
\n# grep denied \/var\/log\/audit\/audit.log
\n# grep avc \/var\/log\/audit\/audit.log<\/p><\/blockquote>\n\u8fd9\u65f6\u5019\u53d1\u73b0\u65e5\u5fd7\u6709\u62a5\u9519\uff1a<\/p>\n
type=AVC msg=audit(1512616099.474:6279928): avc: denied { setrlimit } for pid=24197 comm=\"sudo<\/span>\" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
\ntype=AVC msg=audit(1512616099.516:6279929): avc: denied { execmem } for pid=24213 comm=\"java<\/span>\" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process<\/p><\/blockquote>\n\u8bf7\u6ce8\u610f\u7ea2\u8272\u90e8\u5206\uff0csudo\u548cjava\uff0c\u56e0\u4e3atest.sh\u6587\u4ef6\u91cc\u6211\u5199\u7684\u662fjava\u4ee3\u7801\uff0c\u6240\u4ee5\u6709java\u62a5\u9519\uff0c\u5982\u679c\u4f60\u65e5\u5fd7\u6709\u62a5\u5176\u4ed6\u7684\u9519\u8bef\uff0c\u6bd4\u5982php-fpm\u7b49\uff0c\u5c31\u6839\u636e\u62a5\u9519\u8fdb\u884c\u6a21\u5757\u5b89\u88c5\uff0c\u6240\u4ee5\uff0c\u4e0b\u4e00\u6b65\uff0c\u505a\u5982\u4e0b\u64cd\u4f5c\uff1a<\/p>\n
# cat \/var\/log\/audit\/audit.log | audit2allow -M sudo<\/p><\/blockquote>\n
\u63d0\u793a<\/p>\n
******************** IMPORTANT ***********************
\nTo make this policy package active, execute:<\/p>\nsemodule -i sudo.pp<\/p><\/blockquote>\n
\u6839\u636e\u63d0\u793a\u7ee7\u7eed\u6267\u884c\uff1a<\/p>\n
# semodule -i sudo.pp<\/p><\/blockquote>\n
\u53c8\u63d0\u793a\uff1a<\/p>\n
libsemanage.semanage_direct_install_info: Overriding sudo module at lower priority 100 with module at priority 400.<\/p><\/blockquote>\n
\u81f3\u6b64\uff0c\u95ee\u9898\u6709\u70b9\u660e\u4e86\u4e86\uff0csudo\u6a21\u5757\u7684\u6743\u9650\u4e0d\u591f\uff0c\u8fd9\u4e2a\u64cd\u4f5c\u7528\u66f4\u9ad8\u6743\u9650\u7684sudo\u6a21\u5757\u8986\u76d6\u4e86\u539f\u6765\u4f4e\u6743\u9650\u7684sudo\u6a21\u5757\uff01<\/span><\/p>\n
\u6700\u540e\u6267\u884c\uff1a
\n# cat \/var\/log\/audit\/audit.log | audit2allow -M java
\n# semodule -i java.pp<\/p><\/blockquote>\n\u6267\u884c# getenforce\u786e\u8ba4\u662fEnforcing\u72b6\u6001\uff0c\u518d\u53bb\u6d4b\u8bd5http:\/\/localhost\/test\/test.php\uff0c\u53d1\u73b0\u5df2\u7ecf\u6b63\u5e38\u4e86\uff0c\u5230\u8fd9\u91cc\u5c31\u5168\u90e8OK\u4e86\uff01<\/p>\n
PS\uff1a
\n1\u3001\u5982\u679c\u662f\u65e5\u5fd7\u4e2d\u63d0\u793aphp-fpm\u6743\u9650\u9519\u8bef\uff0c\u5c31\u6267\u884c# cat \/var\/log\/audit\/audit.log | audit2allow -M php-fpm\u548c# semodule -i php-fpm.pp
\n2\u3001\u6700\u521d\u662f\u7b80\u5355\u7684\u4fee\u6539\u4e86\u6587\u4ef6\u6743\u9650# chcon -R -t usr_t \/test\/\uff0c\u53d1\u73b0\u5176\u5b9e\u662f\u6ca1\u7528\u7684\u3002
\n3\u3001\u53c2\u8003\u8d44\u6599\u4e2d\u7528\u5230\u4e86semodule -i httpd_sudo\uff0c\u4f46\u662f\u6211\u53d1\u73b0\u8fd9\u4e2a\u5b89\u88c5\u548c\u5220\u9664\u6389\uff0c\u90fd\u6ca1\u4ec0\u4e48\u5f71\u54cd\uff0c\u53ef\u80fd\u662f\u7cfb\u7edf\u4e2d\u5177\u4f53\u7684\u914d\u7f6e\u6709\u533a\u522b\u5427\u3002
\n4\u3001\u89e3\u51b3\u6b64\u7c7b\u95ee\u9898\uff0c\u67e5\u627e\u8d44\u6599\u5fc5\u987b\u7528google\uff0c\u8bbf\u95ee\u4e0d\u4e86\u5916\u7f51\uff0c\u90a3\u5c31\u6ca1\u529e\u6cd5\u4e86\uff0cbaidu\u5c31\u7b97\u4e86\u5427\u3002<\/p>\n\u518d\u9644\u52a0\u8c03\u8bd5\u4e2d\u5e38\u7528\u7684\u51e0\u4e2a\u547d\u4ee4\uff1a
\n# semodule -e sudo\u00a0 \/\/enable\uff0c\u6ce8\u610f\u662fsudo\uff0c\u4e0d\u662fsudo.pp
\n# semodule -r sudo\u00a0 \/\/remove
\n# semodule -R\u00a0 \/\/Refresh
\n# setenforce 1\u00a0 \/\/\u6253\u5f00selinux
\n# setenforce 0\u00a0 \/\/\u5173\u95edselinux
\n# getenforce\u00a0 \/\/\u67e5\u770bselinux\u72b6\u6001
\n#\u00a0yum install policycoreutils \/\/\u5982\u679c\u6ca1\u6709selinux\u76f8\u5173\u547d\u4ee4\uff0c\u8981\u5b89\u88c5\u6240\u5c5e\u5305<\/p>\n