SELinux blocks headless Google Chrome

Problem description

Good evening everyone,

Last month I set up a new Oracle Linux server and installed the latest Chrome version on it.

The project is currently a small website that needs to generate PDF reports. First, I create an HTML file containing all the content (it's just a header image, a table and a footer - nothing special). Then PHP issues this command to generate the PDF file, which the user then downloads.

// Run headless Chrome under a virtual X display and print the HTML file to PDF
$output = shell_exec('/usr/bin/xvfb-run /usr/bin/google-chrome --no-sandbox --headless --disable-gpu --no-margins --print-to-pdf-no-header --print-to-pdf=/location/to/pdffile.pdf /location/to/htmlfile.html');

This works when I run it on the command line (copy and paste the command). But when the PHP script performs the action, the following errors are shown in the browser:

[0110/224510.775219:ERROR:file_path_watcher_linux.cc(71)] Failed to read /proc/sys/fs/inotify/max_user_watches
[0110/224510.779754:ERROR:udev_watcher.cc(51)] Failed to initialize a udev monitor.
#
# Fatal error in , line 0
# ignored
#
#
#
#FailureMessage Object: 0x7fff1b3fa650
#0 0x55d633e63289
[0110/224510.816882:WARNING:crash_handler_host_linux.cc(341)] Could not translate tid, attempt = 1 retry ...
[0110/224510.830491:ERROR:file_path_watcher_linux.cc(71)] Failed to read /proc/sys/fs/inotify/max_user_watches
[0110/224510.918277:WARNING:crash_handler_host_linux.cc(341)] Could not translate tid, attempt = 2 retry ...
[0110/224511.018809:WARNING:crash_handler_host_linux.cc(341)] Could not translate tid, attempt = 3 retry ...
[0110/224511.119405:WARNING:crash_handler_host_linux.cc(365)] Could not translate tid - assuming crashing thread is thread group leader; syscall_supported=1
[0110/224511.121596:ERROR:crash_handler_host_linux.cc(444)] Failed to write crash dump for pid 106039
Cannot upload crash dump: Failed to open
--2021-01-10 22:45:11--  https://clients2.google.com/cr/report
Resolving clients2.google.com (clients2.google.com)... 172.217.17.142
[0110/224511.507094:ERROR:headless_shell.cc(391)] Abnormal renderer termination.
Connecting to clients2.google.com (clients2.google.com)|172.217.17.142|:443... Failed: Permission denied.
Giving up.
Unexpected crash report id length
Failed to get crash dump id.
Report Id:

I tried to find any useful information about these errors on the internet and failed. So I looked further, in /var/log/messages.

It seems Chrome needs various permissions to print HTML to PDF. SELinux is preventing Chrome from doing certain things. Now I'm wondering... what is the solution? Can I simply execute the commands SELinux suggests in the errors below, or is it better to do something else? If so, what? After spending a whole weekend on the internet I haven't found any real information about this.

[root@testserver1 bin]#  > /var/log/messages
[root@testserver1 bin]#  cat /var/log/messages
Jan 10 22:45:10 testserver1 dbus-daemon[1112]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.150' (uid=0 pid=26234 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using servicehelper)
Jan 10 22:45:11 testserver1 kernel: traps: chrome[106039] trap invalid opcode ip:55d636e755d2 sp:7fff1b3fa640 error:0 in chrome[55d6312bf000+7b80000]
Jan 10 22:45:11 testserver1 systemd[1]: Started Process Core Dump (PID 106054/UID 0).
Jan 10 22:45:11 testserver1 dbus-daemon[1112]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jan 10 22:45:11 testserver1 systemd-coredump[106057]: Process 106039 (chrome) of user 48 dumped core.#012#012Stack trace of thread 106039:#012#0  0x000055d636e755d2 n/a (chrome)#012#1  0x000055d636e7270e n/a (chrome)#012#2  0x000055d6331e2ce1 n/a (chrome)#012#3  0x000055d6331efcef n/a (chrome)#012#4  0x000055d63311e086 n/a (chrome)#012#5  0x000055d63311ec19 n/a (chrome)#012#6  0x000055d6334eb437 n/a (chrome)#012#7  0x000055d63301a159 n/a (chrome)#012#8  0x000055d636e7785a n/a (chrome)#012#9  0x000055d636d6df47 n/a (chrome)#012#10 0x000055d636d6e6d3 n/a (chrome)#012#11 0x000055d636e9f4d6 n/a (chrome)#012#12 0x000055d6385bf1c2 n/a (chrome)#012#13 0x000055d6385af82e n/a (chrome)#012#14 0x000055d6385b1d0f n/a (chrome)#012#15 0x000055d638d3add0 n/a (chrome)#012#16 0x000055d633d7d3e2 n/a (chrome)#012#17 0x000055d633d7b659 n/a (chrome)#012#18 0x000055d633dcae1c n/a (chrome)#012#19 0x000055d633dcac51 n/a (chrome)#012#20 0x000055d633dc94d5 n/a (chrome)#012#21 0x000055d63160676d ChromeMain (chrome)#012#22 0x00007ff0a7daf7a3 __libc_start_main (libc.so.6)#012#23 0x000055d6312bfa6a _start (chrome)#012#012Stack trace of thread 106042:#012#0  0x00007ff0a7e89257 epoll_wait (libc.so.6)#012#1  0x000055d633f9efeb n/a (chrome)#012#2  0x000055d633f9c9cb n/a (chrome)#012#3  0x000055d633e83a4b n/a (chrome)#012#4  0x000055d633e3572a n/a (chrome)#012#5  0x000055d633e0b811 n/a (chrome)#012#6  0x000055d633e4792d n/a (chrome)#012#7  0x000055d633e4e809 n/a (chrome)#012#8  0x000055d633e73b94 n/a (chrome)#012#9  0x00007ff0ada4a16a start_thread (libpthread.so.0)#012#10 0x00007ff0a7e88f23 __clone (libc.so.6)#012#012Stack trace of thread 106043:#012#0  0x00007ff0ada50708 pthread_cond_timedwait@@GLIBC_2.3.2 (libpthread.so.0)#012#1  0x000055d633e6fbd1 n/a (chrome)#012#2  0x000055d633e70243 n/a (chrome)#012#3  0x000055d633e489bf n/a (chrome)#012#4  0x000055d633e485ad n/a (chrome)#012#5  0x000055d633e73b94 n/a (chrome)#012#6  0x00007ff0ada4a16a start_thread (libpthread.so.0)#012#7  0x00007ff0a7e88f23 
__clone (libc.so.6)#012#012Stack trace of thread 106044:#012#0  0x00007ff0a7e89257 epoll_wait (libc.so.6)#012#1  0x000055d633f9efeb n/a (chrome)#012#2  0x000055d633f9c9cb n/a (chrome)#012#3  0x000055d633e83a4b n/a (chrome)#012#4  0x000055d633e3572a n/a (chrome)#012#5  0x000055d633e0b811 n/a (chrome)#012#6  0x000055d633e4e809 n/a (chrome)#012#7  0x000055d633e73b94 n/a (chrome)#012#8  0x00007ff0ada4a16a start_thread (libpthread.so.0)#012#9  0x00007ff0a7e88f23 __clone (libc.so.6)#012#012Stack trace of thread 106045:#012#0  0x00007ff0ada5031c pthread_cond_wait@@GLIBC_2.3.2 (libpthread.so.0)#012#1  0x000055d633e6fa3d n/a (chrome)#012#2  0x000055d633e70396 n/a (chrome)#012#3  0x000055d633e7000e n/a (chrome)#012#4  0x000055d633de6487 n/a (chrome)#012#5  0x000055d633e3572a n/a (chrome)#012#6  0x000055d633e0b811 n/a (chrome)#012#7  0x000055d633e4e809 n/a (chrome)#012#8  0x000055d633e73b94 n/a (chrome)#012#9  0x00007ff0ada4a16a start_thread (libpthread.so.0)#012#10 0x00007ff0a7e88f23 __clone (libc.so.6)#012#012Stack trace of thread 106051:#012#0  0x00007ff0ada50708 pthread_cond_timedwait@@GLIBC_2.3.2 (libpthread.so.0)#012#1  0x000055d633e6fbd1 n/a (chrome)#012#2  0x000055d633e70243 n/a (chrome)#012#3  0x000055d633e4875c n/a (chrome)#012#4  0x000055d633e485ad n/a (chrome)#012#5  0x000055d633e73b94 n/a (chrome)#012#6  0x00007ff0ada4a16a start_thread (libpthread.so.0)#012#7  0x00007ff0a7e88f23 __clone (libc.so.6)
Jan 10 22:45:11 testserver1 systemd[1]: systemd-coredump@31-106054-0.service: Succeeded.
Jan 10 22:45:11 testserver1 dbus-daemon[1112]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.3219' (uid=995 pid=106033 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023") (using servicehelper)
Jan 10 22:45:12 testserver1 dbus-daemon[1112]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'

Jan 10 22:45:13 testserver1 setroubleshoot[106033]: SELinux is preventing /usr/bin/bash from write access on the directory /dev/fd/63. For complete SELinux messages run: sealert -l 472c7d4e-7e04-47a1-9dae-17cd3c696468
Jan 10 22:45:13 testserver1 setroubleshoot[106033]: SELinux is preventing /usr/bin/bash from write access on the directory /dev/fd/63.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that bash should be allowed write access on the 63 directory by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for Now by executing:#012# ausearch -c 'google-chrome' --raw | audit2allow -M my-googlechrome#012# semodule -X 300 -i my-googlechrome.pp#012
Jan 10 22:45:13 testserver1 setroubleshoot[106033]: Failed to retrieve rpm info for /proc/sys/fs/inotify/max_user_watches
Jan 10 22:45:14 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from read access on the file /proc/sys/fs/inotify/max_user_watches. For complete SELinux messages run: sealert -l 1c33cba5-b4df-430d-9bdb-dec10b11639f
Jan 10 22:45:14 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from read access on the file /proc/sys/fs/inotify/max_user_watches.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed read access on the max_user_watches file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for Now by executing:#012# ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg#012# semodule -X 300 -i my-ThreadPoolForeg.pp#012
Jan 10 22:45:15 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the execmem access on a process. For complete SELinux messages run: sealert -l 2c8783bf-dec7-454d-997e-6a2c1dfbb240
Jan 10 22:45:15 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the execmem access on a process.#012#012*****  Plugin allow_execmem (53.1 confidence) suggests   *********************#012#012If you kNow why chrome needs to map a memory region that is both executable and writable and understand that this is a potential security problem.#012Then you can allow the mapping by switching one of the following booleans: httpd_execmem#012Do#012follow the advice of the catchall_boolean plugin,otherwise contact your security administrator and report this issue#012#012*****  Plugin catchall_boolean (42.6 confidence) suggests   ******************#012#012If you want to allow httpd to execmem#012Then you must tell SELinux about this by enabling the 'httpd_execmem' boolean.#012#012Do#012setsebool -P httpd_execmem 1#012#012*****  Plugin catchall (5.76 confidence) suggests   **************************#012#012If you believe that chrome should be allowed execmem access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for Now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
Jan 10 22:45:16 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process. For complete SELinux messages run: sealert -l 87b4832d-2497-4a8f-a5b6-7c0124a90cf8
Jan 10 22:45:16 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed ptrace access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for Now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
Jan 10 22:45:16 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process. For complete SELinux messages run: sealert -l 87b4832d-2497-4a8f-a5b6-7c0124a90cf8
Jan 10 22:45:16 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed ptrace access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for Now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
Jan 10 22:45:17 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process. For complete SELinux messages run: sealert -l 87b4832d-2497-4a8f-a5b6-7c0124a90cf8
Jan 10 22:45:17 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed ptrace access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for Now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
Jan 10 22:45:18 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process. For complete SELinux messages run: sealert -l 87b4832d-2497-4a8f-a5b6-7c0124a90cf8
Jan 10 22:45:18 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed ptrace access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for Now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
Jan 10 22:45:19 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process. For complete SELinux messages run: sealert -l 87b4832d-2497-4a8f-a5b6-7c0124a90cf8
Jan 10 22:45:19 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed ptrace access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for Now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
Jan 10 22:45:19 testserver1 setroubleshoot[106033]: Failed to retrieve rpm info for /proc/sys/fs/inotify/max_user_watches
Jan 10 22:45:20 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from read access on the file /proc/sys/fs/inotify/max_user_watches. For complete SELinux messages run: sealert -l 1c33cba5-b4df-430d-9bdb-dec10b11639f
Jan 10 22:45:20 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from read access on the file /proc/sys/fs/inotify/max_user_watches.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed read access on the max_user_watches file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for Now by executing:#012# ausearch -c 'ThreadPoolForeg' --raw | audit2allow -M my-ThreadPoolForeg#012# semodule -X 300 -i my-ThreadPoolForeg.pp#012
Jan 10 22:45:21 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process. For complete SELinux messages run: sealert -l 87b4832d-2497-4a8f-a5b6-7c0124a90cf8
Jan 10 22:45:21 testserver1 setroubleshoot[106033]: SELinux is preventing /opt/google/chrome/chrome from using the ptrace access on a process.#012#012*****  Plugin catchall (100. confidence) suggests   **************************#012#012If you believe that chrome should be allowed ptrace access on processes labeled httpd_t by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for Now by executing:#012# ausearch -c 'chrome' --raw | audit2allow -M my-chrome#012# semodule -X 300 -i my-chrome.pp#012
[root@testserver1 bin]#

Any help is appreciated.

Solution

I feel like an idiot... I should have widened my search: not just look for my specific error, but for the generic error and its solutions. So I wasted a whole weekend.

I guess this solution applies to anyone; I found it at this URL: https://www.serverlab.ca/tutorials/linux/administration-linux/troubleshooting-selinux-centos-red-hat/

It explains how to troubleshoot and fix these errors. Install the setroubleshoot package with Yum:

sudo yum install setroubleshoot setools

Because I wanted to start with a fresh log file, I rotated audit.log:

sudo service auditd rotate

Then... do whatever you do to produce the error.

After that, run the troubleshooting package you just installed:

sudo sealert -a /var/log/audit/audit.log

It produces a report with all the errors found and the ways to fix them. The report sorts the errors and fixes by confidence. My approach was to fix the errors reported with 100% confidence.

Then rotate the log again, retry what I wanted to do and see if it works; if not, generate a new report. And so on.
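The question's log shows chrome, spawned from PHP and therefore running in the httpd_t domain, being denied execmem, ptrace and read on /proc/sys/fs/inotify/max_user_watches; the answer then applies every sealert suggestion reported at 100% confidence. That confidence figure rates the plugin's diagnosis, not the risk of the grant: the catchall suggestions above would let httpd_t ptrace other processes and map writable-executable memory. The script below is an added example, not code from the post or from the setroubleshoot project; it groups raw AVC records of the kind `ausearch --raw` or /var/log/audit/audit.log contain by denied permission, so the practitioner can see what each proposed audit2allow module or boolean would actually allow before writing it into policy. The audit records in SAMPLE_AVC are constructed, modelled on the denials in the post (pids, serials, timestamps and inode numbers are invented), and the RISKY_PERMS list is an assumption of this example rather than a setroubleshoot category.

```shell
#!/bin/sh
# Added example (not from the post): group raw AVC denials so the permissions
# a local policy module would grant can be reviewed before it is built.

# Constructed sample modelled on the post's denials: execmem and ptrace by
# chrome, read of max_user_watches by a chrome thread, all from httpd_t.
# Timestamps, serials, pids and inode numbers are invented.
SAMPLE_AVC='type=AVC msg=audit(1610318711.121:4401): avc:  denied  { execmem } for  pid=106039 comm="chrome" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1610318711.121:4401): arch=c000003e syscall=10 success=no exit=-13 comm="chrome" exe="/opt/google/chrome/chrome" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1610318711.122:4402): avc:  denied  { read } for  pid=106040 comm="ThreadPoolForeg" name="max_user_watches" dev="proc" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1610318711.130:4403): avc:  denied  { ptrace } for  pid=106039 comm="chrome" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1610318711.131:4404): avc:  denied  { ptrace } for  pid=106039 comm="chrome" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0'

# Permissions whose grant deserves a second look before it goes into policy.
# This list is an assumption of this example: execmem (which sealert's
# allow_execmem plugin in the post calls a potential security problem), the
# related exec* memory permissions, ptrace and the broad sys_* capabilities.
RISKY_PERMS="execmem execstack execheap execmod ptrace sys_ptrace sys_admin"

# summarize_avc: read audit records on stdin and print one line per distinct
# (comm, source domain, target type, class, permissions) with a count.
# Non-AVC records (SYSCALL, PATH, ...) are skipped.
summarize_avc() {
    awk '
    /^type=AVC / && / denied / {
        perm = comm = sctx = tctx = cls = ""
        # the permission set sits between braces: { read } or { read open }
        if (match($0, /[{] [^}]* [}]/)) perm = substr($0, RSTART + 2, RLENGTH - 4)
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "comm")          { comm = kv[2]; gsub(/"/, "", comm) }
            else if (kv[1] == "scontext") sctx = kv[2]
            else if (kv[1] == "tcontext") tctx = kv[2]
            else if (kv[1] == "tclass")   cls = kv[2]
        }
        # user:role:type:level -> keep only the type of each context
        split(sctx, s, ":"); split(tctx, t, ":")
        count[comm " " s[3] " " t[3] " " cls " " perm]++
    }
    END { for (k in count) print count[k], k }' | LC_ALL=C sort -k2
}

# flag_risky: run summarize_avc and prefix each line with REVIEW when any
# denied permission is in RISKY_PERMS, otherwise with ok.
flag_risky() {
    summarize_avc | awk -v risky="$RISKY_PERMS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) is_risky[r[i]] = 1 }
    { tag = "ok"; for (i = 6; i <= NF; i++) if ($i in is_risky) tag = "REVIEW"; print tag, $0 }'
}

# Stand-alone run over the constructed sample. On a real host, feed
# `ausearch -m AVC --raw` or /var/log/audit/audit.log into flag_risky instead.
printf '%s\n' "$SAMPLE_AVC" | flag_risky
```

Run against the sample, the summary shows that all three denials come from the same httpd_t domain (which is why the sealert plugins talk about "processes labeled httpd_t"): the max_user_watches read is a narrow file read, while the execmem and ptrace lines are marked REVIEW because granting them applies to everything httpd_t runs, not just the PDF job. A module generated from this whole batch with audit2allow would carry all three grants together.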
