Reputation: 21
I am trying to build a very simple administration tool for some website in a development environment with SELinux.
I need to run chcon with shell_exec or something that will have the same effect. The output states the security context has changed, but "ls -lZ" shows that the security context has not changed.
// $_POST['site'] is untrusted input; escapeshellarg() quotes it as a single
// shell argument so it cannot inject extra commands or options.
$site = escapeshellarg($_POST['site']);
$temp = "chcon -v -R -t httpd_sys_content_t " . $site;
echo $temp;
$test = shell_exec($temp);
echo $test;
I have added the apache user to the sudoers list for chcon:
apache ALL=(ALL) NOPASSWD: /usr/bin/chcon
and changed the code to this:
// Same command, now prefixed with sudo; the argument is still escaped.
// Note: -u apache runs chcon as the apache user, not as root.
$site = escapeshellarg($_POST['site']);
$temp = "sudo -u apache chcon -v -R -t httpd_sys_content_t " . $site;
echo $temp;
$test = shell_exec($temp);
echo $test;
Now I receive no output.
I have also created a bash script with the following as a workaround. The bash script worked from the console, but when run from PHP it doesn't do anything.
Bash script:
#!/bin/bash
# Quote "$1" so a path containing spaces is passed as one argument.
sudo -u apache chcon -v -R -t httpd_sys_content_rw_t "$1"
Altered code:
// Escape the POSTed path before handing it to the wrapper script.
$site = escapeshellarg($_POST['site']);
$temp = '/path/to/script/test.sh ' . $site;
echo $temp . "<br />";
$test = shell_exec($temp);
echo $test;
Upvotes: 0
Views: 2508
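A hardened version of the wrapper script in the question, added here as an example and not part of the original post. The point is defensive: the PHP above passes $_POST['site'] into a shell command, and a NOPASSWD sudoers rule for chcon -R lets the web server relabel any path, so the sudoers entry should name a wrapper that only accepts directories under one site root. It assumes a site root of /var/www/sites (overridable through SITES_ROOT) and the file name relabel_site.sh; both are assumptions.

```shell
#!/bin/sh
# relabel_site.sh (assumed name): accepts exactly one site directory and relabels
# it only if it resolves to a subdirectory of SITES_ROOT (assumed default).
SITES_ROOT=${SITES_ROOT:-/var/www/sites}

# Returns 0 if "$1" names an existing directory strictly inside SITES_ROOT.
validate_site_dir() {
    dir=$1
    [ -n "$dir" ] || return 1
    # Reject anything outside a conservative path character set
    # (no whitespace, quotes, $, ;, |, etc.).
    case "$dir" in
        *[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    # Resolve symlinks and ".." with cd -P before comparing against the root.
    resolved=$(cd -P -- "$dir" 2>/dev/null && pwd -P) || return 1
    case "$resolved" in
        "$SITES_ROOT"/?*) return 0 ;;   # must be *below* the root, not the root itself
        *) return 1 ;;
    esac
}

# Relabel the validated directory; refuse everything else.
relabel_site() {
    validate_site_dir "$1" || { echo "refused: $1" >&2; return 1; }
    target=$(cd -P -- "$1" && pwd -P)
    chcon -v -R -t httpd_sys_content_t -- "$target"
}

# Run only when executed directly as the wrapper, not when sourced.
if [ "${0##*/}" = "relabel_site.sh" ]; then
    relabel_site "$1"
fi
```

With this in place the sudoers line would grant the web server only the wrapper (for example `apache ALL=(root) NOPASSWD: /usr/local/sbin/relabel_site.sh`), not chcon itself.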
Reputation: 21
After digging around and doing some testing I have found my answers.
Here is some PHP that will help generate errors so you can chase down fixes:
// 2>&1 merges stderr into stdout so shell_exec() returns sudo's error messages too.
$temp = 'sudo mkdir test 2>&1';
echo $temp . "<br />";
$test = shell_exec($temp);
echo $test;
requiretty in sudoers needs to be commented out:
#Defaults requiretty
and an audit2allow policy needs to be put in place.
If audit2allow is not currently installed:
yum install policycoreutils-python
The following will create the policy that needs to be in place to execute the commands that are allowed in the sudoers list without a password:
setenforce 0
echo "" > /var/log/audit/audit.log
/etc/init.d/auditd restart
<execute your php code that requires sudo>
setenforce 1
cat /var/log/audit/audit.log | audit2allow -M httpd_sudo
semodule -i httpd_sudo.pp
Upvotes: 2