[CentOS] SELinux blocking cgi script from "writing to socket (httpd_t)"

Bennett Haselton

bennett at peacefire.org
Wed Jan 11 18:18:30 UTC 2012


Is this really supposed to get easier over time? :)  Now my audit.log 
file shows that SELinux is blocking my cgi script, index.cgi (which is 
what's actually served when the user visits the front page of one of our 
proxy sites like sugarsurfer.com) from having '"read write" to socket 
(httpd_t)'.  I have no idea what that means, except that I thought that 
cgi scripts were supposed to be able to write to stdout so that the web 
server could send the data via a socket connection to the end user's 
browser, so I don't know why a CGI script would be blocked from writing 
to a socket with security context httpd_t.

The only clue that might narrow it down is the line "Target 
Objects                socket [ udp_socket ]".  The sockets that the cgi 
scripts usually send output to are of course tcp sockets, so why would 
it say udp?  The only time one of my cgi scripts might use udp would be 
if it were doing a hostname lookup via dns, but the index.cgi script 
doesn't do that at any point.

What would the pros do at this point?

***

Summary:

SELinux is preventing index.cgi (httpd_sys_script_t) "read write" to socket
(httpd_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

SELinux denied access requested by index.cgi. It is not expected that this
access is required by index.cgi and this access may signal an intrusion 
attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:httpd_sys_script_t
Target Context                system_u:system_r:httpd_t
Target Objects                socket [ udp_socket ]
Source                        index.cgi
Source Path                   <Unknown>
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-316.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     g6950-21025.securedservers.com
Platform                      Linux g6950-21025.securedservers.com
                              2.6.18-274.12.1.el5 #1 SMP Tue Nov 29 13:37:46 EST
                              2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed Jan 11 09:34:13 2012
Last Seen                     Wed Jan 11 09:34:13 2012
Local ID                      2adcd43d-7b8b-4e17-bb93-ad11a35f378a
Line Numbers                  1

Raw Audit Messages

type=AVC msg=audit(1326303253.473:3626): avc:  denied  { read write } for  pid=6668 comm="index.cgi" path="socket:[415055]" dev=sockfs ino=415055 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=udp_socket
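Added example (not part of the post or of setroubleshoot): a small parser for the raw AVC record above that rebuilds the same one-line summary from the scontext/tcontext/tclass fields, flags the detail the post is puzzled by (a udp_socket labelled httpd_t is a socket created by the web server's domain, so the CGI child is touching a descriptor it inherited across fork/exec rather than one it opened), and prints the allow rule audit2allow would generate from the record. The sample line is the post's AVC message re-joined onto one line; whether to grant the rule is a separate decision.

```python
import re

# Constructed sample: the raw AVC line from the post, re-joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1326303253.473:3626): avc:  denied  { read write } '
    'for  pid=6668 comm="index.cgi" path="socket:[415055]" dev=sockfs '
    'ino=415055 scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=udp_socket'
)

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}'
                    r'\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value, value may be quoted


def parse_avc(line):
    """Turn one raw AVC record into a dict of its fields; None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    # The third field (the type) is what targeted policy decides on.
    for ctx in ('scontext', 'tcontext'):
        rec[ctx + '_type'] = rec[ctx].split(':')[2]
    return rec


def summarize(rec):
    """Rebuild setroubleshoot's summary line from the parsed fields."""
    obj = 'socket' if rec['tclass'].endswith('_socket') else rec['tclass']
    return 'SELinux is preventing %s (%s) "%s" to %s (%s).' % (
        rec['comm'], rec['scontext_type'], ' '.join(rec['perms']),
        obj, rec['tcontext_type'])


def socket_from_other_domain(rec):
    """Sockets carry the label of the process that created them, so a socket
    whose type differs from the source domain was not opened by the source
    process: for a CGI child it is a descriptor inherited from httpd."""
    return (rec['tclass'].endswith('_socket')
            and rec['tcontext_type'] != rec['scontext_type'])


def allow_rule(rec):
    """The TE rule audit2allow would emit for this record."""
    return 'allow %s %s:%s { %s };' % (rec['scontext_type'], rec['tcontext_type'],
                                      rec['tclass'], ' '.join(rec['perms']))


if __name__ == '__main__':
    r = parse_avc(SAMPLE_AVC)
    print(summarize(r))
    if socket_from_other_domain(r):
        print('socket was created by %s, not by %s' % (r['tcontext_type'], r['scontext_type']))
    print(allow_rule(r))
```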



