[CentOS] SELinux blocking cgi script from "writing to socket (httpd_t)"
Daniel J Walsh
dwalsh at redhat.com
Wed Jan 11 18:48:35 UTC 2012
On 01/11/2012 01:18 PM, Bennett Haselton wrote:
> Is this really supposed to get easier over time? :) Now my
> audit.log file shows that SELinux is blocking my cgi script,
> index.cgi (which is what's actually served when the user visits the
> front page of one of our proxy sites like sugarsurfer.com) from
> having '"read write" to socket (httpd_t)'. I have no idea what
> that means, except that I thought that cgi scripts were supposed to
> be able to write to stdout so that the web server could send the
> data via a socket connection to the end user's browser, so I don't
> know why a CGI script would be blocked from writing to a socket
> with security context httpd_t.
>
> The only clue that might narrow it down is the line "Target Objects
> socket [ udp_socket ]". The sockets that the cgi scripts usually
> send output to are of course tcp sockets, so why would it say udp?
> The only time one of my cgi scripts might use udp would be if it
> were doing a hostname lookup via dns, but the index.cgi script
> doesn't do that at any point.
>
> What would the pros do at this point?
>
> ***
>
> Summary:
>
> SELinux is preventing index.cgi (httpd_sys_script_t) "read write"
> to socket (httpd_t).
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been
> denied but was permitted due to permissive mode.]
>
> SELinux denied access requested by index.cgi. It is not expected
> that this access is required by index.cgi and this access may
> signal an intrusion attempt. It is also possible that the specific
> version or configuration of the application is causing it to
> require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see
> FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or
> you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
> package.
>
> Additional Information:
>
> Source Context: system_u:system_r:httpd_sys_script_t
> Target Context: system_u:system_r:httpd_t
> Target Objects: socket [ udp_socket ]
> Source: index.cgi
> Source Path: <Unknown>
> Port: <Unknown>
> Host: <Unknown>
> Source RPM Packages:
> Target RPM Packages:
> Policy RPM: selinux-policy-2.4.6-316.el5
> Selinux Enabled: True
> Policy Type: targeted
> MLS Enabled: True
> Enforcing Mode: Permissive
> Plugin Name: catchall
> Host Name: g6950-21025.securedservers.com
> Platform: Linux g6950-21025.securedservers.com 2.6.18-274.12.1.el5 #1 SMP Tue Nov 29 13:37:46 EST 2011 x86_64 x86_64
> Alert Count: 1
> First Seen: Wed Jan 11 09:34:13 2012
> Last Seen: Wed Jan 11 09:34:13 2012
> Local ID: 2adcd43d-7b8b-4e17-bb93-ad11a35f378a
> Line Numbers: 1
>
> Raw Audit Messages
>
> type=AVC msg=audit(1326303253.473:3626): avc: denied { read write
> } for pid=6668 comm="index.cgi" path="socket:[415055]" dev=sockfs
> ino=415055 scontext=system_u:system_r:httpd_sys_script_t:s0
> tcontext=system_u:system_r:httpd_t:s0 tclass=udp_socket
>
Looks like a leaked file descriptor; you can probably add a dontaudit
rule.
In Fedora we currently dontaudit this leak.
audit2allow -i /tmp/t
#============= httpd_sys_script_t ==============
#!!!! This avc has a dontaudit rule in the current policy
allow httpd_sys_script_t httpd_t:udp_socket { read write };
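As an added illustration of the triage Dan describes (this is not code from the thread, from audit2allow or from the SELinux project): a small parser for the raw AVC line that rebuilds the rule audit2allow prints and flags the leaked-descriptor pattern, where the denied object is a socket labelled with the parent's domain rather than anything the script opened itself. The parent domain passed in (httpd_t here) is the analyst's assumption about which process spawned the CGI.

```python
"""Triage a raw SELinux AVC message like the one quoted in the thread.

A socket is labelled with the domain of the process that created it, so
a CGI in httpd_sys_script_t being denied on a socket in httpd_t means
the descriptor was inherited across exec from httpd, not opened by the
script.  For that pattern a dontaudit is the right fix, not an allow.
"""
import re

# Constructed copy of the raw audit line from the thread, on one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1326303253.473:3626): avc: denied { read write '
    '} for pid=6668 comm="index.cgi" path="socket:[415055]" dev=sockfs '
    'ino=415055 scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=udp_socket'
)

_RESULT = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")
_SERIAL = re.compile(r"audit\((\d+\.\d+):(\d+)\)")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC's key=value fields plus result, perms, time, serial."""
    m = _RESULT.search(line)
    if not m:
        raise ValueError("not an AVC message")
    fields = {"result": m.group(1), "perms": sorted(m.group(2).split())}
    ts = _SERIAL.search(line)
    if ts:
        fields["time"], fields["serial"] = ts.group(1), ts.group(2)
    # Field list starts after the permission set; quoted values lose quotes.
    for key, val in _FIELD.findall(line[m.end():]):
        fields[key] = val.strip('"')
    return fields


def context_type(ctx):
    """user:role:type[:level] -> type (the part policy rules name)."""
    return ctx.split(":")[2]


def is_leaked_descriptor(avc, parent_domain):
    """True when the object is a socket or fd owned by the parent's domain."""
    obj = avc["tclass"]
    return (obj == "fd" or obj.endswith("_socket")) and \
        context_type(avc["tcontext"]) == parent_domain


def suggest_rule(avc, parent_domain):
    """Rebuild the audit2allow rule, downgraded to dontaudit for a leak."""
    verb = "dontaudit" if is_leaked_descriptor(avc, parent_domain) else "allow"
    return "%s %s %s:%s { %s };" % (verb, context_type(avc["scontext"]),
                                   context_type(avc["tcontext"]),
                                   avc["tclass"], " ".join(avc["perms"]))
```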