[CentOS] SELinux blocking cgi script from "writing to socket (httpd_t)"

Daniel J Walsh dwalsh at redhat.com
Wed Jan 11 18:48:35 UTC 2012

On 01/11/2012 01:18 PM, Bennett Haselton wrote:
> Is this really supposed to get easier over time? :)  Now my
> audit.log file shows that SELinux is blocking my cgi script,
> index.cgi (which is what's actually served when the user visits the
> front page of one of our proxy sites like sugarsurfer.com) from
> having '"read write" to socket (httpd_t)'.  I have no idea what
> that means, except that I thought that cgi scripts were supposed to
> be able to write to stdout so that the web server could send the
> data via a socket connection to the end user's browser, so I don't
> know why a CGI script would be blocked from writing to a socket
> with security context httpd_t.
> The only clue that might narrow it down is the line "Target Objects
> socket [ udp_socket ]".  The sockets that the cgi scripts usually
> send output to are of course tcp sockets, so why would it say udp?
> The only time one of my cgi scripts might use udp would be if it
> were doing a hostname lookup via dns, but the index.cgi script 
> doesn't do that at any point.
> What would the pros do at this point?
> ***
> Summary:
> SELinux is preventing index.cgi (httpd_sys_script_t) "read write"
> to socket (httpd_t).
> Detailed Description:
> [SELinux is in permissive mode, the operation would have been
> denied but was permitted due to permissive mode.]
> SELinux denied access requested by index.cgi. It is not expected
> that this access is required by index.cgi and this access may
> signal an intrusion attempt. It is also possible that the specific
> version or configuration of the application is causing it to
> require additional access.
> Allowing Access:
> You can generate a local policy module to allow this access - see
> FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or
> you can disable SELinux protection altogether. Disabling SELinux
> protection is not recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
> package.
> Additional Information:
> Source Context                system_u:system_r:httpd_sys_script_t
> Target Context                system_u:system_r:httpd_t
> Target Objects                socket [ udp_socket ]
> Source                        index.cgi
> Source Path                   <Unknown>
> Port                          <Unknown>
> Host                          <Unknown>
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-316.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   catchall
> Host Name                     g6950-21025.securedservers.com
> Platform                      Linux g6950-21025.securedservers.com 2.6.18-274.12.1.el5 #1 SMP Tue Nov 29 13:37:46 EST 2011 x86_64 x86_64
> Alert Count                   1
> First Seen                    Wed Jan 11 09:34:13 2012
> Last Seen                     Wed Jan 11 09:34:13 2012
> Local ID                      2adcd43d-7b8b-4e17-bb93-ad11a35f378a
> Line Numbers                  1
> Raw Audit Messages
> type=AVC msg=audit(1326303253.473:3626): avc:  denied  { read write } for  pid=6668 comm="index.cgi" path="socket:[415055]" dev=sockfs ino=415055 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=udp_socket
> _______________________________________________ CentOS mailing
> list CentOS at centos.org 
> http://lists.centos.org/mailman/listinfo/centos
Looks like a leaked file descriptor; you can probably add a dontaudit.

In Fedora we currently dontaudit this leak.

audit2allow -i /tmp/t

#============= httpd_sys_script_t ==============
#!!!! This avc has a dontaudit rule in the current policy

allow httpd_sys_script_t httpd_t:udp_socket { read write };
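As an added illustration of what is going on in this thread (example code, not something Daniel or the selinux-policy package ships): the script below parses the raw AVC line quoted above, shows why it reads as a leaked descriptor rather than the script opening a UDP socket itself, and builds a small .te module in which that AVC becomes a dontaudit rule instead of the allow rule audit2allow prints by default. The leaked-descriptor heuristic (anonymous sockfs inode whose label is a different domain than the subject's) and the module name are assumptions of this example; the sample line is the one from the report, joined onto a single line.

```python
import re

# Constructed sample: the raw AVC line quoted in this thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1326303253.473:3626): avc:  denied  { read write } '
    'for  pid=6668 comm="index.cgi" path="socket:[415055]" dev=sockfs '
    'ino=415055 scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=udp_socket'
)

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the AVC record as a dict (perms as a list), or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['result'] = m.group('result')
    rec['perms'] = m.group('perms').split()
    return rec


def type_of(context):
    """user:role:type[:level] -> type."""
    return context.split(':')[2]


def looks_like_leaked_fd(rec):
    """Heuristic (an assumption of this example, not a policy rule): the denied
    object is an anonymous socket inode that still carries the parent server's
    domain, while the subject is a different (child script) domain. That is the
    pattern of an inherited descriptor the child never opened itself."""
    return (rec.get('dev') == 'sockfs'
            and rec.get('path', '').startswith('socket:[')
            and rec.get('tclass', '').endswith('socket')
            and type_of(rec['scontext']) != type_of(rec['tcontext']))


def policy_rule(rec, kind='allow'):
    """One rule in the form audit2allow prints, with 'allow' or 'dontaudit'."""
    return '%s %s %s:%s { %s };' % (
        kind, type_of(rec['scontext']), type_of(rec['tcontext']),
        rec['tclass'], ' '.join(rec['perms']))


def module_source(recs, name='leaked_fd_local'):
    """Build a raw .te module: leaked-descriptor AVCs become dontaudit rules
    (silence the noise, still deny); anything else stays a plain allow so that
    a reviewer sees exactly what would be granted before loading it."""
    types, classes, rules = set(), {}, []
    for rec in recs:
        types.update((type_of(rec['scontext']), type_of(rec['tcontext'])))
        classes.setdefault(rec['tclass'], set()).update(rec['perms'])
        rules.append(policy_rule(rec, 'dontaudit' if looks_like_leaked_fd(rec) else 'allow'))
    out = ['module %s 1.0;' % name, '', 'require {']
    out += ['    type %s;' % t for t in sorted(types)]
    out += ['    class %s { %s };' % (c, ' '.join(sorted(p))) for c, p in sorted(classes.items())]
    out += ['}', ''] + rules
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    rec = parse_avc(SAMPLE_AVC)
    print(policy_rule(rec))        # the same allow line audit2allow prints above
    print(module_source([rec]))    # .te text to feed to checkmodule / semodule_package
```

The generated .te is raw module syntax (no refpolicy macros), so it builds with the standard toolchain: checkmodule -M -m -o leaked_fd_local.mod leaked_fd_local.te, then semodule_package -o leaked_fd_local.pp -m leaked_fd_local.mod, then semodule -i leaked_fd_local.pp. A dontaudit keeps the denial in place and only stops logging it, which is the right choice for a descriptor the CGI script inherited and never uses; an allow would grant the script real access to the server's UDP socket.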
