[CentOS] SELinux blocking cgi script from "writing to socket (httpd_t)"

Daniel J Walsh dwalsh at redhat.com
Wed Jan 11 19:53:40 UTC 2012



On 01/11/2012 02:50 PM, 夜神 岩男 wrote:
> On 01/12/2012 03:48 AM, Daniel J Walsh wrote:
> 
>> In Fedora we currently dontaudit this leak.
>> 
>> audit2allow -i /tmp/t
>> 
>> 
>> #============= httpd_sys_script_t ==============
>> #!!!! This avc has a dontaudit rule in the current policy
>> 
>> allow httpd_sys_script_t httpd_t:udp_socket { read write };
> 
> Pow. Reasonable answer, and it isn't so hard to run that command --
> it's just difficult to understand why it's necessary if you don't
> know anything about the environment, and mystifying if you know the
> command but nothing about what's going on. 

The following explains leaked file descriptors.

http://danwalsh.livejournal.com/6117.html?thread=23525

In RHEL6 and Fedora you can run avc messages through audit2allow and
it will tell you whether or not there is policy affecting the AVC.

setroubleshoot can also be helpful in these circumstances.
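The triage step discussed in this message, as an added example that is not part of the original post and is not audit2allow's own code: a small Python parser that turns AVC denials into audit2allow-style rules and tags the ones that match the leaked-descriptor pattern. The log lines are constructed, and the leak test in `looks_like_leaked_fd` is a heuristic assumed for this example, not a policy lookup.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (pids, inodes and timestamps are made up).
SAMPLE_LOG = """\
type=AVC msg=audit(1326311400.101:812): avc:  denied  { read write } for  pid=4211 comm="report.cgi" path="socket:[48213]" dev=sockfs ino=48213 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=udp_socket
type=AVC msg=audit(1326311400.345:813): avc:  denied  { write } for  pid=4211 comm="report.cgi" name="out.txt" dev=dm-0 ino=9911 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    if not f.keys() >= {"scontext", "tcontext", "tclass"}:
        return None
    # A context is user:role:type[:level]; the type is the third field.
    return {"source": f["scontext"].split(":")[2], "tclass": f["tclass"],
            "target": f["tcontext"].split(":")[2], "path": f.get("path", ""),
            "perms": set(m.group("perms").split())}


def looks_like_leaked_fd(avc):
    """Assumed heuristic: read/write only, on an open socket of another domain."""
    return (avc["perms"] <= {"read", "write"}
            and avc["tclass"].endswith("_socket")
            and re.fullmatch(r"socket:\[\d+\]", avc["path"]) is not None
            and avc["source"] != avc["target"])


def summarize(log_text):
    """Group denials into audit2allow-style rules, tagging likely leaks."""
    rules = defaultdict(lambda: {"perms": set(), "leak": True})
    for avc in filter(None, map(parse_avc, log_text.splitlines())):
        entry = rules[(avc["source"], avc["target"], avc["tclass"])]
        entry["perms"] |= avc["perms"]
        entry["leak"] &= looks_like_leaked_fd(avc)
    return [("allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(e["perms"]))), e["leak"])
            for (s, t, c), e in sorted(rules.items())]


if __name__ == "__main__":
    for rule, leak in summarize(SAMPLE_LOG):
        print(("#!!!! likely leaked descriptor\n" if leak else "") + rule)
```

A rule tagged as a likely leak is a candidate for a dontaudit rule, as the message says Fedora does for this one, rather than for an allow rule.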


