From: "Török Edwin" <edwintorok@gmail.com>
To: caml-list@inria.fr
Subject: Re: [Caml-list] SELinux and FastCGI netplex applications
Date: Sat, 24 Dec 2011 16:22:24 +0200
Message-ID: <4EF5E020.60302@gmail.com>
In-Reply-To: <CAPzAKVB26bCSuu7crc49m=9UnLBjNuQJ9c_k+HDvfJmniYyQMA@mail.gmail.com>
On 12/24/2011 03:50 PM, Paolo Donadeo wrote:
> Sorry for cross posting in two mailing lists, but I'm going mad with
> SELinux on a server of mine equipped with CentOS 6.2.
>
> The problem is to run a FastCGI netplex application in peace with Apache
> and SELinux. Apache and the application communicate using a socket,
> provided by netplex. In the default Linux environment there are no
> problems. Here, the httpd daemon can't write to the socket, and the
> application simply never receives requests. The application context is this:
>
> # ls -laZ
> -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 devel.donadeo.net
>
> but when I start the program, ps shows a different story:
>
> # ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
> # ps faxeZ
> ... [ only relevant processes ] ...
> unconfined_u:system_r:httpd_t:s0 16048 ? Ss 0:00 /usr/sbin/httpd <- Apache
> unconfined_u:system_r:httpd_t:s0 20293 ? S 0:00 \_ /usr/sbin/fcgi- <- mod_fastcgi
> unconfined_u:system_r:httpd_t:s0 20294 ? S 0:00 \_ /usr/sbin/httpd <- other 10 Apache workers
> ... ... ...
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss 0:00 ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21502 ? S 0:00 \_ ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
>
> while the communication socket is labelled like this:
> # ls -laZ
> srwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 server.sock
>
> The first question is: why the hell is the executable devel.donadeo.net
> labelled with "system_u:object_r:httpd_sys_script_exec_t:s0" while the
> corresponding process in memory runs with a very low
> "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"?
Probably because you launched it from an unconfined_t shell, and it's not allowed
to transition to httpd_sys_script_exec_t, so it'll stay unconfined.
I think you have to launch it from an init script (which is labeled
as the other init scripts), and then it'll transition to the proper context.
Been a while since I played with SELinux so you may need to take some extra steps here.
Or try using 'runcon', but I don't remember if that'll work from the unconfined context or not.
Best regards,
--Edwin
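A check for the symptom discussed in this thread, added here as an example and not code from either message: it parses `ps -Z` style lines (constructed, modelled on the quoted listing) together with the executables' file labels and reports processes that are still running in unconfined_t although their binary carries an exec type that should have produced a domain transition. The exec-type to domain mapping (httpd_sys_script_exec_t to httpd_sys_script_t, httpd_exec_t to httpd_t) follows refpolicy naming and is an assumption here, not something the thread states.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type_: str
    level: str

    @classmethod
    def parse(cls, text):
        # user:role:type[:level]; the MLS level itself may contain ':' (s0-s0:c0.c1023)
        user, role, type_, *rest = text.split(":", 3)
        return cls(user, role, type_, rest[0] if rest else "")

# Constructed sample modelled on the `ps faxeZ` listing quoted in the thread.
PS_LINES = """\
unconfined_u:system_r:httpd_t:s0 16048 ? Ss 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 20293 ? S 0:00 \\_ /usr/sbin/fcgi-
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss 0:00 ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21502 ? S 0:00 \\_ ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
"""

# Constructed: file contexts as `ls -Z` would report them (path -> context).
FILE_CONTEXTS = {
    "./devel.donadeo.net": "system_u:object_r:httpd_sys_script_exec_t:s0",
    "/usr/sbin/httpd": "system_u:object_r:httpd_exec_t:s0",
}

# Assumption (refpolicy naming): domain a process should land in after exec'ing a file of this type.
EXPECTED_DOMAIN = {
    "httpd_sys_script_exec_t": "httpd_sys_script_t",
    "httpd_exec_t": "httpd_t",
}

# context, pid, tty, stat, time, optional "\_ " tree marker, then the executable
PS_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\S+\s+\S+\s+(?:\\_\s+)?(\S+)")

def parse_ps(lines):
    """Yield (pid, Context, executable) for every line that looks like `ps -Z` output."""
    for line in lines.splitlines():
        m = PS_RE.match(line)
        if m:
            yield int(m.group(2)), Context.parse(m.group(1)), m.group(3)

def find_missed_transitions(ps_output, file_contexts, expected):
    """Return (pid, exe, actual_domain, expected_domain) for processes whose exec label calls for a domain they are not in."""
    findings = []
    for pid, ctx, exe in parse_ps(ps_output):
        file_ctx = file_contexts.get(exe)
        want = expected.get(Context.parse(file_ctx).type_) if file_ctx else None
        if want and ctx.type_ != want:
            findings.append((pid, exe, ctx.type_, want))
    return findings
```

On the sample above the two netplex processes (21501, 21502) are reported as running in unconfined_t instead of httpd_sys_script_t, while the httpd workers pass.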