From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail4-relais-sop.national.inria.fr (mail4-relais-sop.national.inria.fr [192.134.164.105]) by walapai.inria.fr (8.13.6/8.13.6) with ESMTP id pBOEMUHH006992 for ; Sat, 24 Dec 2011 15:22:30 +0100 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AgUBAGXf9U7RVde2imdsb2JhbABDhQ+nIwgiAQEBCgkNBxIGIYFyAQEBBBICDx0BGxIMAwwGBQsNAgIFIQICDwISEQEFARwTCAIeoiEKix1IgmuEOz+IcQIFC4Ekgk6EeIIEgRYElQKHBIZ5PYN8 X-IronPort-AV: E=Sophos;i="4.71,403,1320620400"; d="scan'208";a="124558419" Received: from mail-ey0-f182.google.com ([209.85.215.182]) by mail4-smtp-sop.national.inria.fr with ESMTP/TLS/RC4-SHA; 24 Dec 2011 15:22:29 +0100 Received: by eaaf13 with SMTP id f13so16952196eaa.27 for ; Sat, 24 Dec 2011 06:22:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; bh=NB+RPM+SlM9kYWo4H2usdmWx8xOKyI8mTvlnOWZCqX4=; b=bL/Va3JxOw0fTm5H5IOJaru6PtEq826lpJnHhrTUWKbMRtIq3Y3Dw6EPv0+HXFbGA6 etzGSatXG+bPrYzoHX63Co8HsglmhqwOqhXHuCb/UgTjNDL2+skO0qePGl8isjPfaGC2 jeewjq6qR2VwzbffKob2P4eRtYu0PSUaPEqFY= Received: by 10.213.15.145 with SMTP id k17mr6991311eba.47.1324736547847; Sat, 24 Dec 2011 06:22:27 -0800 (PST) Received: from ?IPv6:2a02:2f02:1022:6000:1e6f:65ff:fe23:db0d? ([2a02:2f02:1022:6000:1e6f:65ff:fe23:db0d]) by mx.google.com with ESMTPS id s16sm63570482eef.2.2011.12.24.06.22.25 (version=SSLv3 cipher=OTHER); Sat, 24 Dec 2011 06:22:26 -0800 (PST) Message-ID: <4EF5E020.60302@gmail.com> Date: Sat, 24 Dec 2011 16:22:24 +0200 From: =?UTF-8?B?VMO2csO2ayBFZHdpbg==?= User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.24) Gecko/20111114 Icedove/3.1.16 MIME-Version: 1.0 To: caml-list@inria.fr References: In-Reply-To: X-Enigmail-Version: 1.1.2 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: [Caml-list] SELinux and FastCGI netplex applications On 12/24/2011 03:50 PM, Paolo Donadeo wrote: > Sorry for cross posting in two mailing lists, but I'm going mad with > SELinux on a server of mine equipped with CentOS 6.2. > > The problem is to run a FastCGI netplex application in peace with Apache > and SELinux. Apache and the application communicate using a socket, > provided by netplex. In the default Linux environment there are no > problems. Here, the httpd daemon can't write to the socket, and the > application simply never receives requests. The application context is this: > > *# ls -laZ > -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 > devel.donadeo.net* > > but when I start the program, ps shows a different story: > > *# ./devel.donadeo.net --config-file /var/www/ > donadeo.net/devel/blog_prod.conf > # ps faxeZ* > *... [ only relevant processes ] ... > **unconfined_u:system_r:httpd_t:s0 16048 ? Ss 0:00 > /usr/sbin/httpd <- Apache > unconfined_u:system_r:httpd_t:s0 20293 ? S 0:00 \_ > /usr/sbin/fcgi- <- mod_fastcgi > unconfined_u:system_r:httpd_t:s0 20294 ? S 0:00 \_ > /usr/sbin/httpd **<- other 10 Apache workers** > ... ... ... > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss 0:00 ./ > devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21502 ? S 0:00 \_ > ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf > * > while the communication socket is labelled like this: > *# ls -laZ > srwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0server.sock > * > > The first question is: why the hell the executable devel.donadeo.net is > labelled with "system_u:object_r:httpd_sys_script_exec_t:s0" and the > corresponding process in memory runs with a very low > "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"? Probably because you launched it from an unconfined_t shell, and its not allowed to transition to httpd_sys_script_exec_t, so it'll stay unconfined. I think you have to launch it from an init script (which is labeled as the other init scripts), and then it'll transition to the proper context. Been a while since I played with SELinux so you may need to take some extra steps here. Or try using 'runcon', but I don't remember if that'll work from the unconfined context or not. Best regards, --Edwin