caml-list - the Caml user's mailing list
* [Caml-list] SELinux and FastCGI netplex applications
@ 2011-12-24 13:50 Paolo Donadeo
From: Paolo Donadeo @ 2011-12-24 13:50 UTC (permalink / raw)
  To: OCaml mailing list, Ocamlnet mailing list


Sorry for cross posting in two mailing lists, but I'm going mad with
SELinux on a server of mine equipped with CentOS 6.2.

The problem is to run a FastCGI netplex application in peace with Apache
and SELinux. Apache and the application communicate using a socket,
provided by netplex. In the default Linux environment there are no
problems. Here, the httpd daemon can't write to the socket, and the
application simply never receives requests. The application context is this:

# ls -laZ
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 devel.donadeo.net

but when I start the program, ps shows a different story:

# ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
# ps faxeZ
... [ only relevant processes ] ...
unconfined_u:system_r:httpd_t:s0 16048 ?       Ss     0:00 /usr/sbin/httpd        <- Apache
unconfined_u:system_r:httpd_t:s0 20293 ?       S      0:00  \_ /usr/sbin/fcgi-    <- mod_fastcgi
unconfined_u:system_r:httpd_t:s0 20294 ?       S      0:00  \_ /usr/sbin/httpd    <- other 10 Apache workers
... ... ...
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss   0:00 ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21502 ? S    0:00  \_ ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf

while the communication socket is labelled like this:

# ls -laZ
srwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 server.sock

The first question is: why the hell is the executable devel.donadeo.net
labelled "system_u:object_r:httpd_sys_script_exec_t:s0" while the
corresponding process in memory runs with a very low
"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"? Of course an
unconfined process cannot write to a socket labelled
"unconfined_u:object_r:httpd_sys_content_t:s0".

Any idea, before I disable SELinux altogether? I like the security
framework, but I don't want to lose my mental sanity for it.


-- 
Paolo



* Re: [Caml-list] SELinux and FastCGI netplex applications
@ 2011-12-24 14:22 ` Török Edwin
From: Török Edwin @ 2011-12-24 14:22 UTC (permalink / raw)
  To: caml-list

On 12/24/2011 03:50 PM, Paolo Donadeo wrote:
> Sorry for cross posting in two mailing lists, but I'm going mad with
> SELinux on a server of mine equipped with CentOS 6.2.
> 
> The problem is to run a FastCGI netplex application in peace with Apache
> and SELinux. Apache and the application communicate using a socket,
> provided by netplex. In the default Linux environment there are no
> problems. Here, the httpd daemon can't write to the socket, and the
> application simply never receives requests. The application context is this:
> 
> # ls -laZ
> -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 devel.donadeo.net
> 
> but when I start the program, ps shows a different story:
> 
> # ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
> # ps faxeZ
> ... [ only relevant processes ] ...
> unconfined_u:system_r:httpd_t:s0 16048 ?       Ss     0:00 /usr/sbin/httpd        <- Apache
> unconfined_u:system_r:httpd_t:s0 20293 ?       S      0:00  \_ /usr/sbin/fcgi-    <- mod_fastcgi
> unconfined_u:system_r:httpd_t:s0 20294 ?       S      0:00  \_ /usr/sbin/httpd    <- other 10 Apache workers
> ... ... ...
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss   0:00 ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21502 ? S    0:00  \_ ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
> 
> while the communication socket is labelled like this:
> 
> # ls -laZ
> srwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 server.sock
> 
> The first question is: why the hell is the executable devel.donadeo.net
> labelled "system_u:object_r:httpd_sys_script_exec_t:s0" while the
> corresponding process in memory runs with a very low
> "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"?

Probably because you launched it from an unconfined_t shell, and it's not allowed
to transition to httpd_sys_script_exec_t, so it'll stay unconfined.

I think you have to launch it from an init script (which is labeled
as the other init scripts), and then it'll transition to the proper context.
Been a while since I played with SELinux so you may need to take some extra steps here.

Or try using 'runcon', but I don't remember if that'll work from the unconfined context or not.

Best regards,
--Edwin

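As an added example (not code from the thread, from Ocamlnet or from the CentOS policy) of the check Edwin's explanation implies, the shell functions below take "ls -Z" and "ps -Z" style output and flag a daemon whose executable carries a *_exec_t label but whose processes are still in unconfined_t. The sample listings are constructed from the figures quoted above; the confined domain in the "good" sample is an illustrative placeholder, since which domain the init script actually transitions to depends on the loaded policy.

```shell
# Type of file $2 in "ls -Z"/"ls -lZ" output $1: the field holding the object
# context is found by its object_r role, so either ls column layout works.
exec_type_of_file() {
    printf '%s\n' "$1" | awk -v f="$2" '$NF == f { for (i = 1; i <= NF; i++)
        if ($i ~ /:object_r:/) { split($i, c, ":"); print c[3]; exit } }'
}

# Distinct domains of processes in ps output $1 whose command line mentions $2.
# The context is the first column of "ps -eZ" / "ps faxeZ"; it is cut off
# before matching so a type name such as httpd_t cannot match "httpd" itself.
daemon_domains() {
    printf '%s\n' "$1" | awk -v cmd="$2" \
        'index(substr($0, length($1) + 1), cmd) { split($1, c, ":"); print c[3] }' | sort -u
}

# Returns 0 if every process of daemon $3 (exec label from $1, processes from
# $2) left unconfined_t, 1 if one is still unconfined as in the listing above,
# 2 if the executable has no *_exec_t label or no process is running.
audit_daemon() {
    exec_type=$(exec_type_of_file "$1" "$3")
    case "$exec_type" in
        *_exec_t) ;;
        *) printf 'WARN: %s has no *_exec_t entrypoint label\n' "$3"; return 2 ;;
    esac
    domains=$(daemon_domains "$2" "$3")
    [ -n "$domains" ] || { printf 'WARN: no %s process found\n' "$3"; return 2; }
    for t in $domains; do
        if [ "$t" = unconfined_t ]; then
            printf 'FAIL: %s runs as unconfined_t despite %s (no domain transition)\n' "$3" "$exec_type"
            return 1
        fi
    done
    printf 'OK: %s runs confined\n' "$3"
}

# Constructed samples: the thread's symptom, and a listing in which the daemon
# did transition (httpd_sys_script_t here is illustrative; the policy decides).
LS_SAMPLE='-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 devel.donadeo.net'
PS_BAD='unconfined_u:system_r:httpd_t:s0 16048 ? Ss 0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss 0:00 ./devel.donadeo.net --config-file blog_prod.conf'
PS_GOOD='unconfined_u:system_r:httpd_t:s0 16048 ? Ss 0:00 /usr/sbin/httpd
system_u:system_r:httpd_sys_script_t:s0 21501 ? Ss 0:00 ./devel.donadeo.net --config-file blog_prod.conf'
```

On a live host feed it real output, e.g. `audit_daemon "$(ls -lZ /path/to/devel.donadeo.net)" "$(ps -eZ)" devel.donadeo.net`, after starting the daemon from the init script and again after starting it from a shell to see the two verdicts.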

* Re: [Caml-list] SELinux and FastCGI netplex applications
@ 2011-12-24 20:54   ` Paolo Donadeo
From: Paolo Donadeo @ 2011-12-24 20:54 UTC (permalink / raw)
  To: OCaml mailing list

Thanks Edwin! Starting from an init script solved the problem.


-- 
Paolo

