caml-list - the Caml user's mailing list
From: Paolo Donadeo <p.donadeo@gmail.com>
To: OCaml mailing list <caml-list@inria.fr>,
	Ocamlnet mailing list <ocamlnet-devel@lists.sourceforge.net>
Subject: [Caml-list] SELinux and FastCGI netplex applications
Date: Sat, 24 Dec 2011 14:50:13 +0100	[thread overview]
Message-ID: <CAPzAKVB26bCSuu7crc49m=9UnLBjNuQJ9c_k+HDvfJmniYyQMA@mail.gmail.com> (raw)


Sorry for cross posting in two mailing lists, but I'm going mad with
SELinux on a server of mine equipped with CentOS 6.2.

The problem is to run a FastCGI netplex application in peace with Apache
and SELinux. Apache and the application communicate using a socket,
provided by netplex. In the default Linux environment there are no
problems. Here, the httpd daemon can't write to the socket, and the
application simply never receives requests. The application context is this:

# ls -laZ
-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 devel.donadeo.net

but when I start the program, ps shows a different story:

# ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
# ps faxeZ
... [ only relevant processes ] ...
unconfined_u:system_r:httpd_t:s0 16048 ?       Ss     0:00 /usr/sbin/httpd        <- Apache
unconfined_u:system_r:httpd_t:s0 20293 ?       S      0:00  \_ /usr/sbin/fcgi-    <- mod_fastcgi
unconfined_u:system_r:httpd_t:s0 20294 ?       S      0:00  \_ /usr/sbin/httpd    <- other 10 Apache workers
... ... ...
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss   0:00 ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21502 ? S    0:00  \_ ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf

while the communication socket is labelled like this:

# ls -laZ
srwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 server.sock

The first question is: why the hell is the executable devel.donadeo.net
labelled with "system_u:object_r:httpd_sys_script_exec_t:s0" while the
corresponding process in memory runs with a very low
"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"? Of course an
unconfined process cannot write to a socket labelled
"unconfined_u:object_r:httpd_sys_content_t:s0".

Any idea, before I disable SELinux altogether? I like the security
framework, but I don't want to lose my sanity over it.


-- 
Paolo
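An added example, not part of Paolo's message, for readers debugging the same class of problem: a small POSIX sh script that pulls the type field out of ls -Z / ps -eZ style output and compares the domain of the two peers of the socket. The sample lines are constructed from the output quoted above. The diagnostic point is that a process inherits its domain from whatever started it unless the policy defines a transition for the executable's type, so the same binary shows up in a different domain depending on whether it was launched from a shell or by the service manager, and the socket's own type then decides whether the httpd_t side may reach it.

```shell
#!/bin/sh
# Added example (not from the original post): extract the SELinux type from
# `ls -Z` / `ps -eZ` style output and compare the domains of two processes.
# PS_SAMPLE is constructed from the ps output in the post; tree characters
# and the trailing "<- ..." annotations are dropped so awk can parse it.

# An SELinux context is user:role:type[:range]; the third field is the type
# (for a process, its domain). The range may itself contain colons, which is
# why we take field 3 rather than the last field.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

PS_SAMPLE='unconfined_u:system_r:httpd_t:s0 16048 ? Ss 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 20293 ? S 0:00 /usr/sbin/fcgi-
unconfined_u:system_r:httpd_t:s0 20294 ? S 0:00 /usr/sbin/httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss 0:00 ./devel.donadeo.net --config-file blog_prod.conf
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21502 ? S 0:00 ./devel.donadeo.net --config-file blog_prod.conf'

# Distinct domains of all processes whose ps line matches an awk regex.
proc_domains() {
    printf '%s\n' "$PS_SAMPLE" |
        awk -v pat="$1" '$0 ~ pat { split($1, c, ":"); print c[3] }' |
        sort -u
}

# Exit 0 when the processes matched by the two patterns run in the same domain.
same_domain() {
    [ "$(proc_domains "$1")" = "$(proc_domains "$2")" ]
}

# Summarise the three labels that matter for a Unix socket shared by two peers:
# the socket's type and the domain on each side of it.
report() {
    sock_label=$1
    printf 'socket type : %s\n' "$(ctx_type "$sock_label")"
    printf 'httpd domain: %s\n' "$(proc_domains '/usr/sbin/httpd')"
    printf 'fcgi domain : %s\n' "$(proc_domains 'devel.donadeo.net')"
    if same_domain '/usr/sbin/httpd' 'devel.donadeo.net'; then
        echo 'peers share a domain'
    else
        echo 'peers run in different domains: the socket type must allow access from the httpd side'
    fi
}

report 'unconfined_u:object_r:httpd_sys_content_t:s0'
```

On a live system the same functions work against real output by replacing PS_SAMPLE with `ps -eZ` and feeding `ls -Z` of the socket to ctx_type; the script itself never needs SELinux tools, so it runs anywhere.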


Thread overview: 3+ messages
2011-12-24 13:50 Paolo Donadeo [this message]
2011-12-24 14:22 ` Török Edwin
2011-12-24 20:54   ` Paolo Donadeo
