Sorry for cross posting in two mailing lists, but I'm going mad with SELinux on a server of mine equipped with CentOS 6.2.

The problem is to run a FastCGI netplex application in peace with Apache and SELinux. Apache and the application communicate using a socket, provided by netplex. In the default Linux environment there are no problems. Here, the httpd daemon can't write to the socket, and the application simply never receives requests.

The application context is this:

    # ls -laZ
    -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 devel.donadeo.net

but when I start the program, ps shows a different story:

    # ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
    # ps faxeZ
    ... [ only relevant processes ] ...
    unconfined_u:system_r:httpd_t:s0 16048 ? Ss 0:00 /usr/sbin/httpd   <- Apache
    unconfined_u:system_r:httpd_t:s0 20293 ? S 0:00 \_ /usr/sbin/fcgi-   <- mod_fastcgi
    unconfined_u:system_r:httpd_t:s0 20294 ? S 0:00 \_ /usr/sbin/httpd   <- other 10 Apache workers
    ...
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss 0:00 ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21502 ? S 0:00 \_ ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf

while the communication socket is labelled like this:

    # ls -laZ
    srwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 server.sock

The first question is: why the hell is the executable devel.donadeo.net labelled with "system_u:object_r:httpd_sys_script_exec_t:s0" and the corresponding process in memory runs with a very low "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"?

Of course an unconfined process cannot write to a socket labelled "unconfined_u:object_r:httpd_sys_content_t:s0".

Any idea, before I disable SELinux altogether? I like the security framework, but I don't want to lose my mental sanity for it.

--
Paolo
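
To compare the labels quoted in the message above field by field, the following added example (not part of the original post) splits each SELinux context into user, role, type and MLS level and lists the type of every process and file involved. The function names are hypothetical, and the sample lines are copied from the post with whitespace normalised.

```python
import re
from typing import NamedTuple, Optional

class Context(NamedTuple):
    user: str
    role: str
    type: str
    level: str

# user:role:type:level. The MLS level may itself contain ':' (s0-s0:c0.c1023),
# so a plain split(':') would yield five parts for the unconfined process.
_CTX = re.compile(r"(\w+):(\w+):(\w+):(s\d\S*)")

def find_context(line: str) -> Optional[Context]:
    """Return the first SELinux context found in a ps -Z or ls -Z line."""
    m = _CTX.search(line)
    return Context(*m.groups()) if m else None

def process_domains(ps_lines):
    """Map command -> domain type; columns are LABEL PID TTY STAT TIME COMMAND."""
    domains = {}
    for line in ps_lines:
        ctx = find_context(line)
        if ctx is None:
            continue
        rest = [f for f in line.split()[5:] if f != "\\_"]  # drop process-tree art
        if rest:
            domains.setdefault(rest[0], ctx.type)
    return domains

def file_types(ls_lines):
    """Map file name (last column of ls -Z) -> object type."""
    return {l.split()[-1]: c.type for l in ls_lines if (c := find_context(l))}

# Lines copied from the post, whitespace normalised.
PS_LINES = [
    r"unconfined_u:system_r:httpd_t:s0 16048 ? Ss 0:00 /usr/sbin/httpd",
    r"unconfined_u:system_r:httpd_t:s0 20294 ? S 0:00 \_ /usr/sbin/httpd",
    r"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss 0:00 "
    r"./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf",
]
LS_LINES = [
    "-rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 devel.donadeo.net",
    "srwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 server.sock",
]

if __name__ == "__main__":
    for cmd, dom in process_domains(PS_LINES).items():
        print(f"process {cmd:22} domain {dom}")
    for name, typ in file_types(LS_LINES).items():
        print(f"file    {name:22} type   {typ}")
```

The type field is the one type-enforcement rules are written against, so it is the column to compare between the two processes and the socket.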