From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail1-relais-roc.national.inria.fr (mail1-relais-roc.national.inria.fr [192.134.164.82]) by walapai.inria.fr (8.13.6/8.13.6) with ESMTP id pBODp0fv006093 for ; Sat, 24 Dec 2011 14:51:00 +0100 X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: AvoAACvY9U7RVdy2mGdsb2JhbABDhQ+eeQGHEoEXCCIBAQEBAQgJDQcUJYILAg8dARsSDAMSAw03AiQBEQEFASIBNIdgmkQKix1IgmuEOT+IcQIFC4NyhnyBFgSCWpIojX09g3s X-IronPort-AV: E=Sophos;i="4.71,403,1320620400"; d="scan'208";a="136718470" Received: from mail-vx0-f182.google.com ([209.85.220.182]) by mail1-smtp-roc.national.inria.fr with ESMTP/TLS/RC4-SHA; 24 Dec 2011 14:50:55 +0100 Received: by vcbfk1 with SMTP id fk1so13896548vcb.27 for ; Sat, 24 Dec 2011 05:50:54 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:from:date:message-id:subject:to:content-type; bh=M6URjq2j/zJG5/XwGSUBY/EpwSbi9lgpxBBrVmQzYsg=; b=Bl7X7VlYlOmlZM9P7x8mw9P1RG+YGabLFswFZmfl1Wme/bW33MRixXwFOi128UBgOr B/R2qg/2rXeGFzhU4jhwbPV1TAhgyQyYYBYG++b1eJZM3O/B3Qy5D/8V5eb9XtRWl3fP kUQJZjENRwaFv+BmZCr/kIbkpTuo/DsrgtD2c= Received: by 10.221.13.196 with SMTP id pn4mr12109839vcb.74.1324734654208; Sat, 24 Dec 2011 05:50:54 -0800 (PST) MIME-Version: 1.0 Received: by 10.52.114.136 with HTTP; Sat, 24 Dec 2011 05:50:13 -0800 (PST) From: Paolo Donadeo Date: Sat, 24 Dec 2011 14:50:13 +0100 Message-ID: To: OCaml mailing list , Ocamlnet mailing list Content-Type: multipart/alternative; boundary=bcaec54fb9e07c595304b4d6d214 Subject: [Caml-list] SELinux and FastCGI netplex applications --bcaec54fb9e07c595304b4d6d214 Content-Type: text/plain; charset=UTF-8 Sorry for cross posting in two mailing lists, but I'm going mad with SELinux on a server of mine equipped with CentOS 6.2. The problem is to run a FastCGI netplex application in peace with Apache and SELinux. Apache and the application communicate using a socket, provided by netplex. In the default Linux environment there are no problems. Here, the httpd daemon can't write to the socket, and the application simply never receives requests. The application context is this: *# ls -laZ -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 devel.donadeo.net* but when I start the program, ps shows a different story: *# ./devel.donadeo.net --config-file /var/www/ donadeo.net/devel/blog_prod.conf # ps faxeZ* *... [ only relevant processes ] ... **unconfined_u:system_r:httpd_t:s0 16048 ? Ss 0:00 /usr/sbin/httpd <- Apache unconfined_u:system_r:httpd_t:s0 20293 ? S 0:00 \_ /usr/sbin/fcgi- <- mod_fastcgi unconfined_u:system_r:httpd_t:s0 20294 ? S 0:00 \_ /usr/sbin/httpd **<- other 10 Apache workers** ... ... ... unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss 0:00 ./ devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21502 ? S 0:00 \_ ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf * while the communication socket is labelled like this: *# ls -laZ srwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0server.sock * The first question is: why the hell the executable devel.donadeo.net is labelled with "system_u:object_r:httpd_sys_script_exec_t:s0" and the corresponding process in memory runs with a very low "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"? Of course an unconfined process cannot write to a socket labelled "unconfined_u:object_r:httpd_sys_content_t:s0". Any idea, before I disable SELinux altogether? I like the security framework, but I don't want to loose my mental sanity for it. -- *Paolo* --bcaec54fb9e07c595304b4d6d214 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Sorry for cross posting in two mailing lists, but I'm going mad with SE= Linux on a server of mine equipped with CentOS 6.2.

The problem is t= o run a FastCGI netplex application in peace with Apache and SELinux. Apach= e and the application communicate using a socket, provided by netplex. In t= he default Linux environment there are no problems. Here, the httpd daemon = can't write to the socket, and the application simply never receives re= quests. The application context is this:

# ls -laZ
-rwxr-x= r-x. root root system_u:o= bject_r:httpd_sys_script_exec_t:s0 devel.donadeo.net

but when I start the program, ps shows a different story:

# ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
# ps faxeZ
<= b>... [ only relevant processes ] ...
unconfined_u:system_r:httpd_t:s0 16048 ? =C2=A0 =C2=A0 =C2=A0 Ss = =C2=A0 =C2=A0 0:00 /usr/sbin/httpd =C2=A0 =C2=A0 =C2=A0 =C2=A0<- Apache<= br> unconfined_u:system_r:htt= pd_t:s0 20293 ? =C2=A0 =C2=A0 =C2=A0 S =C2=A0 =C2=A0 =C2=A00:00 =C2= =A0\_ /usr/sbin/fcgi- =C2=A0 =C2=A0<- mod_fastcgi
unconfined_u:system= _r:httpd_t:s0 20294 ? =C2=A0 =C2=A0 =C2=A0 S =C2=A0 =C2=A0 =C2=A00:00 =C2= =A0\_ /usr/sbin/httpd =C2=A0 =C2=A0<- other 10 Apache workers
... ... ...=C2=A0
unco= nfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss =C2=A0 = 0:00 ./devel.donadeo.net --config-= file /var/www/donadeo.n= et/devel/blog_prod.conf
unconfined_u:unconfined_r= :unconfined_t:s0-s0:c0.c1023 21502 ? S =C2=A0 0:00 =C2=A0\_ ./devel.donadeo.net --config-file /var/www= /donadeo.net/devel/blog= _prod.conf

while the communication socket is labelled like this:
= # ls -laZ
srwxr-xr-x. ro= ot root unconfined_u:obje= ct_r:httpd_sys_content_t:s0 server.sock

The first question is: why the hell the executable devel.donadeo.net is labelled with "system_u:obje= ct_r:httpd_sys_script_exec_t:s0" and the corresponding process in memo= ry runs with a very low "unconfined_u:unconfined_r:unconfined_t:s0-s0:= c0.c1023"? Of course an unconfined process cannot write to a socket la= belled "unconfined_u:object_r:httpd_sys_content_t:s0".

Any idea, before I disable SELinux altogether? I like the security fram= ework, but I don't want to loose my mental sanity for it.


--=C2=A0
Paolo
--bcaec54fb9e07c595304b4d6d214--