Sorry for cross posting in two mailing lists, but I'm going mad with
SELinux on a server of mine equipped with CentOS 6.2.

The problem is to run a FastCGI netplex application in peace with Apache
and SELinux. Apache and the application communicate using a socket,
provided by netplex. In the default Linux environment there are no
problems. Here, the httpd daemon can't write to the socket, and the
application simply never receives requests. The application context is this:

    # ls -laZ
    -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 devel.donadeo.net

but when I start the program, ps shows a different story:

    # ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
    # ps faxeZ
    ... [ only relevant processes ] ...
    unconfined_u:system_r:httpd_t:s0 16048 ?       Ss     0:00 /usr/sbin/httpd        <- Apache
    unconfined_u:system_r:httpd_t:s0 20293 ?       S      0:00  \_ /usr/sbin/fcgi-    <- mod_fastcgi
    unconfined_u:system_r:httpd_t:s0 20294 ?       S      0:00  \_ /usr/sbin/httpd    <- other 10 Apache workers
    ... ... ...
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss   0:00 ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
    unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21502 ? S    0:00  \_ ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf

while the communication socket is labelled like this:

    # ls -laZ
    srwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 server.sock

The first question is: why the hell is the executable devel.donadeo.net
labelled with "system_u:object_r:httpd_sys_script_exec_t:s0", while the
corresponding process in memory runs with a very low
"unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"? Of course an
unconfined process cannot write to a socket labelled
"unconfined_u:object_r:httpd_sys_content_t:s0".

Any idea, before I disable SELinux altogether? I like the security
framework, but I don't want to lose my mental sanity for it.


-- 
*Paolo*
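An added diagnostic for the situation described in the mail above (this is example code written for this page, not part of Paolo's post or of netplex). It splits SELinux context strings of the form user:role:type:level into their type field and compares the domain a process actually runs in with the domain the targeted policy's httpd transition would have given it: when httpd_t executes a file labelled httpd_sys_script_exec_t the child runs as httpd_sys_script_t, whereas a binary started by hand from an unconfined login shell stays in unconfined_t regardless of its file label. The sample ps lines, pids and the binary name are constructed to mirror the mail; on a live host the same functions can be fed the output of `ps -eZ`.

```shell
#!/bin/sh
# Added example, not from the original mail. Classifies the domain of a process
# from `ps -eZ`-style lines and flags the "no domain transition" case.

# Extract the type field from a context "user:role:type:level".
# Works with MLS levels such as s0-s0:c0.c1023 because only field 3 is taken.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Domain the targeted policy assigns when httpd_t executes a file of the
# given type (assumption: standard CentOS 6 targeted policy rules).
expected_domain_for() {
    case "$1" in
        httpd_sys_script_exec_t) echo httpd_sys_script_t ;;
        httpd_exec_t)            echo httpd_t ;;
        *)                       echo unknown ;;
    esac
}

# Diagnose one ps line (context is the first column) against the file type
# of the binary it runs. Prints one of: ok | no-transition | unexpected
diagnose() {
    ps_line=$1
    file_type=$2
    proc_ctx=$(printf '%s\n' "$ps_line" | awk '{print $1}')
    proc_type=$(ctx_type "$proc_ctx")
    want=$(expected_domain_for "$file_type")
    if [ "$proc_type" = "$want" ]; then
        echo ok
    elif [ "$proc_type" = "unconfined_t" ]; then
        # Started from a login shell: no transition into an httpd domain.
        echo no-transition
    else
        echo unexpected
    fi
}

# Find the first line of a ps snapshot whose command mentions the binary
# and diagnose it.
scan_snapshot() {
    snapshot=$1
    binary=$2
    file_type=$3
    printf '%s\n' "$snapshot" | grep -F -- "$binary" | head -n 1 |
        while IFS= read -r line; do
            diagnose "$line" "$file_type"
        done
}

# Constructed snapshot mirroring the mail (pids are assumptions).
SAMPLE_PS='unconfined_u:system_r:httpd_t:s0 16048 ? Ss 0:00 /usr/sbin/httpd
unconfined_u:system_r:httpd_t:s0 20293 ? S 0:00 \_ /usr/sbin/fcgi-
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss 0:00 ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf'

# The FastCGI binary was launched by hand, so the transition never happened.
scan_snapshot "$SAMPLE_PS" ./devel.donadeo.net httpd_sys_script_exec_t   # prints: no-transition
```

The `ok` branch is what a correctly spawned FastCGI process looks like: a ps line whose first column has httpd_sys_script_t as its type. Seeing `no-transition` instead tells you the process was not started by httpd, so its domain, not the socket's file label alone, is the first thing to look at.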

-- 
Caml-list mailing list.  Subscription management and archives:
https://sympa-roc.inria.fr/wws/info/caml-list
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
Bug reports: http://caml.inria.fr/bin/caml-bugs
