On 12/24/2011 03:50 PM, Paolo Donadeo wrote:
> Sorry for cross posting in two mailing lists, but I'm going mad with
> SELinux on a server of mine equipped with CentOS 6.2.
>
> The problem is to run a FastCGI netplex application in peace with Apache
> and SELinux. Apache and the application communicate using a socket,
> provided by netplex. In the default Linux environment there are no
> problems. Here, the httpd daemon can't write to the socket, and the
> application simply never receives requests. The application context is this:
>
> # ls -laZ
> -rwxr-xr-x. root root system_u:object_r:httpd_sys_script_exec_t:s0 devel.donadeo.net
>
> but when I start the program, ps shows a different story:
>
> # ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
> # ps faxeZ
> ... [ only relevant processes ] ...
> unconfined_u:system_r:httpd_t:s0 16048 ? Ss 0:00 /usr/sbin/httpd <- Apache
> unconfined_u:system_r:httpd_t:s0 20293 ? S 0:00 \_ /usr/sbin/fcgi- <- mod_fastcgi
> unconfined_u:system_r:httpd_t:s0 20294 ? S 0:00 \_ /usr/sbin/httpd <- other 10 Apache workers
> ... ... ...
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 ? Ss 0:00 ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21502 ? S 0:00 \_ ./devel.donadeo.net --config-file /var/www/donadeo.net/devel/blog_prod.conf
>
> while the communication socket is labelled like this:
>
> # ls -laZ
> srwxr-xr-x. root root unconfined_u:object_r:httpd_sys_content_t:s0 server.sock
>
> The first question is: why the hell is the executable devel.donadeo.net
> labelled with "system_u:object_r:httpd_sys_script_exec_t:s0" while the
> corresponding process in memory runs with a very low
> "unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023"?
Probably because you launched it from an unconfined_t shell, and it's not allowed to transition to httpd_sys_script_exec_t, so it'll stay unconfined. I think you have to launch it from an init script (which is labeled as the other init scripts), and then it'll transition to the proper context. Been a while since I played with SELinux so you may need to take some extra steps here. Or try using 'runcon', but I don't remember if that'll work from the unconfined context or not.

Best regards,
--Edwin

--
Caml-list mailing list. Subscription management and archives: https://sympa-roc.inria.fr/wws/info/caml-list
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
Bug reports: http://caml.inria.fr/bin/caml-bugs
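The mismatch Edwin describes (a binary labelled httpd_sys_script_exec_t whose process stayed in unconfined_t because nothing confined executed it) is easy to check for across a whole box. The script below is an added example, not from the thread: it audits `ps -Z`-style process lines against `ls -Z`-style file labels and reports any process whose domain is not the one its executable's type is meant to enter. It assumes the standard RHEL/CentOS targeted-policy entrypoint pairs (httpd_exec_t to httpd_t, httpd_sys_script_exec_t to httpd_sys_script_t) and runs on constructed sample output rather than live ps/ls.

```shell
#!/bin/sh
# Added example: detect processes running outside the SELinux domain their
# executable's file type should have transitioned them into.

# Constructed sample of `ps -eZ -o label,pid,comm` output (not real data).
SAMPLE_PS='unconfined_u:system_r:httpd_t:s0 16048 httpd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 21501 devel.donadeo.net'

# Constructed sample of `ls -Z` output for the executables: label, then path.
SAMPLE_LS='system_u:object_r:httpd_exec_t:s0 /usr/sbin/httpd
system_u:object_r:httpd_sys_script_exec_t:s0 /srv/devel.donadeo.net'

# The third colon-separated field of a context is the type (domain for processes).
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Domain a process is expected to enter after executing a file of this type
# (assumed targeted-policy entrypoints; extend the table for other services).
expected_domain() {
    case "$1" in
        httpd_exec_t)            echo httpd_t ;;
        httpd_sys_script_exec_t) echo httpd_sys_script_t ;;
        *)                       echo unknown ;;
    esac
}

# File type of the executable whose basename matches $1, looked up in SAMPLE_LS.
file_type_for() {
    printf '%s\n' "$SAMPLE_LS" | awk -v name="$1" '{
        n = split($2, p, "/"); if (p[n] == name) { split($1, c, ":"); print c[3] }
    }'
}

# Print one line per process in the wrong domain; return 1 if any were found.
# A here-document (not a pipe) feeds the loop so "found" survives the loop.
audit_domains() {
    found=0
    while read -r ctx pid comm; do
        [ -n "$ctx" ] || continue
        actual=$(selinux_type "$ctx")
        want=$(expected_domain "$(file_type_for "$comm")")
        if [ "$actual" != "$want" ]; then
            echo "$pid $comm runs as $actual, expected $want"
            found=1
        fi
    done <<EOF
$SAMPLE_PS
EOF
    return $found
}
```

On a live host, replace the two sample strings with the real `ps -eZ -o label,pid,comm` and `ls -Z` output for the daemons you care about; the unconfined FastCGI process from the question shows up as the single mismatch.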
