[CentOS] SELinux blocking cgi script from writing to socket (httpd_t)
Is this really supposed to get easier over time? :) Now my audit.log
file shows that SELinux is blocking my cgi script, index.cgi (which is
what's actually served when the user visits the front page of one of our
proxy sites like sugarsurfer.com) from having 'read write to socket
(httpd_t)'. I have no idea what that means, except that I thought that
cgi scripts were supposed to be able to write to stdout so that the web
server could send the data via a socket connection to the end user's
browser, so I don't know why a CGI script would be blocked from writing
to a socket with security context httpd_t.
The only clue that might narrow it down is the line Target
Objectssocket [ udp_socket ]. The sockets that the cgi
scripts usually send output to are of course tcp sockets, so why would
it say udp? The only time one of my cgi scripts might use udp would be
if it were doing a hostname lookup via dns, but the index.cgi script
doesn't do that at any point.
What would the pros do at this point?
***
Summary:
SELinux is preventing index.cgi (httpd_sys_script_t) read write to socket
(httpd_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]
SELinux denied access requested by index.cgi. It is not expected that this
access is required by index.cgi and this access may signal an intrusion
attempt.
It is also possible that the specific version or configuration of the
application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.
Additional Information:
Source Contextsystem_u:system_r:httpd_sys_script_t
Target Contextsystem_u:system_r:httpd_t
Target Objectssocket [ udp_socket ]
Sourceindex.cgi
Source Path Unknown
Port Unknown
Host Unknown
Source RPM Packages
Target RPM Packages
Policy RPMselinux-policy-2.4.6-316.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing ModePermissive
Plugin Name catchall
Host Name g6950-21025.securedservers.com
Platform Linux g6950-21025.securedservers.com
2.6.18-274.12.1.el5 #1 SMP Tue Nov 29
13:37:46 EST
2011 x86_64 x86_64
Alert Count 1
First SeenWed Jan 11 09:34:13 2012
Last Seen Wed Jan 11 09:34:13 2012
Local ID 2adcd43d-7b8b-4e17-bb93-ad11a35f378a
Line Numbers 1
Raw Audit Messages
type=AVC msg=audit(1326303253.473:3626): avc: denied { read write }
for pid=6668 comm=index.cgi path=socket:[415055] dev=sockfs
ino=415055 scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=udp_socket
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELinux blocking cgi script from writing to socket (httpd_t)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 01/11/2012 01:18 PM, Bennett Haselton wrote:
Is this really supposed to get easier over time? :) Now my
audit.log file shows that SELinux is blocking my cgi script,
index.cgi (which is what's actually served when the user visits the
front page of one of our proxy sites like sugarsurfer.com) from
having 'read write to socket (httpd_t)'. I have no idea what
that means, except that I thought that cgi scripts were supposed to
be able to write to stdout so that the web server could send the
data via a socket connection to the end user's browser, so I don't
know why a CGI script would be blocked from writing to a socket
with security context httpd_t.
The only clue that might narrow it down is the line Target Objects
socket [ udp_socket ]. The sockets that the cgi scripts usually
send output to are of course tcp sockets, so why would it say udp?
The only time one of my cgi scripts might use udp would be if it
were doing a hostname lookup via dns, but the index.cgi script
doesn't do that at any point.
What would the pros do at this point?
***
Summary:
SELinux is preventing index.cgi (httpd_sys_script_t) read write
to socket (httpd_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been
denied but was permitted due to permissive mode.]
SELinux denied access requested by index.cgi. It is not expected
that this access is required by index.cgi and this access may
signal an intrusion attempt. It is also possible that the specific
version or configuration of the application is causing it to
require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see
FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or
you can disable SELinux protection altogether. Disabling SELinux
protection is not recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
package.
Additional Information:
Source Contextsystem_u:system_r:httpd_sys_script_t
Target Contextsystem_u:system_r:httpd_t Target
Objectssocket [ udp_socket ] Source
index.cgi Source Path Unknown Port Unknown Host Unknown
Source RPM Packages Target RPM Packages Policy RPM
selinux-policy-2.4.6-316.el5 Selinux Enabled True
Policy Type targeted MLS Enabled
True Enforcing ModePermissive Plugin Name
catchall Host Name
g6950-21025.securedservers.com Platform Linux
g6950-21025.securedservers.com 2.6.18-274.12.1.el5 #1 SMP Tue Nov
29 13:37:46 EST 2011 x86_64 x86_64 Alert Count 1
First SeenWed Jan 11 09:34:13 2012 Last Seen
Wed Jan 11 09:34:13 2012 Local ID
2adcd43d-7b8b-4e17-bb93-ad11a35f378a Line Numbers
1
Raw Audit Messages
type=AVC msg=audit(1326303253.473:3626): avc: denied { read write
} for pid=6668 comm=index.cgi path=socket:[415055] dev=sockfs
ino=415055 scontext=system_u:system_r:httpd_sys_script_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=udp_socket
___ CentOS mailing
list CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Looks like a leaked file descriptor, you can probably add a dontaudit
rule.
In Fedora we currently dontaudit this leak.
audit2allow -i /tmp/t
#= httpd_sys_script_t ==
# This avc has a dontaudit rule in the current policy
allow httpd_sys_script_t httpd_t:udp_socket { read write };
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8N2YMACgkQrlYvE4MpobPnYACg0avTPwuj0XSYKOJIKIIw5Q6J
N5EAoLptqsCytbXtWc7R0EvECbwQJm29
=luHO
-END PGP SIGNATURE-
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELinux blocking cgi script from writing to socket (httpd_t)
On 01/12/2012 03:18 AM, Bennett Haselton wrote: Is this really supposed to get easier over time? :) Now my audit.log file shows that SELinux is blocking my cgi script, index.cgi (which is what's actually served when the user visits the front page of one of our proxy sites like sugarsurfer.com) from having 'read write to socket (httpd_t)'. I have no idea what that means, except that I thought that cgi scripts were supposed to be able to write to stdout so that the web server could send the data via a socket connection to the end user's browser, so I don't know why a CGI script would be blocked from writing to a socket with security context httpd_t. Your cgi script isn't allowed to write to the socket file. The context httpd_t isn't touchable by your executable. Is your index.cgi script custom or something from a distro package? In any case you can find a way to deliberately make this audit message show up (sounds like you have), try to vary it a few times to get a good base of audit information, and then use audit2allow to inspect the last several lines of your audit file. From this you can have audit2allow create and package a new policy that explicitely permits just this access and nothing else. See if you get any more AVC denials (9 out of 10 times this will be the end of it). If no more AVC notices and everything works well, turn SELinux back to enforcing and test a bit. Usually for custom scripts (of any depth, really) this is all that's needed. I have to do the same thing every time I decide to do something weird like run a new version of Django on top of Postgres 9.1 from source with all my other custom database-using apps asking for things from other servers, etc. Even with that much messaging going around its pretty easy to pin the situation down. You will need policycoreutils-python installed and you'll want to read over the manpages for audit2allow and any other tool that you find interesting, but its pretty easy now that you've got sane output to go by, know where/what your audit file is, and what a security context is. The only clue that might narrow it down is the line Target Objectssocket [ udp_socket ]. The sockets that the cgi scripts usually send output to are of course tcp sockets, so why would it say udp? The only time one of my cgi scripts might use udp would be if it were doing a hostname lookup via dns, but the index.cgi script doesn't do that at any point. No idea why it would need to talk to a UDP socket if you're absolutely certain that it doesn't need to, but it could be something else related that needs to do a lookup (Apache set to resolve names for logs, for example?). What would the pros do at this point? Aside from checking the policy that the audit tools come up with, it would be reasonable to run a test on the script in a clean environment (minimal install of the OS with just enough web server (Apache) setup to let the script execute) and see what is happening in the audit log (and anywhere else you're curious about -- database, other processes, file system acces, etc.). If you're really paranoid (and a pro is paid to be, so...) it would be good to check the contents of the packets being passed in and out of the test environment to make sure you fully understand what is expected, then compare that against what you see coming from the production server. In *any* case, putting together a quick SELinux policy that let's your app run and lets you turn SELinux back on is better in the interim than simply letting the system sit with a permissive policy while you do your homework. ___ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELinux blocking cgi script from writing to socket (httpd_t)
On 01/12/2012 03:48 AM, Daniel J Walsh wrote:
In Fedora we currently dontaudit this leak.
audit2allow -i /tmp/t
#= httpd_sys_script_t ==
# This avc has a dontaudit rule in the current policy
allow httpd_sys_script_t httpd_t:udp_socket { read write };
Pow. Reasonable answer, and it isn't so hard to run that command -- its
just difficult to understand why its necessary if you don't know
anything about the environment, and mystifying if you know the command
but nothing about what's going on.
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] SELinux blocking cgi script from writing to socket (httpd_t)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 01/11/2012 02:50 PM, 夜神 岩男 wrote:
On 01/12/2012 03:48 AM, Daniel J Walsh wrote:
In Fedora we currently dontaudit this leak.
audit2allow -i /tmp/t
#= httpd_sys_script_t == # This avc
has a dontaudit rule in the current policy
allow httpd_sys_script_t httpd_t:udp_socket { read write };
Pow. Reasonable answer, and it isn't so hard to run that command --
its just difficult to understand why its necessary if you don't
know anything about the environment, and mystifying if you know the
command but nothing about what's going on.
___ CentOS mailing
list CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
The following explaines leaked file descriptors.
http://danwalsh.livejournal.com/6117.html?thread=23525
In RHEL6 and Fedora you can run avc messages through audit2allow and
it will tell you whether or not there is policy effecting the AVC.
setroubleshoot can also be helpful in these circumstances.
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk8N6MQACgkQrlYvE4MpobOsJACeIf9ubCB7kBDQFTITJ7hYRXlc
QJIAoMPdXne6a+nVUBBBakeyd0bjkBfs
=8fnf
-END PGP SIGNATURE-
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
