Is this really supposed to get easier over time? :)

Now my audit.log file shows that SELinux is blocking my CGI script, index.cgi (which is what's actually served when the user visits the front page of one of our proxy sites like sugarsurfer.com), from having '"read write" to socket (httpd_t)'. I have no idea what that means, except that I thought that CGI scripts were supposed to be able to write to stdout so that the web server could send the data via a socket connection to the end user's browser, so I don't know why a CGI script would be blocked from writing to a socket with security context httpd_t.

The only clue that might narrow it down is the line "Target Objects socket [ udp_socket ]". The sockets that the CGI scripts usually send output to are of course TCP sockets, so why would it say UDP? The only time one of my CGI scripts might use UDP would be if it were doing a hostname lookup via DNS, but the index.cgi script doesn't do that at any point.

What would the pros do at this point?

***

Summary:

SELinux is preventing index.cgi (httpd_sys_script_t) "read write" to socket (httpd_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by index.cgi. It is not expected that this access is required by index.cgi and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:

Source Context                system_u:system_r:httpd_sys_script_t
Target Context                system_u:system_r:httpd_t
Target Objects                socket [ udp_socket ]
Source                        index.cgi
Source Path                   <Unknown>
Port                          <Unknown>
Host                          <Unknown>
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-316.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     g6950-21025.securedservers.com
Platform                      Linux g6950-21025.securedservers.com 2.6.18-274.12.1.el5 #1 SMP Tue Nov 29 13:37:46 EST 2011 x86_64 x86_64
Alert Count                   1
First Seen                    Wed Jan 11 09:34:13 2012
Last Seen                     Wed Jan 11 09:34:13 2012
Local ID                      2adcd43d-7b8b-4e17-bb93-ad11a35f378a
Line Numbers                  1

Raw Audit Messages

type=AVC msg=audit(1326303253.473:3626): avc: denied { read write } for pid=6668 comm="index.cgi" path="socket:[415055]" dev=sockfs ino=415055 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=udp_socket

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
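The raw AVC line at the end of the message is what a reviewer would actually read, and it answers the poster's UDP question: SELinux labels a socket with the domain of the process that created it, so a udp_socket whose target context is httpd_t, touched from httpd_sys_script_t, is a descriptor that httpd itself opened (httpd's resolver socket is the usual one) and left open across the exec of the CGI, not a socket the script created. The example below is an added one, not code from the original post nor from setroubleshoot or audit2allow: a small parser for audit.log AVC records plus a first-pass triage that separates this "inherited descriptor" pattern from a genuine object-access denial. The posted AVC line is used verbatim; the second record, the triage categories and the advice strings are my own constructions.

```python
import re
from typing import Dict, List, Optional

# First record: the raw AVC message from the post above, verbatim.
# Second record: a constructed file-denial line used only for contrast.
POSTED_AVC = (
    'type=AVC msg=audit(1326303253.473:3626): avc: denied { read write } for '
    'pid=6668 comm="index.cgi" path="socket:[415055]" dev=sockfs ino=415055 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=udp_socket'
)
CONSTRUCTED_FILE_AVC = (
    'type=AVC msg=audit(1326303300.001:3630): avc: denied { write } for '
    'pid=6670 comm="index.cgi" name="cache.db" dev=sda1 ino=1234 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'
)

# "type=AVC msg=audit(<secs>.<ms>:<serial>): avc:  denied  { perms } for <k=v ...>"
HEADER_RE = re.compile(
    r'type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc: +(?P<action>denied|granted) +\{ *(?P<perms>[^}]*)\} +for +(?P<rest>.*)'
)
# key=value pairs; values are either double-quoted (path="socket:[415055]") or bare.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Object classes whose label comes from the process that created them.
SOCKET_CLASSES = {
    'socket', 'tcp_socket', 'udp_socket', 'rawip_socket', 'netlink_socket',
    'unix_stream_socket', 'unix_dgram_socket',
}


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Split one audit.log AVC line into a dict; return None for anything else."""
    m = HEADER_RE.match(line.strip())
    if not m or m.group('type') != 'AVC':
        return None
    rec: Dict[str, object] = {
        'timestamp': float(m.group('ts')),
        'serial': int(m.group('serial')),
        'action': m.group('action'),
        'perms': m.group('perms').split(),
    }
    for key, value in KV_RE.findall(m.group('rest')):
        rec[key] = value[1:-1] if value.startswith('"') else value
    return rec


def context_type(ctx: str) -> str:
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(':')[2]


def triage(rec: Dict[str, object]) -> Dict[str, str]:
    """First-pass classification of a parsed denial (categories are my own)."""
    src = context_type(str(rec['scontext']))
    tgt = context_type(str(rec['tcontext']))
    tclass = str(rec['tclass'])
    if tclass in SOCKET_CLASSES and src != tgt:
        # A socket carries the domain of its creator. A different *process*
        # domain on the target means that other process (here httpd_t) opened
        # the descriptor and it was inherited across exec into the CGI domain.
        return {
            'kind': 'inherited-socket',
            'creator': tgt,
            'advice': (f'{src} did not open this {tclass}; {tgt} did and left it open '
                       f'across exec. Not an access the script needs; the fix belongs '
                       f'on the parent (close-on-exec) or is a dontaudit candidate.'),
        }
    return {
        'kind': 'object-access',
        'creator': '',
        'advice': f'{src} attempted {" ".join(map(str, rec["perms"]))} on a {tclass} labeled {tgt}.',
    }


def triage_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse and triage every AVC record in an audit.log excerpt, in order."""
    results = []
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            out = triage(rec)
            out['comm'] = str(rec.get('comm', ''))
            results.append(out)
    return results


if __name__ == '__main__':
    sample = [POSTED_AVC, CONSTRUCTED_FILE_AVC, 'type=SYSCALL msg=audit(1.0:2): arch=x']
    for r in triage_log(sample):
        print(f"{r['comm']}: {r['kind']} -- {r['advice']}")
```

Run against the posted line it reports `inherited-socket` with creator `httpd_t`; the constructed file line comes out as `object-access`, which is the category that would deserve a real policy or labeling decision. Note the alert itself says the mode is Permissive, so nothing was actually blocked; the record is a log entry to explain, not an outage to fix.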