Hello,

If I understand the documentation correctly, SELinux should prevent PHP scripts (running via mod_php) from opening remote URLs with the fopen function by default, that is, when httpd_can_network_connect --> off.

Here are the links that confirm that behavior in the past:

  http://www.php.net/manual/en/function.fopen.php#56551
  https://bugzilla.redhat.com/show_bug.cgi?id=164700

I've installed and updated Fedora 15 with no SELinux modifications:

  [root@localhost ~]# cat /etc/redhat-release
  Fedora release 15 (Lovelock)
  [root@localhost ~]# sestatus
  SELinux status:                 enabled
  SELinuxfs mount:                /selinux
  Current mode:                   enforcing
  Mode from config file:          enforcing
  Policy version:                 26
  Policy from config file:        targeted

I've made three tests:

  [root@localhost ~]# cat /var/www/html/marko1.php
  <?php
  $file = fopen ("http://www.example.com", "r");
  if (!$file) {
      echo "<p>Unable to open remote file.\n";
      exit;
  }
  while (!feof ($file)) {
      $line = fgets ($file, 1024);
      echo ($line);
  }
  fclose($file);
  ?>

  [root@localhost ~]# cat /var/www/html/marko2.php
  <?php
  $file = fopen ("http://10.11.12.13:31254/", "r");
  if (!$file) {
      echo "<p>Unable to open remote file.\n";
      exit;
  }
  while (!feof ($file)) {
      $line = fgets ($file, 1024);
      echo ($line);
  }
  fclose($file);
  ?>

  [root@localhost ~]# cat /var/www/html/marko3.php
  <?php
  exec ('wget http://www.example.com -O /tmp/example.html');
  exec ('wget http://10.11.12.13:31254 -O /tmp/mail.html');
  ?>

IP 10.11.12.13 is a remote machine, with Apache listening on TCP port 31254, and I can reach it with wget running under the unconfined root account.

My httpd booleans are:

  [root@localhost ~]# getsebool -a|grep http
  allow_httpd_anon_write --> off
  allow_httpd_mod_auth_ntlm_winbind --> off
  allow_httpd_mod_auth_pam --> off
  allow_httpd_sys_script_anon_write --> off
  httpd_builtin_scripting --> on
  httpd_can_check_spam --> off
  httpd_can_network_connect --> off
  httpd_can_network_connect_cobbler --> off
  httpd_can_network_connect_db --> off
  httpd_can_network_memcache --> off
  httpd_can_network_relay --> off
  httpd_can_sendmail --> off
  httpd_dbus_avahi --> off
  httpd_enable_cgi --> on
  httpd_enable_ftp_server --> off
  httpd_enable_homedirs --> off
  httpd_execmem --> off
  httpd_read_user_content --> off
  httpd_setrlimit --> off
  httpd_ssi_exec --> off
  httpd_tmp_exec --> off
  httpd_tty_comm --> on
  httpd_unified --> off
  httpd_use_cifs --> off
  httpd_use_gpg --> off
  httpd_use_nfs --> off
  named_bind_http_port --> off

and semanage -o - gives:

  boolean -D
  boolean -1 httpd_builtin_scripting
  login -D
  login -a -s unconfined_u -r 's0-s0:c0.c1023' __default__
  login -a -s unconfined_u -r 's0-s0:c0.c1023' root
  login -a -s system_u -r 's0-s0:c0.c1023' system_u
  user -D
  port -D
  interface -D
  node -D
  fcontext -D

The problem is that opening marko1.php in the browser gives me the HTML found on http://www.example.com, and opening marko3.php produces the /tmp/example.html file on the server with the HTML found on http://www.example.com.

The requests for http://10.11.12.13:31254/, both PHP's and wget's, are not successful and are logged like:

  type=AVC msg=audit(1320370308.125:103): avc: denied { name_connect } for pid=1842 comm="wget" dest=31254 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
  type=AVC msg=audit(1320370308.980:104): avc: denied { name_connect } for pid=1656 comm="httpd" dest=31254 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

mod_proxy is commented out and not enabled (which is the default in F15, AFAIK).

Am I missing something, or has the documentation missed this little fact? ;)

-- 
Marko Uskokovic
Mainstream d.o.o.
www.mainstream.rs

-- 
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
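Editor's note with an added example (not part of the post above or of any SELinux tooling). The two AVC records in the post are worth reading closely: the denied target is `port_t`, the generic type SELinux gives a port that has no `semanage port` mapping, whereas port 80 carries `http_port_t`. The two requests are therefore not governed by the same allow rule, and a boolean listing alone cannot tell you why one succeeds. The script below parses AVC lines of the kind the post quotes (plus one constructed file-access denial, to show filtering), extracts the source domain, target port type and destination port, and builds the two follow-up commands a practitioner would run: a `sesearch` query (with `-C`, so conditional rules print the boolean they depend on) to see what, if anything, lets `httpd_t` reach a given port type with `httpd_can_network_connect` off, and a `semanage port` command that labels the odd port with the type of the service actually behind it. Labelling port 31254 as `http_port_t` (an assumption here, chosen because the post says Apache is listening there) is far narrower than enabling `httpd_can_network_connect`, which permits `httpd_t` to connect to every port. Nothing here runs those commands; it only generates them.

```python
"""Triage SELinux name_connect AVC denials from audit.log lines (added example)."""
import re

# Two records copied from the post above, plus a third, constructed, file
# denial that is NOT a name_connect event and must be filtered out.
SAMPLE_LOG = [
    'type=AVC msg=audit(1320370308.125:103): avc: denied { name_connect } for '
    'pid=1842 comm="wget" dest=31254 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1320370308.980:104): avc: denied { name_connect } for '
    'pid=1656 comm="httpd" dest=31254 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket',
    # constructed, not from the post
    'type=AVC msg=audit(1320370309.000:105): avc: denied { read } for '
    'pid=1656 comm="httpd" name="secret.txt" dev=dm-0 ino=12345 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
]

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, value in KV_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    # A context is user:role:type[:level]; the type is what policy rules key on.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            parts = rec[ctx].split(":")
            rec[ctx + "_type"] = parts[2] if len(parts) > 2 else rec[ctx]
    if "dest" in rec:
        rec["dest"] = int(rec["dest"])
    return rec


def triage(rec, service_port_type="http_port_t"):
    """For a tcp_socket name_connect denial, return the checks to run next.

    service_port_type is the type of the service really listening on the
    denied port; http_port_t is an assumption matching the post's Apache
    listener on 31254, not something derived from the log line.
    """
    if rec is None or rec.get("tclass") != "tcp_socket":
        return None
    if "name_connect" not in rec["perms"] or "dest" not in rec:
        return None
    src, tgt, port = rec["scontext_type"], rec["tcontext_type"], rec["dest"]
    # port_t is the fallback type for ports with no semanage port mapping;
    # a denial against it says nothing about which booleans are on or off.
    generic = tgt == "port_t"
    return {
        "comm": rec.get("comm"),
        "source_domain": src,
        "port_type": tgt,
        "port": port,
        "generic_port": generic,
        # Shows allow rules (conditional ones annotated with their boolean).
        "check": f"sesearch -A -C -s {src} -t {tgt} -c tcp_socket -p name_connect",
        # Narrow fix: give the port the service's own type instead of
        # opening every port with httpd_can_network_connect.
        "label_port": (f"semanage port -a -t {service_port_type} -p tcp {port}"
                       if generic else None),
    }


def summarize(lines):
    """Parse every line and keep only the name_connect denials worth acting on."""
    out = []
    for line in lines:
        t = triage(parse_avc(line))
        if t is not None:
            out.append(t)
    return out


if __name__ == "__main__":
    for entry in summarize(SAMPLE_LOG):
        print(f"{entry['comm']}: {entry['source_domain']} -> "
              f"{entry['port_type']} (tcp/{entry['port']})")
        print("  check:", entry["check"])
        if entry["label_port"]:
            print("  fix:  ", entry["label_port"])
```

Run the same `sesearch` with `-t http_port_t` against the working port-80 case; comparing the two outputs (unconditional rule, rule keyed to some other boolean, or nothing) is what answers the question in the post, and `audit2why < /var/log/audit/audit.log` gives the same information in prose form.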