httpd soap connection over https

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello,

I have read on this page :
Important
Modules created with audit2allow may allow more access than required. It is recommended that policy created with audit2allow be posted to an SELinux list, such as fedora-selinux-list, for review. If you believe their is a bug in policy, create a bug in Red Hat Bugzilla.

So here I post my issue first to make sure audit2allow is giving the perfect rule to be set and to ask for the best and most secure way to allow this.

I have been trying to connect to a remote soap over https on port 443 from a simple php script.
But selinux set to enforcing has been blocking the connection.

I have tried the three methods separately and each one of them allowed the php script to connect correctly to remote soap.

First I need to know which one of the three methods is best (which will give less privileges?). Does the audit2allow give a rule with "more access than required"?
Second, I want to ask if there is a way to allow remote soap for only https://www.domain.com and not any other ip address.

Please find php script, selinux log, audit2why output, audit2allow output and the three methods I have used to allow connection in postscript.

Thank you very much, I really appreciate your help.

Sincerely yours,
Ahmed Sghaier.



PS :


selinux log :

# grep '1346290066.999:85' /var/log/audit/audit.log
type=AVC msg=audit(1346290066.999:85): avc:  denied  { name_connect } for  pid=2021 comm="httpd" dest=1664 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1346290066.999:85): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7f65a9e33b18 a2=10 a3=40 items=0 ppid=2016 pid=2021 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)


Method 1 :
# setsebool -P allow_ypbind 1


Method 2 :
# setsebool -P httpd_can_network_connect 1


Method 3 :
# grep '1346290066.999:85' /var/log/audit/audit.log | audit2allow -M soap
# semodule -i soap.pp


audit2allow output :

# grep '1346290066.999:85' /var/log/audit/audit.log | audit2allow
#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     allow_ypbind, httpd_can_network_connect
allow httpd_t port_t:tcp_socket name_connect;


audit2why output :

# grep '1346290066.999:85' /var/log/audit/audit.log | audit2why
type=AVC msg=audit(1346290066.999:85): avc:  denied  { name_connect } for  pid=2021 comm="httpd" dest=1664 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

        Was caused by:
        One of the following booleans was set incorrectly.
        Description:
        Allow system to run with NIS

        Allow access by executing:
        # setsebool -P allow_ypbind 1
        Description:
        Allow HTTPD scripts and modules to connect to the network using TCP.

        Allow access by executing:
        # setsebool -P httpd_can_network_connect 1


php script :

<?php
try {
$soap = new SoapClient("https://www.domain.com/soap.wsdl");
echo "SoapLoaded\n";
//login
$session = $soap->login("user", "login"...);
echo "LoginSuccessfull\n";
//logout
$soap->logout($session);
echo "LogoutSuccessfull\n";
} catch(SoapFault $fault) {
echo $fault;
}
?>

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux