httpd and tcp_connect
Daniel J Walsh
dwalsh at redhat.com
Wed Jan 24 13:58:14 UTC 2007
Wart wrote:
> I'm receiving the following avc denial from a game package that's
> under review[1]:
>
> Jan 21 10:55:49 localhost kernel: audit(1169405749.338:3): avc:
> denied { name_connect } for pid=2661 comm="httpd" dest=19382
> scontext=user_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
>
> The package includes a php-based web application and a python daemon
> backend. The php webapp communicates with the python daemon through
> tcp sockets.
>
> From the avc denial it appears that this communication fails because
> httpd is not allowed to establish tcp connections. This seems like a
> valid security restriction, except in this case I do want to allow it.
>
> How can I configure the httpd policy to allow tcp connections, but
> only to localhost and only on the python daemon's ports (19380-19383)?
>
> --Wart
Ok, this can be fixed in multiple different ways.

One would be to allow httpd to connect to any port:

    setsebool -P httpd_can_network_connect=1

This would lessen your security, since httpd would now be able to
connect to any port.

Another would be to add the ports to http_port_t via semanage:

    semanage port -a -t http_port_t -p tcp 19380-19383

This would be better in that http is allowed to connect to http_port_t
by default, but now it can also bind to these additional ports.

The best solution would be to make a loadable policy module and define
a new port, something like the following.
Create a te file like the following:

    # cat webapp.te
    policy_module(webapp, 1.0);

    require {
            type httpd_t;
    };

    # A dedicated port type, so the rule below covers only the ports
    # later labeled with it, not every port on the system.
    type webapp_port_t;

    # Allow httpd to connect to sockets on those ports, and nothing else.
    allow httpd_t webapp_port_t:tcp_socket name_connect;

Then build and load the module, and label the daemon's ports with the new type:

    # make -f /usr/share/selinux/targeted/include/Makefile webapp.pp
    # semodule -i webapp.pp
    # semanage port -a -t webapp_port_t -p tcp 19380-19383
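As an added example (not part of Dan's reply or the bug report), the shell function below turns an AVC line of the kind quoted above into that kind of narrow module and the commands that go with it, refusing anything that is not a tcp_socket name_connect denial. The module name and port range are assumed caller inputs; SAMPLE_AVC is the denial from the report.

```shell
# Added example, not from the original post. Generates a policy module that
# allows only name_connect from the denied domain to a dedicated port type,
# instead of turning on httpd_can_network_connect for every port.
SAMPLE_AVC='Jan 21 10:55:49 localhost kernel: audit(1169405749.338:3): avc: denied { name_connect } for pid=2661 comm="httpd" dest=19382 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket'
# avc_field LINE KEY: value of KEY=value in an AVC line, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | tr -d '"' | head -n 1
}
# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}
# gen_module AVC_LINE MODULE PORT_RANGE: print a .te source plus the build,
# load and label commands. Returns 1 for any other kind of denial.
gen_module() {
    avc=$1; mod=$2; range=$3
    perm=$(printf '%s\n' "$avc" | sed -n 's/.*denied { \([a-z_]*\) }.*/\1/p')
    [ "$perm" = name_connect ] || return 1
    [ "$(avc_field "$avc" tclass)" = tcp_socket ] || return 1
    sdom=$(ctx_type "$(avc_field "$avc" scontext)")
    ttype=$(ctx_type "$(avc_field "$avc" tcontext)")
    if [ "$ttype" = port_t ]; then
        # port_t labels every unassigned port; allowing it would be nearly as broad as the boolean.
        ptype=${mod}_port_t
        req="type $sdom;"
        decl="type $ptype;"
        label="# semanage port -a -t $ptype -p tcp $range"
    else
        # The port already has a specific type: reuse it, no relabeling needed.
        ptype=$ttype
        req="type $sdom; type $ptype;"
        decl="# $ptype already labels the port, no new type needed"
        label=""
    fi
    cat <<EOF
# ${mod}.te
policy_module($mod, 1.0);
require { $req };
$decl
allow $sdom $ptype:tcp_socket name_connect;
# make -f /usr/share/selinux/targeted/include/Makefile ${mod}.pp
# semodule -i ${mod}.pp
$label
EOF
}
gen_module "$SAMPLE_AVC" webapp 19380-19383
```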
> [1] https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=219972