Hello,
I'm trying to configure a FastCGI service, but I'm getting AVCs and I
don't understand why they happen. It says that httpd_t is trying to connect
to init_t, but the socket has the httpd_var_run_t label.
I have another FastCGI socket on the same server with the httpd_var_run_t
label, and it works fine.
Is this a systemd bug?
These are my socket and service units:
# cat gitweb.socket
[Unit]
Description=GitWeb socket
[Socket]
SocketMode=0600
SocketUser=nginx
SocketGroup=nginx
ListenStream=/run/nginx/gitweb.sock
Accept=false
[Install]
WantedBy=multi-user.target
# cat gitweb.service
[Unit]
Description=GitWeb service
[Service]
Type=simple
ExecStart=/var/www/git/gitweb.cgi
User=nginx
Group=nginx
StandardInput=socket
# ps -efZ|grep nginx
system_u:system_r:httpd_t:s0 root 5270 1 0 10:01 ? 00:00:00 nginx: master process /usr/sbin/nginx
system_u:system_r:httpd_t:s0 nginx 5271 5270 0 10:01 ? 00:00:01 nginx: worker process
system_u:system_r:httpd_t:s0 nginx 5272 5270 0 10:01 ? 00:00:00 nginx: worker process
system_u:system_r:httpd_t:s0 nginx 5273 5270 0 10:01 ? 00:00:00 nginx: worker process
system_u:system_r:httpd_t:s0 nginx 5274 5270 0 10:01 ? 00:00:00 nginx: worker process
# ls -laZ /run/nginx (I get AVC denied when connecting to this socket)
total 0
drwxr-xr-x. 2 root root system_u:object_r:httpd_var_run_t:s0 60 may 29 09:59 .
drwxr-xr-x. 34 root root system_u:object_r:var_run_t:s0 1040 may 29 10:01 ..
srw-------. 1 nginx nginx system_u:object_r:httpd_var_run_t:s0 0 may 29 09:59 gitweb.sock
# ls -laZ /var/run/php-fpm (This socket works fine with the same label)
total 4
drwxr-xr-x. 2 root root system_u:object_r:httpd_var_run_t:s0 80 ene 1 1970 .
drwxr-xr-x. 34 root root system_u:object_r:var_run_t:s0 1040 may 29 10:01 ..
-rw-r--r--. 1 root root system_u:object_r:httpd_var_run_t:s0 3 ene 1 1970 php-fpm.pid
srw-rw----+ 1 root root system_u:object_r:httpd_var_run_t:s0 0 ene 1 1970 www.sock
Detailed AVC:
Additional Information:
Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:init_t:s0
Target Objects /run/nginx/gitweb.sock [ unix_stream_socket ]
Source nginx
Source Path nginx
Port <Unknown>
Host rpi
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.13.1-126.fc22.noarch
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rpi
Platform Linux rpi 3.18.14-v7-jorti #1 SMP PREEMPT Wed May 27 22:11:40 CEST 2015 armv7l armv7l
Alert Count 1
First Seen 2015-05-29 10:01:42 CEST
Last Seen 2015-05-29 10:01:42 CEST
Local ID 785644e0-eeb9-4afc-8fd1-6f5c524d6dc5
Raw Audit Messages
type=AVC msg=audit(1432886502.500:2574): avc: denied { connectto } for pid=5271 comm="nginx" path="/run/nginx/gitweb.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
--
Juan Orti
https://miceliux.com
GPG key:
https://miceliux.com/pub/pubkey.asc
GPG fingerprint: 61F0 8272 6882 BCA6 3A35 88F6 B630 4B72 DEEB D08B
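The confusing part of the AVC above is that the target context is a process domain (init_t, role system_r) rather than the file label shown by ls -Z. A unix_stream_socket object carries the domain of the process that created it, so when systemd creates the listening socket on the service's behalf, connectto is checked against init_t, not against httpd_var_run_t on the path. The following small parser, an added example and not part of the original post, reads a raw AVC record and reports which kind of object the decision was really made against; the sample records are constructed copies of the quoted line plus one file-style denial for contrast.

```python
import re

# Constructed sample: copy of the raw audit record quoted in the post.
SAMPLE_AVC = (
    'type=AVC msg=audit(1432886502.500:2574): avc: denied { connectto } '
    'for pid=5271 comm="nginx" path="/run/nginx/gitweb.sock" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0'
)

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
_PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')

def parse_avc(line):
    """Split one raw AVC line into a dict of key=value fields plus the permission set."""
    rec = {k: v.strip('"') for k, v in _KV.findall(line)}
    m = _PERMS.search(line)
    if not m or "scontext" not in rec or "tcontext" not in rec:
        raise ValueError("not an AVC record: %r" % line)
    rec["decision"] = m.group(1)
    rec["perms"] = m.group(2).split()
    return rec

def split_context(ctx):
    """user:role:type[:level] -> dict; the level may itself contain colons."""
    user, role, typ, *rest = ctx.split(":")
    return {"user": user, "role": role, "type": typ, "level": ":".join(rest)}

def target_kind(rec):
    """'object' when tcontext is a file/object label (object_r), otherwise 'process'."""
    return "object" if split_context(rec["tcontext"])["role"] == "object_r" else "process"

def explain(rec):
    """State which security context the denied access was actually checked against."""
    s = split_context(rec["scontext"])["type"]
    t = split_context(rec["tcontext"])["type"]
    where = rec.get("path") or rec.get("name", "?")
    rule = "%s -> %s:%s { %s }" % (s, t, rec["tclass"], " ".join(rec["perms"]))
    if target_kind(rec) == "process":
        # Socket objects inherit the creating process's domain, so the file label
        # on the path is not what the kernel compared here.
        return (rule + ": target is the domain of the process that created the "
                "socket %s, not the label of that path" % where)
    return rule + ": target is the label of %s" % where

if __name__ == "__main__":
    print(explain(parse_avc(SAMPLE_AVC)))
```

Run against the quoted record it reports that httpd_t was checked against init_t's unix_stream_socket, which is why the php-fpm socket (created by php-fpm itself, not by systemd) behaves differently despite the identical file label.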