AVC denied when connecting to a socket
Miroslav Grepl
mgrepl at redhat.com
Mon Jun 1 14:59:59 UTC 2015
On 05/29/2015 10:32 AM, Juan Orti Alcaine wrote:
> Hello,
>
> I'm trying to configure a FastCGI service, but I'm getting AVCs that I
> don't understand the cause of. It says that httpd_t is trying to connect
> to init_t, but the socket has the httpd_var_run_t label.
>
> I have another FastCGI socket on the same server with the httpd_var_run_t
> label, and it works fine.
>
> Is this a systemd bug?
>
> These are my socket and service units:
>
> # cat gitweb.socket
> [Unit]
> Description=GitWeb socket
>
> [Socket]
> SocketMode=0600
> SocketUser=nginx
> SocketGroup=nginx
> ListenStream=/run/nginx/gitweb.sock
> Accept=false
>
> [Install]
> WantedBy=multi-user.target
>
> # cat gitweb.service
> [Unit]
> Description=GitWeb service
>
> [Service]
> Type=simple
> ExecStart=/var/www/git/gitweb.cgi
> User=nginx
> Group=nginx
> StandardInput=socket
>
> # ps -efZ|grep nginx
> system_u:system_r:httpd_t:s0 root 5270 1 0 10:01 ?
> 00:00:00 nginx: master process /usr/sbin/nginx
> system_u:system_r:httpd_t:s0 nginx 5271 5270 0 10:01 ?
> 00:00:01 nginx: worker process
> system_u:system_r:httpd_t:s0 nginx 5272 5270 0 10:01 ?
> 00:00:00 nginx: worker process
> system_u:system_r:httpd_t:s0 nginx 5273 5270 0 10:01 ?
> 00:00:00 nginx: worker process
> system_u:system_r:httpd_t:s0 nginx 5274 5270 0 10:01 ?
> 00:00:00 nginx: worker process
>
> # ls -laZ /run/nginx (I get AVC denied when connecting to this socket)
> total 0
> drwxr-xr-x. 2 root root system_u:object_r:httpd_var_run_t:s0 60
> may 29 09:59 .
> drwxr-xr-x. 34 root root system_u:object_r:var_run_t:s0 1040
> may 29 10:01 ..
> srw-------. 1 nginx nginx system_u:object_r:httpd_var_run_t:s0 0
> may 29 09:59 gitweb.sock
>
> # ls -laZ /var/run/php-fpm (This socket works fine with the same label)
Do you have the same unit file here?
> total 4
> drwxr-xr-x. 2 root root system_u:object_r:httpd_var_run_t:s0 80 ene
> 1 1970 .
> drwxr-xr-x. 34 root root system_u:object_r:var_run_t:s0 1040 may
> 29 10:01 ..
> -rw-r--r--. 1 root root system_u:object_r:httpd_var_run_t:s0 3 ene
> 1 1970 php-fpm.pid
> srw-rw----+ 1 root root system_u:object_r:httpd_var_run_t:s0 0 ene
> 1 1970 www.sock
>
>
> Detailed AVC:
>
> Additional Information:
> Source Context system_u:system_r:httpd_t:s0
> Target Context system_u:system_r:init_t:s0
> Target Objects /run/nginx/gitweb.sock [ unix_stream_socket ]
> Source nginx
> Source Path nginx
> Port <Unknown>
> Host rpi
> Source RPM Packages
> Target RPM Packages
> Policy RPM selinux-policy-3.13.1-126.fc22.noarch
> Selinux Enabled True
> Policy Type targeted
> Enforcing Mode Enforcing
> Host Name rpi
> Platform Linux rpi 3.18.14-v7-jorti #1 SMP PREEMPT Wed May
> 27 22:11:40 CEST 2015 armv7l armv7l
> Alert Count 1
> First Seen 2015-05-29 10:01:42 CEST
> Last Seen 2015-05-29 10:01:42 CEST
> Local ID 785644e0-eeb9-4afc-8fd1-6f5c524d6dc5
>
> Raw Audit Messages
> type=AVC msg=audit(1432886502.500:2574): avc: denied { connectto }
> for pid=5271 comm="nginx" path="/run/nginx/gitweb.sock"
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> permissive=0
>
--
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
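The puzzle in the quoted report is that the AVC names init_t as the target even though the socket file on disk is labelled httpd_var_run_t. For a connectto check on a unix_stream_socket, SELinux compares the connecting domain against the label of the listening socket object, and a socket object inherits the domain of the process that created it; with a systemd .socket unit that creator is systemd itself (init_t), so the label on the path /run/nginx/gitweb.sock never enters into this check. The following script is an added example, not code from the thread or from the SELinux project: it parses raw AVC records, extracts the source and target types, and flags this socket-activation pattern, printing the allow rule that audit2allow would derive for a local policy module. The first record is the one quoted in the thread (joined onto one line); the second is a constructed contrast in which the listening socket was created by a process already in httpd_t.

```python
import re
from dataclasses import dataclass

# Raw AVC record quoted in the thread, re-joined onto one line.
THREAD_AVC = (
    'type=AVC msg=audit(1432886502.500:2574): avc: denied { connectto } '
    'for pid=5271 comm="nginx" path="/run/nginx/gitweb.sock" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0'
)

# Constructed contrast (not from the thread): same permission, but the
# listening socket carries httpd_t because an httpd_t process created it.
CONSTRUCTED_AVC = (
    'type=AVC msg=audit(1432886600.000:2600): avc: denied { connectto } '
    'for pid=5272 comm="nginx" path="/run/php-fpm/www.sock" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=unix_stream_socket permissive=0'
)

_PERMS = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*)\}')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Avc:
    result: str      # "denied" or "granted"
    perms: list      # permissions inside the braces, e.g. ["connectto"]
    fields: dict     # key=value pairs such as scontext, tcontext, tclass, path

    def ctx_type(self, key):
        """Return the type component of a user:role:type:level context."""
        return self.fields[key].split(':')[2]


def parse_avc(line):
    """Parse one raw AVC record into an Avc; raise ValueError for other records."""
    m = _PERMS.search(line)
    if not m:
        raise ValueError('not an AVC record: %r' % line)
    fields = {k: v.strip('"') for k, v in _KV.findall(line)}
    return Avc(m.group(1), m.group(2).split(), fields)


def explain_connectto(avc):
    """Explain a unix_stream_socket connectto denial in terms of socket ownership.

    Returns None for records that are not this kind of denial. The target type
    is the domain of the process that created the listening socket, never the
    file type of the socket's path, so an init_t target means the socket was
    created by systemd (socket activation).
    """
    if avc.result != 'denied' or 'connectto' not in avc.perms:
        return None
    if avc.fields.get('tclass') != 'unix_stream_socket':
        return None
    src, tgt = avc.ctx_type('scontext'), avc.ctx_type('tcontext')
    path = avc.fields.get('path', '<unknown>')
    if tgt == 'init_t':
        reason = ('listening socket was created by systemd (socket activation), '
                  'so it carries the creator domain init_t; the file label on '
                  '%s does not apply to this check' % path)
    else:
        reason = 'listening socket carries the creator domain %s' % tgt
    # Same rule audit2allow would emit for a local policy module.
    rule = 'allow %s %s:unix_stream_socket connectto;' % (src, tgt)
    return {'source': src, 'target': tgt, 'path': path,
            'reason': reason, 'allow_rule': rule}


if __name__ == '__main__':
    for line in (THREAD_AVC, CONSTRUCTED_AVC):
        info = explain_connectto(parse_avc(line))
        print('%s -> %s on %s' % (info['source'], info['target'], info['path']))
        print('  why:  %s' % info['reason'])
        print('  rule: %s' % info['allow_rule'])
```

Running the script on the quoted record reports httpd_t -> init_t with the socket-activation explanation and the rule `allow httpd_t init_t:unix_stream_socket connectto;`, which is what a local module built from audit2allow would contain; a distribution policy typically exposes the same permission through an interface for connecting to init_t stream sockets, and either route grants only that one permission rather than relabelling anything. The constructed record, by contrast, names httpd_t as the target and gets the generic explanation.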