AVC denied when connecting to a socket

Miroslav Grepl mgrepl at redhat.com
Mon Jun 1 14:59:59 UTC 2015


On 05/29/2015 10:32 AM, Juan Orti Alcaine wrote:
> Hello,
> 
> I'm trying to configure a FastCGI service, but I'm getting AVCs that I
> don't understand why they happen. It says that httpd_t is trying to connect
> to init_t, but the socket has the httpd_var_run_t label.
> 
> I have another FastCGI socket on the same server with the httpd_var_run_t
> label, and it works fine.
> 
> Is this a systemd bug?
> 
> This is my socket and service units:
> 
> # cat gitweb.socket
> [Unit]
> Description=GitWeb socket
> 
> [Socket]
> SocketMode=0600
> SocketUser=nginx
> SocketGroup=nginx
> ListenStream=/run/nginx/gitweb.sock
> Accept=false
> 
> [Install]
> WantedBy=multi-user.target
> 
> # cat gitweb.service
> [Unit]
> Description=GitWeb service
> 
> [Service]
> Type=simple
> ExecStart=/var/www/git/gitweb.cgi
> User=nginx
> Group=nginx
> StandardInput=socket
> 
> # ps -efZ|grep nginx
> system_u:system_r:httpd_t:s0    root      5270     1  0 10:01 ?        00:00:00 nginx: master process /usr/sbin/nginx
> system_u:system_r:httpd_t:s0    nginx     5271  5270  0 10:01 ?        00:00:01 nginx: worker process
> system_u:system_r:httpd_t:s0    nginx     5272  5270  0 10:01 ?        00:00:00 nginx: worker process
> system_u:system_r:httpd_t:s0    nginx     5273  5270  0 10:01 ?        00:00:00 nginx: worker process
> system_u:system_r:httpd_t:s0    nginx     5274  5270  0 10:01 ?        00:00:00 nginx: worker process
> 
> # ls -laZ /run/nginx  (I get AVC denied when connecting to this socket)
> total 0
> drwxr-xr-x.  2 root  root  system_u:object_r:httpd_var_run_t:s0   60 may 29 09:59 .
> drwxr-xr-x. 34 root  root  system_u:object_r:var_run_t:s0       1040 may 29 10:01 ..
> srw-------.  1 nginx nginx system_u:object_r:httpd_var_run_t:s0    0 may 29 09:59 gitweb.sock
> 
> # ls -laZ /var/run/php-fpm  (This socket works fine with the same label)
Do you have the same unit file here?
> total 4
> drwxr-xr-x.  2 root root system_u:object_r:httpd_var_run_t:s0   80 ene  1  1970 .
> drwxr-xr-x. 34 root root system_u:object_r:var_run_t:s0       1040 may 29 10:01 ..
> -rw-r--r--.  1 root root system_u:object_r:httpd_var_run_t:s0    3 ene  1  1970 php-fpm.pid
> srw-rw----+  1 root root system_u:object_r:httpd_var_run_t:s0    0 ene  1  1970 www.sock
> 
> 
> Detailed AVC:
> 
> Additional Information:
> Source Context                system_u:system_r:httpd_t:s0
> Target Context                system_u:system_r:init_t:s0
> Target Objects                /run/nginx/gitweb.sock [ unix_stream_socket ]
> Source                        nginx
> Source Path                   nginx
> Port                          <Unknown>
> Host                          rpi
> Source RPM Packages
> Target RPM Packages
> Policy RPM                    selinux-policy-3.13.1-126.fc22.noarch
> Selinux Enabled               True
> Policy Type                   targeted
> Enforcing Mode                Enforcing
> Host Name                     rpi
> Platform                      Linux rpi 3.18.14-v7-jorti #1 SMP PREEMPT Wed May 27 22:11:40 CEST 2015 armv7l armv7l
> Alert Count                   1
> First Seen                    2015-05-29 10:01:42 CEST
> Last Seen                     2015-05-29 10:01:42 CEST
> Local ID                      785644e0-eeb9-4afc-8fd1-6f5c524d6dc5
> 
> Raw Audit Messages
> type=AVC msg=audit(1432886502.500:2574): avc:  denied  { connectto } for  pid=5271 comm="nginx" path="/run/nginx/gitweb.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
> 


-- 
Miroslav Grepl
Senior Software Engineer, SELinux Solutions
Red Hat, Inc.
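The denial quoted in this thread, parsed the way an audit-triage script would parse it. This is an added example, not code from the thread or from the SELinux project: it splits a raw AVC record into fields and checks whether the target context is process-derived (role `system_r` rather than `object_r`), which is what distinguishes the `unix_stream_socket` object that the listening process created from the `sock_file` node on disk that `ls -Z` labels. `AVC_LINE` and `FILE_LABEL` are the thread's own values with the archive's line wrapping removed; `SOCK_FILE_LINE` is a constructed contrast record and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# The raw AVC record quoted in the thread, rejoined onto one line.
AVC_LINE = (
    'type=AVC msg=audit(1432886502.500:2574): avc:  denied  { connectto } '
    'for  pid=5271 comm="nginx" path="/run/nginx/gitweb.sock" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0'
)

# Label of the socket path as shown by `ls -Z /run/nginx` in the thread.
FILE_LABEL = "system_u:object_r:httpd_var_run_t:s0"

# Constructed contrast record (assumption, not from the thread): a denial on the
# on-disk socket node. Its class is sock_file and its label is the file label.
SOCK_FILE_LINE = (
    'type=AVC msg=audit(1432886502.500:2575): avc:  denied  { write } '
    'for  pid=5271 comm="nginx" name="gitweb.sock" dev="tmpfs" ino=12345 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:httpd_var_run_t:s0 tclass=sock_file permissive=0'
)

# Object classes whose target context is the socket object's own label, i.e.
# the context of the process that created it, not a filesystem label.
SOCKET_CLASSES = {"unix_stream_socket", "unix_dgram_socket",
                  "tcp_socket", "udp_socket", "socket"}


@dataclass
class Avc:
    timestamp: float
    serial: int
    result: str          # "denied" or "granted"
    perms: list
    fields: dict = field(default_factory=dict)


_HEADER = re.compile(
    r'type=AVC msg=audit\((\d+\.\d+):(\d+)\): avc:\s+(denied|granted)\s+'
    r'\{\s*([^}]*?)\s*\}\s+for\s+(.*)$'
)
# key=value pairs; quoted values may contain spaces.
_FIELD = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_avc(line):
    """Split one raw AVC record into timestamp, serial, result, perms, fields."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    ts, serial, result, perms, rest = m.groups()
    fields = {}
    for key, value in _FIELD.findall(rest):
        fields[key] = value[1:-1] if value.startswith('"') else value
    return Avc(float(ts), int(serial), result, perms.split(), fields)


def ctx_parts(ctx):
    """Return (user, role, type) of a security context; the MLS range is ignored."""
    user, role, type_, *_ = ctx.split(":")
    return user, role, type_


def diagnose(avc, path_label=None):
    """Explain what the target of a denial actually is.

    A target role other than object_r means the label was inherited from a
    process rather than assigned by a file-context rule, so the path label
    shown by `ls -Z` is not what the access check was evaluated against.
    """
    tclass = avc.fields.get("tclass")
    _, trole, ttype = ctx_parts(avc.fields["tcontext"])
    _, _, stype = ctx_parts(avc.fields["scontext"])
    process_derived = trole != "object_r"
    report = {
        "socket_class": tclass in SOCKET_CLASSES,
        "source_domain": stype,
        "target_type": ttype,
        "process_derived_target": process_derived,
        "creator_domain": ttype if process_derived else None,
        "path_label_mismatch": False,
    }
    if path_label is not None:
        _, _, ptype = ctx_parts(path_label)
        report["path_label_mismatch"] = ptype != ttype
    return report


if __name__ == "__main__":
    for line in (AVC_LINE, SOCK_FILE_LINE):
        avc = parse_avc(line)
        r = diagnose(avc, FILE_LABEL)
        print(avc.fields["tclass"], avc.perms, r)
```

Run against the thread's record, the report says the target is process-derived with creator domain `init_t` and that the path label `httpd_var_run_t` does not match, which is exactly the situation a socket created by a process in another domain (here the one systemd runs in) produces; the constructed `sock_file` record reports neither, because that class is the filesystem node and its label is the file label.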

