Hello,
I'm trying to configure a FastCGI service, but I'm getting AVCs, and I don't understand why they happen. It says that httpd_t is trying to connect to init_t, but the socket has the httpd_var_run_t label.
I have another FastCGI socket on the same server with the httpd_var_run_t label, and it works fine.
Is this a systemd bug?
These are my socket and service units:
# cat gitweb.socket
[Unit]
Description=GitWeb socket

[Socket]
SocketMode=0600
SocketUser=nginx
SocketGroup=nginx
ListenStream=/run/nginx/gitweb.sock
Accept=false

[Install]
WantedBy=multi-user.target

# cat gitweb.service
[Unit]
Description=GitWeb service

[Service]
Type=simple
ExecStart=/var/www/git/gitweb.cgi
User=nginx
Group=nginx
StandardInput=socket
# ps -efZ|grep nginx
system_u:system_r:httpd_t:s0    root   5270     1  0 10:01 ?  00:00:00 nginx: master process /usr/sbin/nginx
system_u:system_r:httpd_t:s0    nginx  5271  5270  0 10:01 ?  00:00:01 nginx: worker process
system_u:system_r:httpd_t:s0    nginx  5272  5270  0 10:01 ?  00:00:00 nginx: worker process
system_u:system_r:httpd_t:s0    nginx  5273  5270  0 10:01 ?  00:00:00 nginx: worker process
system_u:system_r:httpd_t:s0    nginx  5274  5270  0 10:01 ?  00:00:00 nginx: worker process

# ls -laZ /run/nginx (I get AVC denied when connecting to this socket)
total 0
drwxr-xr-x.  2 root  root  system_u:object_r:httpd_var_run_t:s0   60 may 29 09:59 .
drwxr-xr-x. 34 root  root  system_u:object_r:var_run_t:s0       1040 may 29 10:01 ..
srw-------.  1 nginx nginx system_u:object_r:httpd_var_run_t:s0    0 may 29 09:59 gitweb.sock

# ls -laZ /var/run/php-fpm (This socket works fine with the same label)
total 4
drwxr-xr-x.  2 root root system_u:object_r:httpd_var_run_t:s0   80 ene  1  1970 .
drwxr-xr-x. 34 root root system_u:object_r:var_run_t:s0       1040 may 29 10:01 ..
-rw-r--r--.  1 root root system_u:object_r:httpd_var_run_t:s0    3 ene  1  1970 php-fpm.pid
srw-rw----+  1 root root system_u:object_r:httpd_var_run_t:s0    0 ene  1  1970 www.sock
Detailed AVC:
Additional Information:
Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:init_t:s0
Target Objects                /run/nginx/gitweb.sock [ unix_stream_socket ]
Source                        nginx
Source Path                   nginx
Port                          <Unknown>
Host                          rpi
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.13.1-126.fc22.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     rpi
Platform                      Linux rpi 3.18.14-v7-jorti #1 SMP PREEMPT Wed May 27 22:11:40 CEST 2015 armv7l armv7l
Alert Count                   1
First Seen                    2015-05-29 10:01:42 CEST
Last Seen                     2015-05-29 10:01:42 CEST
Local ID                      785644e0-eeb9-4afc-8fd1-6f5c524d6dc5

Raw Audit Messages
type=AVC msg=audit(1432886502.500:2574): avc: denied { connectto } for pid=5271 comm="nginx" path="/run/nginx/gitweb.sock" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
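As an added illustration (not part of the thread), a small Python parser for the raw AVC record above that separates the two labels the question conflates: for connectto on a unix_stream_socket the kernel checks the source domain against the domain of the process that owns the listening socket (PID 1, init_t, when a systemd socket unit creates it), while the httpd_var_run_t label on the path only governs a separate sock_file write check.

```python
import re

# Constructed sample input: the raw AVC record quoted in the post above.
AVC_LINE = (
    'type=AVC msg=audit(1432886502.500:2574): avc: denied { connectto } '
    'for pid=5271 comm="nginx" path="/run/nginx/gitweb.sock" '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 '
    'tclass=unix_stream_socket permissive=0'
)

def split_context(ctx):
    """Split user:role:type:level into a dict (the MLS level may itself contain ':')."""
    user, role, stype, level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": stype, "level": level}

def parse_avc(line):
    """Parse one raw AVC record into decision, permissions and the key=value fields."""
    m = re.search(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}", line)
    if not m:
        raise ValueError("not an AVC record")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    return {
        "decision": m.group(1),
        "perms": m.group(2).split(),
        "comm": fields.get("comm"),
        "path": fields.get("path") or fields.get("name"),
        "tclass": fields.get("tclass"),
        "scontext": split_context(fields["scontext"]),
        "tcontext": split_context(fields["tcontext"]),
    }

def explain(avc):
    """Say which label the denied permission was actually checked against."""
    tctx = avc["tcontext"]
    # object_r is the role of file/socket labels; any other role is a process domain.
    target_is_process = tctx["role"] != "object_r"
    out = {"target_is_process": target_is_process, "target_type": tctx["type"]}
    if avc["tclass"] == "unix_stream_socket" and "connectto" in avc["perms"]:
        # connectto is checked against the domain of the process that owns the
        # listening socket (PID 1 / init_t for a systemd socket-activated unit);
        # the sock_file label on the path only governs a separate sock_file write check.
        out["checked_against"] = "domain of the process holding the listening socket"
    elif target_is_process:
        out["checked_against"] = "process domain"
    else:
        out["checked_against"] = "object label of " + str(avc["path"])
    return out
```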
On 05/29/2015 10:32 AM, Juan Orti Alcaine wrote:
> # ls -laZ /var/run/php-fpm (This socket works fine with the same label)
Do you have the same unit file here?
selinux@lists.fedoraproject.org