SELinux article translation Supplement

Source: Internet
Author: User
Tags fpm switches

Originally I just wanted to write a CGI program in Python (Python will run shell scripts, shell scripts have IO operations) performed by the Apache server, resulting in a bunch of permissions issues. After executing the shell obviously/var/www/under a directory belonging to the Apache user and is 755, writing to the file is permission Denied. The CGI child process user is Apache. Previously heard of SELinux, and finally one day was stopped by it. A lot of documents were searched during the problem solving process, which saved the value and prevented the link from failing.

How to

https://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388

5.5 Allowing access to a port port number permission
We may want a service such as Apache-to is allowed to bind and listen for incoming connections on a non-standard port. By default, the SELinux policy would only allow services access to recognized ports associated with those services. If we wanted to allow Apache to listen on TCP port Bayi, we can add a rule to allow that using the ' semanage ' command:
We sometimes allow certain services (such as Apache) to be bound to listen for nonstandard port numbers (80). By default, SELinux only allows services to use the port numbers associated with these services, and if you want to allow Apache to listen on port 81, we need to semanage add a rule using the command.

Add: Man Semanage-port found that we can add a range of port numbers, but the format for range is not clearly stated in the document. Refer to Se,range using horizontal lines, for example semanage port -a -t http_port_t -p tcp 8000-8999 . According to the answer in SE, we must delete range when we add the range:semanage port --delete -t http_port_t -p tcp 8000-8999

A full list of ports. Services is permitted access by SELinux can is obtained with:
The list of all port numbers that can be used by the service can be obtained in the following way

Booleans
    • The following sections are translated into switches

The Boolean explanation: https://www.axivo.com/resources/selinux-booleans-explained.22/

I recently upgraded several servers to CentOS 6.6 release including live Axivo site and to my surprise, all PHP related APs Plications stopped working. After a closer look at servers logs, I noticed several denied AVC and SYSCALL into audit logs related to PHP-FPM and Nginx .

I recently upgraded to CentOS 6.6, but all the PHP-related programs were hung up. After careful review of the server logs, I found multiple AVC and Syscall rejections (errors) associated with PHP-FPM and Nginx in audit logs.

This tutorial would help you identify the audit rules and booleans related to a action or command blocked by Selinux in Re D Hat 6.6+. Start by validating the culprit:
This tutorial will help you find the audit rule and Boolean. First confirm the prisoner:

# ausearch -i -ts recent# ausearch -i -c nginx# ausearch -i -c php-fpm

Next, analyze the policy package:

# ausearch-c Nginx |        Audit2allow-m nginxmodule nginx 1.0;require {type httpd_t; Class Process {Execmem setrlimit};} #============= httpd_t ==============#!!!! This AVC can is allowed using the Boolean ' Httpd_execmem ' Allow httpd_t self:process execmem;#!!!! This AVC are allowed in the current Policyallow httpd_t self:process setrlimit;# ausearch-c php-fpm |       Audit2allow-m php-fpmmodule php-fpm 1.0;require {type mysqld_port_t;       Type httpd_t;       Type memcache_port_t;       Class process Setrlimit; Class Tcp_socket Name_connect;} #============= httpd_t ==============#!!!! This AVC can be allowed using one of the these booleans:# httpd_can_network_relay, Httpd_can_network_memcache, Httpd_c An_network_connectallow httpd_t memcache_port_t:tcp_socket name_connect;#!!!!  This AVC can be allowed using one of the these booleans:# httpd_can_network_connect, Httpd_can_network_connect_dballow httpd_t mysqld_port_t:tcp_socket name_connect;#!!!! This AVC can be allowed using the Boolean ' Httpd_setrlimit ' Allow httpd_t self:process setrlimit; 

The above example shows clearly what Boolean should is enabled. Verify the status of a specific Boolean and enable it, if necessary: The above information clearly indicates that the Boolean needs to be opened. Follow its prompts to verify that it is turned on if it is not open:

# sestatus -b | grep httpd_setrlimithttpd_setrlimit                             off# setsebool -P httpd_setrlimit on# sestatus -b | grep httpd_setrlimithttpd_setrlimit                             on

The

is careful what the Boolean you enable. For example, Httpd_execmem allows NGINX/PHP-FPM to execute programs requiring memory addresses that is both executable an D writeable. Enabling this Boolean isn't recommended from a security standpoint, as it reduces the protection against buffer overflows . Even if I noticed several alerts into audit logs, I-only enabled the following httpd booleans (beside the ones set to on B Y default): Be careful to turn on these switches, such as Httpd_execmem , which allows NGINX/PHP-FPM to execute programs that require memory space to execute and write. For security reasons, it is not recommended to turn on this switch because it reduces overflow protection. Even though I found several warnings in the audit log, I only turned on the following switches:

    • Httpd_can_network_connect-allows Nginx connections to network using TCP allows Nginx to connect to networks using TCP
    • Httpd_can_sendmail-allows nginx to send mail, commonly related to PHP sendmail allow Nginx to send mail, general and PHP SendMail related
    • Httpd_enable_cgi-allows Nginx to run PHP CGI related programs allow Nginx to run PHP CGI related programs
    • Httpd_setrlimit-allows Nginx To adjust the number of the file descriptors allows Nginx to adjust the upper limit of the descriptor

To list all Nginx related Booleans, run: Lists all Nginx-related Boolean

I did not enabled Httpd_can_network_relay because are needed only if Nginx is set as a forward/remote proxy. I also kept httpd_can_network_connect_db and httpd_can_network_memcache disabled because I already allow connections with Httpd_can_network_connect. I do not have httpd_can_network_relay enabled because it is only necessary to be an agent. Also keep httpd_can_network_connect_db and Httpd_can_network_memcache closed because I've opened the Httpd_can_network_connect

Could also generate and install a Non-base policy package:

# ausearch -c nginx | audit2allow -M nginx# semodule -i nginx.pp# chmod 0600 /etc/selinux/targeted/modules/active/modules/nginx.pp# ausearch -c php-fpm | audit2allow -M php-fpm# semodule -i php-fpm.pp# chmod 0600 /etc/selinux/targeted/modules/active/modules/php-fpm.pp

This was useful when no booleans was defined, for example the Postfix postdrop denials.

To view boolean information

Https://danwalsh.livejournal.com/64779.html

Use semanage the commands to view these Boolean descriptions

> semanage boolean -l | grep httpd_can_network_connecthttpd_can_network_connect_db   (off  ,  off)  Allow HTTPD scripts and modules to connect to databases over the network.httpd_can_network_connect      (off  ,  off)  Allow HTTPD scripts and modules to connect to the network using TCP.

The best way to do this is sesearch to view and, on the seinfo newer system (FEDORA/RHEL7), use the sepolicy command. In addition there are some man page already have: man httpd_selinux . sesearchand seinfo need to install the package setools-cmdline . sepolicyin the policycoreutils-python package.

Boolean httpd_can_network_connect_db
sesearch -A -s httpd_t -b httpd_can_network_connect_db -p name_connect   allow httpd_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ;   allow httpd_t mssql_port_t : tcp_socket name_connect ;   allow httpd_t oracle_port_t : tcp_socket name_connect ;   allow httpd_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ;   allow httpd_t gds_db_port_t : tcp_socket name_connect ;

sesearchhttpd_can_network_connect_dbWhat happens after you print out the settings: httpd_can_network_connect_db after you turn on the switch, the httpd_t will be able to connect on the labeled postgresql_port_t/mssql_port_t/oracle_port_t/mysqld_port_t/gds_db The port number of the _port_t. seinfoturn these port types into port definitions ( semanage port -l also rows) by command:

> seinfo  --port | grep -e postgresql_port_t -e mysqld_port_t -e oracle_port_t -e gds_db_port_t | grep tcp    portcon tcp 3050 system_u:object_r:gds_db_port_t:s0    portcon tcp 1186 system_u:object_r:mysqld_port_t:s0    portcon tcp 3306 system_u:object_r:mysqld_port_t:s0    portcon tcp 63132-63164 system_u:object_r:mysqld_port_t:s0    portcon tcp 1521 system_u:object_r:oracle_port_t:s0    portcon tcp 2483 system_u:object_r:oracle_port_t:s0    portcon tcp 2484 system_u:object_r:oracle_port_t:s0    portcon tcp 5432 system_u:object_r:postgresql_port_t:s0> sepolicy network -t postgresql_port_tpostgresql_port_t: tcp: 5432
Boolean Httpd_can_network_connect
> sesearch -A -s httpd_t -b httpd_can_network_connect -p name_connectFound 1 semantic av rules:   allow httpd_t port_type : tcp_socket name_connect ;

The above command shows that Httpd_can_network_connect allows httpd_t to connect to all TCP sockets types that has the Por T_type attribute.
Httpd_can_network_connect allows httpd to connect all TCP sockets with Port_type properties.

> seinfo -aport_type -x | wc -l245

Using Seinfo above would show you port_type are the attribute of all ports types, meaning that turning on the Httpd_can _network_connect Boolean, allows the httpd_t domain to connect to all TCP network ports.
The Seinfo command shows that Port_type is a property of all port types, so turning on this switch means that http_t can connect to all TCP network ports.

Bottom Line httpd_can_network_connect_db allows httpd_t-connect to a additional ports while HTTPD_CAN_NETW Ork_connect adds thousands.
Conclusion: HTTPD_CAN_NETWORK_CONNECT_DB allows httpd_t to connect more than 10 ports, while Httpd_can_network_connect is thousands of (basically all of them)

SELinux article translation Supplement

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.