FastCGI applications

Daniel J Walsh dwalsh at redhat.com
Mon May 15 18:23:13 UTC 2006


Paul Howarth wrote:
> I've just moved my personal moin wiki from mod_python to FastCGI for 
> performance reasons (it's well worth it!). For people that don't know, 
> FastCGI works by starting up one or more copies of a CGI application 
> and then keeping them running, passing requests from server to 
> application over a socket. This avoids the startup overhead of the CGI 
> application for each request that is necessary with regular CGI.
>
> I needed the policy module below to get it working. I'm not sure what 
> exactly all of the "allows" are allowing, so advice would be welcome 
> (sample AVCs included).
>
> Regarding support for FastCGI in the standard policy, perhaps 
> appropriate rules could be added under a boolean httpd_enable_fastcgi 
> or even added to the features enabled with httpd_enable_cgi?
>
> policy_module(apache, 0.1.0)
>
> require {
>         type httpd_sys_script_t;
>         type httpd_log_t;
>         type httpd_t;
>         type devpts_t;
>         type var_run_t;
> };
>
> # ==========================================================
> # Needed for mod_fcgid
> # ==========================================================
>
> # This is the FastCGI application doing something to the httpd error log
> # ----------------------------------------------------------------------
> #type=AVC msg=audit(1147697748.197:15226): avc:  denied  { ioctl } for 
> pid=15684 comm="python" name="error_log" dev=dm-4 ino=851988 
> scontext=user_u:system_r:httpd_sys_script_t:s0 
> tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
> #type=SYSCALL msg=audit(1147697748.197:15226): arch=40000003 
> syscall=54 success=no exit=-25 a0=1 a1=5401 a2=bffd4cf8 a3=bffd4d38 
> items=0 pid=15684 auid=4294967295 uid=48 gid=48 euid=48 suid=48 
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
> #type=AVC_PATH msg=audit(1147697748.197:15226): 
> path="/var/log/httpd/error_log"
> allow httpd_sys_script_t httpd_log_t:file ioctl;
Would dontaudit work?
>
> # This is the FastCGI application listening for FastCGI requests on 
> its socket
> allow httpd_sys_script_t httpd_t:unix_stream_socket { accept getattr 
> ioctl listen };
>
Might be worth creating a new type for this httpd_fastcgi_script_t???

> # Not sure what this is doing
> # ---------------------------
> #type=AVC msg=audit(1147699050.131:15341): avc:  denied  { ioctl } for 
> pid=16705 comm="httpd" name="2" dev=devpts ino=4 
> scontext=user_u:system_r:httpd_t:s0 
> tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
> #type=SYSCALL msg=audit(1147699050.131:15341): arch=40000003 
> syscall=54 success=yes exit=0 a0=0 a1=5401 a2=bff4ee38 a3=bff4ee78 
> items=0 pid=16705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
> egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
> #type=AVC_PATH msg=audit(1147699050.131:15341):  path="/dev/pts/2"
> allow httpd_t devpts_t:chr_file ioctl;
> # perhaps it should be term_ioctl_generic_ptys(httpd_t)
Should probably be dontaudit.  term_dontaudit_use_generic_ptys(httpd_t)
ioctl not handled by this right now, but it would probably have been prevented if you were not running in permissive mode.


>
> # mod_fcgid setting attr of its socket dir
> # ----------------------------------------
> # type=AVC msg=audit(1147697688.037:15216): avc:  denied  { setattr } for 
> pid=15656 comm="httpd" name="mod_fcgid" dev=dm-4 ino=458818 
> scontext=user_u:system_r:httpd_t:s0 
> tcontext=system_u:object_r:var_run_t:s0 tclass=dir
> # type=SYSCALL msg=audit(1147697688.037:15216): arch=40000003 syscall=212 
> success=yes exit=0 a0=91aa148 a1=30 a2=ffffffff a3=30 items=1 pid=15656 
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
> # type=CWD msg=audit(1147697688.037:15216):  cwd="/"
> # type=PATH msg=audit(1147697688.037:15216): item=0 
> name="/etc/httpd/run/mod_fcgid" flags=1  inode=458818 dev=fd:04 
> mode=040755 ouid=48 ogid=48 rdev=00:00
> allow httpd_t var_run_t:dir setattr;
>
What dir is it doing this to?  Should this directory be labeled 
httpd_var_run_t?
>
> Paul.
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
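An added example (mine, not Paul's policy module or anything from the list) that parses the AVC and SYSCALL records quoted in the thread, merges them into the same allow rules Paul wrote, and flags the two points Dan raises: a SYSCALL with success=yes beside a denial means the domain ran permissive, and a generic target type such as var_run_t or devpts_t points to relabeling or dontaudit rather than a blanket allow. The GENERIC_TARGET_TYPES set is my own heuristic, not something the thread states.

```python
import re
from collections import defaultdict

# Constructed sample: the thread's three denials and their SYSCALL records, unwrapped and trimmed.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1147697748.197:15226): avc:  denied  { ioctl } for pid=15684 comm="python" name="error_log" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1147697748.197:15226): arch=40000003 syscall=54 success=no exit=-25 comm="python" exe="/usr/bin/python"
type=AVC msg=audit(1147699050.131:15341): avc:  denied  { ioctl } for pid=16705 comm="httpd" name="2" dev=devpts scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=SYSCALL msg=audit(1147699050.131:15341): arch=40000003 syscall=54 success=yes exit=0 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1147697688.037:15216): avc:  denied  { setattr } for pid=15656 comm="httpd" name="mod_fcgid" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=SYSCALL msg=audit(1147697688.037:15216): arch=40000003 syscall=212 success=yes exit=0 comm="httpd" exe="/usr/sbin/httpd"
"""

AVC_RE = re.compile(r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+\{(?P<perms>[^}]+)\}"
                    r".*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)")
SYSCALL_RE = re.compile(r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\):.*?success=(?P<success>yes|no)")

# Heuristic (my assumption, not from the thread): a denial against one of these generic types
# usually means the object is mislabeled; fix the file context (e.g. httpd_var_run_t) or dontaudit.
GENERIC_TARGET_TYPES = {"var_run_t", "var_t", "tmp_t", "etc_t", "devpts_t"}

def parse_audit(text):
    """Parse AVC records and pair each with its SYSCALL record by audit serial number."""
    syscall_ok = {m["serial"]: m["success"] == "yes" for m in SYSCALL_RE.finditer(text)}
    return [{
        "serial": m["serial"],
        "perms": set(m["perms"].split()),
        "stype": m["scon"].split(":")[2],   # source domain, e.g. httpd_t
        "ttype": m["tcon"].split(":")[2],   # target type, e.g. var_run_t
        "tclass": m["tclass"],
        # success=yes on a *denied* access means the domain ran permissive: logged, not enforced.
        "permissive": syscall_ok.get(m["serial"], False),
    } for m in AVC_RE.finditer(text)]

def suggest_rules(denials):
    """Merge denials into allow rules, one per (source, target, class), as audit2allow would."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]

def triage(denials):
    """Flag the two cases raised in the thread before copying a suggested allow rule in."""
    return {d["serial"]: [msg for cond, msg in (
        (d["permissive"], "not enforced (permissive)"),
        (d["ttype"] in GENERIC_TARGET_TYPES, "generic target type: relabel or dontaudit instead of allow"),
    ) if cond] for d in denials}
```

Run against the sample, suggest_rules() reproduces Paul's three allow lines, and triage() marks the devpts and var_run_t denials as both unenforced and candidates for dontaudit or relabeling.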
