[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: FastCGI applications



Paul Howarth wrote:
I've just moved my personal moin wiki from mod_python to FastCGI for performance reasons (it's well worth it!). For people that don't know, FastCGI works by starting up one or more copies of a CGI application and then keeping them running, passing requests from server to application over a socket. This avoids the startup overhead of the CGI application for each request that is necessary with regular CGI.

I needed the policy module below to get it working. I'm not sure what exactly all of the "allows" are allowing, so advice would be welcome (sample AVCs included).

Regarding support for FastCGI in the standard policy, perhaps appropriate rules could be added under a boolean httpd_enable_fastcgi or even added to the features enabled with httpd_enable_cgi?

policy_module(apache, 0.1.0)

require {
        type httpd_sys_script_t;
        type httpd_log_t;
        type httpd_t;
        type devpts_t;
        type var_run_t;
};

# ==========================================================
# Needed for mod_fcgid
# ==========================================================

# This is the FastCGI application doing something to the httpd error log
# ----------------------------------------------------------------------
#type=AVC msg=audit(1147697748.197:15226): avc: denied { ioctl } for pid=15684 comm="python" name="error_log" dev=dm-4 ino=851988 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file #type=SYSCALL msg=audit(1147697748.197:15226): arch=40000003 syscall=54 success=no exit=-25 a0=1 a1=5401 a2=bffd4cf8 a3=bffd4d38 items=0 pid=15684 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python" #type=AVC_PATH msg=audit(1147697748.197:15226): path="/var/log/httpd/error_log"
allow httpd_sys_script_t httpd_log_t:file ioctl;
Would dontaudit work?

# This is the FastCGI application listening for FastCGI requests on its socket allow httpd_sys_script_t httpd_t:unix_stream_socket { accept getattr ioctl listen };

Might be worth creating a new type for this httpd_fastcgi_script_t???

# Not sure what this is doing
# ---------------------------
#type=AVC msg=audit(1147699050.131:15341): avc: denied { ioctl } for pid=16705 comm="httpd" name="2" dev=devpts ino=4 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file #type=SYSCALL msg=audit(1147699050.131:15341): arch=40000003 syscall=54 success=yes exit=0 a0=0 a1=5401 a2=bff4ee38 a3=bff4ee78 items=0 pid=16705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
#type=AVC_PATH msg=audit(1147699050.131:15341):  path="/dev/pts/2"
allow httpd_t devpts_t:chr_file ioctl;
# perhaps it should be term_ioctl_generic_ptys(httpd_t)
Should probably be dontaudit. term_dontaudit_use_generic_ptys(httpd_t) ioctl not handled by this right now, but it would probably have been prevented if you were not
running in permissive mode.



# mod_fcgid setting attr of its socket dir
# ---------------------------------------- # type=AVC msg=audit(1147697688.037:15216): avc: denied { setattr } for pid=15656 comm="httpd" name="mod_fcgid" dev=dm-4 ino=458818 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir # type=SYSCALL msg=audit(1147697688.037:15216): arch=40000003 syscall=212 success=yes exit=0 a0=91aa148 a1=30 a2=ffffffff a3=30 items=1 pid=15656 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd" # type=CWD msg=audit(1147697688.037:15216): cwd="/" # type=PATH msg=audit(1147697688.037:15216): item=0 name="/etc/httpd/run/mod_fcgid" flags=1 inode=458818 dev=fd:04 mode=040755 ouid=48 ogid=48 rdev=00:00
allow httpd_t var_run_t:dir setattr;

What dir is it doing this to? Should this directory be labeled httpd_var_run_t?

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]