FastCGI applications

Paul Howarth paul at city-fan.org
Mon May 15 19:58:40 UTC 2006


On Mon, 2006-05-15 at 14:23 -0400, Daniel J Walsh wrote:
> Paul Howarth wrote:
> > I've just moved my personal moin wiki from mod_python to FastCGI for 
> > performance reasons (it's well worth it!). For people that don't know, 
> > FastCGI works by starting up one or more copies of a CGI application 
> > and then keeping them running, passing requests from server to 
> > application over a socket. This avoids the startup overhead of the CGI 
> > application for each request that is necessary with regular CGI.
> >
> > I needed the policy module below to get it working. I'm not sure what 
> > exactly all of the "allows" are allowing, so advice would be welcome 
> > (sample AVCs included).
> >
> > Regarding support for FastCGI in the standard policy, perhaps 
> > appropriate rules could be added under a boolean httpd_enable_fastcgi 
> > or even added to the features enabled with httpd_enable_cgi?
> >
> > policy_module(apache, 0.1.0)
> >
> > require {
> >         type httpd_sys_script_t;
> >         type httpd_log_t;
> >         type httpd_t;
> >         type devpts_t;
> >         type var_run_t;
> > };
> >
> > # ==========================================================
> > # Needed for mod_fcgid
> > # ==========================================================
> >
> > # This is the FastCGI application doing something to the httpd error log
> > # ----------------------------------------------------------------------
> > #type=AVC msg=audit(1147697748.197:15226): avc:  denied  { ioctl } for 
> > pid=15684 comm="python" name="error_log" dev=dm-4 ino=851988 
> > scontext=user_u:system_r:httpd_sys_script_t:s0 
> > tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
> > #type=SYSCALL msg=audit(1147697748.197:15226): arch=40000003 
> > syscall=54 success=no exit=-25 a0=1 a1=5401 a2=bffd4cf8 a3=bffd4d38 
> > items=0 pid=15684 auid=4294967295 uid=48 gid=48 euid=48 suid=48 
> > fsuid=48 egid=48 sgid=48 fsgid=48 comm="python" exe="/usr/bin/python"
> > #type=AVC_PATH msg=audit(1147697748.197:15226): 
> > path="/var/log/httpd/error_log"
> > allow httpd_sys_script_t httpd_log_t:file ioctl;
> Would dontaudit work?

It appears to, yes.

> > # This is the FastCGI application listening for FastCGI requests on 
> > its socket
> > allow httpd_sys_script_t httpd_t:unix_stream_socket { accept getattr 
> > ioctl listen };
> >
> Might be worth creating a new type for this httpd_fastcgi_script_t???

Probably, yes. I found after turning on enforcing mode that I needed:

# This is the FastCGI application listening for FastCGI requests on its
socket and communicating
allow httpd_sys_script_t httpd_t:unix_stream_socket { accept getattr
ioctl listen read write };

> > # Not sure what this is doing
> > # ---------------------------
> > #type=AVC msg=audit(1147699050.131:15341): avc:  denied  { ioctl } for 
> > pid=16705 comm="httpd" name="2" dev=devpts ino=4 
> > scontext=user_u:system_r:httpd_t:s0 
> > tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
> > #type=SYSCALL msg=audit(1147699050.131:15341): arch=40000003 
> > syscall=54 success=yes exit=0 a0=0 a1=5401 a2=bff4ee38 a3=bff4ee78 
> > items=0 pid=16705 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 
> > egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
> > #type=AVC_PATH msg=audit(1147699050.131:15341):  path="/dev/pts/2"
> > allow httpd_t devpts_t:chr_file ioctl;
> > # perhaps it should be term_ioctl_generic_ptys(httpd_t)
> Should probably be dontaudit.  term_dontaudit_use_generic_ptys(httpd_t)
> ioctl not handled by this right now, but it would probably have been
> prevented if you were not running in permissive mode.

dontaudit seems to be OK here too.

> > # mod_fcgid setting attr of its socket dir
> > # ----------------------------------------
> > # type=AVC msg=audit(1147697688.037:15216): avc:  denied  { setattr } for 
> > pid=15656 comm="httpd" name="mod_fcgid" dev=dm-4 ino=458818 
> > scontext=user_u:system_r:httpd_t:s0 
> > tcontext=system_u:object_r:var_run_t:s0 tclass=dir
> > # type=SYSCALL msg=audit(1147697688.037:15216): arch=40000003 syscall=212 success=yes 
> > exit=0 a0=91aa148 a1=30 a2=ffffffff a3=30 items=1 pid=15656 
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 
> > fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
> > # type=CWD msg=audit(1147697688.037:15216):  cwd="/"
> > # type=PATH msg=audit(1147697688.037:15216): item=0 
> > name="/etc/httpd/run/mod_fcgid" flags=1  inode=458818 dev=fd:04 
> > mode=040755 ouid=48 ogid=48 rdev=00:00
> > allow httpd_t var_run_t:dir setattr;
> >
> What dir is it doing this to?  Should this directory be labeled 
> httpd_var_run_t?

Yes, it should. /etc/httpd/run is a symlink to /var/run; I've created a
directory /var/run/mod_fcgid, which gets labelled var_run_t by default,
and mod_fcgid creates and uses sockets in that directory to communicate
with FastCGI applications, and these sockets get labelled
httpd_var_run_t, which I think is OK. If you can think of a better place
for this directory, let me know.

Paul.
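The thread's working method is to read each AVC denial and decide, per rule, whether it deserves an allow, a dontaudit (harmless ioctl noise on the error log and the pty), or a relabel of the target (the var_run_t directory that should be httpd_var_run_t). The script below is an added example, not code from the thread or from the SELinux reference policy: it parses AVC lines of the form posted above into (source type, target type, class, permissions) tuples, aggregates them the way audit2allow would, and applies the thread's suggestions as a classification heuristic. The first three sample lines are the denials Paul posted; the fourth, for the FastCGI socket, is constructed, since the thread gives only the resulting allow rule. The DONTAUDIT_NOISE, GENERIC_TYPES and RELABEL_AS tables encode Dan's advice and are assumptions of this example.

```python
import re
from collections import defaultdict

# Sample denials: the first three are copied from the thread, the fourth
# (the FastCGI socket) is constructed to exercise the plain-allow path.
SAMPLE_AVCS = """\
type=AVC msg=audit(1147697748.197:15226): avc:  denied  { ioctl } for pid=15684 comm="python" name="error_log" dev=dm-4 ino=851988 scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:object_r:httpd_log_t:s0 tclass=file
type=AVC msg=audit(1147699050.131:15341): avc:  denied  { ioctl } for pid=16705 comm="httpd" name="2" dev=devpts ino=4 scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:devpts_t:s0 tclass=chr_file
type=AVC msg=audit(1147697688.037:15216): avc:  denied  { setattr } for pid=15656 comm="httpd" name="mod_fcgid" dev=dm-4 ino=458818 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1147697700.000:15300): avc:  denied  { accept listen } for pid=15684 comm="python" scontext=user_u:system_r:httpd_sys_script_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=unix_stream_socket
"""

# Pulls the permission set, source/target contexts and object class out of one AVC line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Heuristics taken from the thread (assumptions of this example, not policy fact):
# ioctl on the httpd log file or on a pty is noise -> dontaudit;
# a generic type like var_run_t means the object is mislabelled -> relabel, don't allow.
DONTAUDIT_NOISE = {("httpd_log_t", "file"), ("devpts_t", "chr_file")}
GENERIC_TYPES = {"var_run_t"}
RELABEL_AS = {"var_run_t": "httpd_var_run_t"}


def parse_avc(line):
    """Return (source_type, target_type, tclass, [perms]) or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type:level; the type is the third field.
    stype = m.group("scon").split(":")[2]
    ttype = m.group("tcon").split(":")[2]
    return stype, ttype, m.group("tclass"), m.group("perms").split()


def aggregate(text):
    """Merge all denials into {(stype, ttype, tclass): set(perms)}, like audit2allow does."""
    rules = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_avc(line)
        if parsed:
            stype, ttype, tclass, perms = parsed
            rules[(stype, ttype, tclass)].update(perms)
    return rules


def classify(stype, ttype, tclass, perms):
    """Decide whether a denial should become an allow, a dontaudit, or a relabel of the target."""
    if (ttype, tclass) in DONTAUDIT_NOISE and set(perms) == {"ioctl"}:
        return "dontaudit"
    if ttype in GENERIC_TYPES:
        return "relabel"
    return "allow"


def render(rules):
    """Emit policy lines; relabel cases come out as comments so nobody pastes them as allows."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        kind = classify(stype, ttype, tclass, perms)
        rule = f"{stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"
        if kind == "relabel":
            out.append(f"# relabel target as {RELABEL_AS[ttype]} instead of: allow {rule}")
        else:
            out.append(f"{kind} {rule}")
    return out


if __name__ == "__main__":
    for line in render(aggregate(SAMPLE_AVCS)):
        print(line)
```

Run against the sample, the ioctl denials become dontaudit rules, the socket denial becomes a plain allow, and the var_run_t setattr is flagged for relabelling rather than allowed; a real relabel would then be a file context entry for the mod_fcgid socket directory plus a restorecon, which this script deliberately does not generate.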