Bug 151813 - selinux prohibit cgi script to talk with a unix socket
Summary: selinux prohibit cgi script to talk with a unix socket
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted
Version: 4.0
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Keywords: FutureFeature
Depends On:
Reported: 2005-03-22 16:42 UTC by Peter Bieringer
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-08-25 20:03:40 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Peter Bieringer 2005-03-22 16:42:06 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

Description of problem:
During installation of sqwebmail (5.0.1) I found that the selinux policy prohibits cgi scripts from talking to a socket.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. enable selinux policy targeted
2. rebuild and install sqwebmail
3. try to call cgi script via httpd

Actual Results:  Doesn't work, kernel log tells me

Mar 22 17:05:41 host audit(1111507541.423:0): avc:  denied  { write } for  pid=7924 exe=/var/www/cgi-bin/sqwebmail name=sqwebmail.sock dev=md1 ino=465322 scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:var_t tclass=sock_file

Mar 22 17:14:58 host audit(1111508098.185:0): avc:  denied  { connectto } for  pid=8164 exe=/var/www/cgi-bin/sqwebmail path=/var/sqwebmail.sock scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:unconfined_t tclass=unix_stream_socket

Expected Results:  Working, if a boolean in allow such connects

Additional info:

Solution: extend policy

## sqwebmail
allow httpd_sys_script_t var_t:sock_file write;
allow httpd_sys_script_t unconfined_t:unix_stream_socket connectto;

Would be nice if such an extension could be made controllable by a boolean, like for syslog-ng https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=141064

Comment 1 Daniel Walsh 2005-03-22 16:49:18 UTC
First could you update to the policy that is going into U1.

Then see if it works?

Never heard of sqwebmail?  Is it like squirrelmail?

If so we might be able to setup labels to work correctly. 

Comment 2 Peter Bieringer 2005-03-22 17:06:45 UTC
I already extended the policy (had already learnt how to during the syslog-ng
installation) and it's working fine now.

Yes, it's similar, a part of the Courier MTA suite:

Comment 3 Daniel Walsh 2005-03-24 21:49:57 UTC
Could you send me the changes that you made to policy?

Comment 4 Peter Bieringer 2005-03-25 10:02:44 UTC
Already described above...

## sqwebmail
allow httpd_sys_script_t var_t:sock_file write;
allow httpd_sys_script_t unconfined_t:unix_stream_socket connectto;

sqwebmail uses a frontend cgi which connects via a Unix socket to the always
running backend.

Comment 5 Daniel Walsh 2005-04-07 15:28:35 UTC
To make this more secure we would need policy written for the sqwebmail server,
and it would probably be good to redesign where it listens to the socket.

/var/run is where most of these sockets are created.

Adding this policy would allow any httpd script to connectto any unconfined
process that it can connect to, and write to a sock file created in /var.

So this policy would not get into the main line code.
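The two AVC denials in the description and the allow rules the reporter derived from them are the kind of translation audit2allow does mechanically; Comment 5 explains why the mechanical result is too broad. The following Python script is an added example (not part of the bug report and not Red Hat's tooling): it parses the two audit lines quoted above, emits the corresponding allow rules, and flags rules whose target type is unconfined_t (every unconfined process) or var_t (the default label for /var), which is the breadth Comment 5 objects to. The BROAD_TARGET_TYPES set is a simplified heuristic chosen for this example, not an official classification.

```python
import re
from dataclasses import dataclass

# The two AVC denials exactly as quoted in the bug description.
AVC_LINES = [
    "Mar 22 17:05:41 host audit(1111507541.423:0): avc:  denied  { write } for  pid=7924 "
    "exe=/var/www/cgi-bin/sqwebmail name=sqwebmail.sock dev=md1 ino=465322 "
    "scontext=root:system_r:httpd_sys_script_t tcontext=user_u:object_r:var_t tclass=sock_file",
    "Mar 22 17:14:58 host audit(1111508098.185:0): avc:  denied  { connectto } for  pid=8164 "
    "exe=/var/www/cgi-bin/sqwebmail path=/var/sqwebmail.sock "
    "scontext=root:system_r:httpd_sys_script_t tcontext=root:system_r:unconfined_t tclass=unix_stream_socket",
]

# Matches the permission set and the source/target contexts of an AVC denial.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Heuristic for this example (following Comment 5): a rule whose target type
# is the generic /var label or the unconfined process type grants far more
# than the single socket sqwebmail needs.
BROAD_TARGET_TYPES = {"unconfined_t", "var_t"}


@dataclass(frozen=True)
class Denial:
    perms: tuple   # sorted permissions, e.g. ("write",)
    stype: str     # source type, e.g. httpd_sys_script_t
    ttype: str     # target type, e.g. var_t
    tclass: str    # object class, e.g. sock_file


def parse_avc(line):
    """Return a Denial for an AVC 'denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(sorted(m.group("perms").split()))
    # A context is user:role:type (this RHEL 4 log carries no MLS level).
    stype = m.group("scontext").split(":")[2]
    ttype = m.group("tcontext").split(":")[2]
    return Denial(perms, stype, ttype, m.group("tclass"))


def allow_rule(d):
    """Render the policy allow rule that would silence this denial."""
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {d.stype} {d.ttype}:{d.tclass} {perms};"


def is_overly_broad(d):
    """True when the rule's target type is one of the generic types above."""
    return d.ttype in BROAD_TARGET_TYPES


def review(lines):
    """Return (rule, broad_flag) for every parseable denial in lines."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d:
            out.append((allow_rule(d), is_overly_broad(d)))
    return out


if __name__ == "__main__":
    for rule, broad in review(AVC_LINES):
        print(("BROAD  " if broad else "       ") + rule)
```

Run against the quoted lines, both generated rules come back flagged as broad, which matches the maintainer's conclusion: the fix that makes the denials go away is not the fix that belongs in the shipped policy; a dedicated type for the sqwebmail socket (and a socket path under /var/run) would let the allow rule name one object instead of a whole class of them.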
