Bug 244008 - SELinux is preventing generate_test.p (httpd_sys_script_t) "create" to <Unknown> (httpd_sys_script_t)
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.0
Hardware: i686
OS: Linux
Priority: medium
Severity: medium
Assignee: Daniel Walsh
Reported: 2007-06-13 10:46 UTC by Ondrej Sevcik
Modified: 2007-11-30 22:07 UTC (History)

Doc Type: Bug Fix
Last Closed: 2007-06-13 13:48:52 UTC

Description Ondrej Sevcik 2007-06-13 10:46:41 UTC
Description of problem:

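Perl script tries to connect to some URL:
   use LWP::UserAgent;
   use HTTP::Request;
   # $reqfile and $i are set elsewhere in the script
   my $ua = LWP::UserAgent->new;
   my $req = HTTP::Request->new(GET => "http://10.34.33.220/test/$reqfile?id=$i");
   my $res = $ua->request($req);   # the outbound TCP socket is created here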

Result of this operation is here:


Source Context                root:system_r:httpd_sys_script_t
Target Context                root:system_r:httpd_sys_script_t
Target Objects                None [ tcp_socket ]
Affected RPM Packages
Policy RPM                    selinux-policy-2.4.6-74.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     dhcp-lab-220.englab.brq.redhat.com
Platform                      Linux dhcp-lab-220.englab.brq.redhat.com
                              2.6.18-8.1.4.el5 #1 SMP Fri May 4 22:15:13 EDT
                              2007 i686 i686
Alert Count                   2129
Line Numbers

Raw Audit Messages

avc: denied { create } for comm="generate_test.p" egid=48 euid=48
exe="/usr/bin/perl" exit=-13 fsgid=48 fsuid=48 gid=48 items=0 pid=4067
scontext=root:system_r:httpd_sys_script_t:s0 sgid=48
subj=root:system_r:httpd_sys_script_t:s0 suid=48 tclass=tcp_socket
tcontext=root:system_r:httpd_sys_script_t:s0 tty=(none) uid=48


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-74.el5
selinux-policy-targeted-2.4.6-74.el5
This is perl, v5.8.8 built for i386-linux-thread-multi
Perl is running as a module in apache

How reproducible:
100%

Steps to Reproduce:
1. Run perl script with code described above
  
Actual results:
Audit log fragment is listed below.

Expected results:
No create denied messages in audit log

Additional info:
Jun 12 01:21:23 dhcp-lab-220 setroubleshoot:      SELinux is preventing 
generate_test.p (httpd_sys_script_t) "create" to <Unknown> 
(httpd_sys_script_t).      For complete SELinux messages. run sealert -l 
0cbeb5ed-0304-480a-b12d-ec51fb7d8e0e

Comment 1 Ondrej Sevcik 2007-06-13 13:48:52 UTC
setsebool -P httpd_can_network_connect=1

fixes this problem.
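
Added example, not part of the bug report or of any SELinux tooling: Python that parses the raw AVC record quoted in the description, recognises it as a web script domain being denied creation of its own TCP socket, and points at the boolean named in Comment 1. The `BOOLEAN_HINTS` table and the function names are assumptions of this example; the table holds only the mapping this report supports.

```python
import re

# AVC record from the report above, rejoined onto one line.
AVC = ('avc: denied { create } for comm="generate_test.p" egid=48 euid=48 '
       'exe="/usr/bin/perl" exit=-13 fsgid=48 fsuid=48 gid=48 items=0 pid=4067 '
       'scontext=root:system_r:httpd_sys_script_t:s0 sgid=48 '
       'subj=root:system_r:httpd_sys_script_t:s0 suid=48 tclass=tcp_socket '
       'tcontext=root:system_r:httpd_sys_script_t:s0 tty=(none) uid=48')

# Assumption for this example: only the boolean named in Comment 1 is mapped.
# Key = (source type, object class, permission); value = boolean to inspect.
BOOLEAN_HINTS = {
    ("httpd_sys_script_t", "tcp_socket", "create"): "httpd_can_network_connect",
}

def parse_avc(line):
    """Split one AVC denial into permissions, key=value fields and SELinux types."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))}
    fields["perms"] = m.group(1).split()
    # A context is user:role:type[:level]; the type is the third component.
    fields["stype"] = fields["scontext"].split(":")[2]
    fields["ttype"] = fields["tcontext"].split(":")[2]
    return fields

def triage(line):
    """Return (summary, boolean name or None) for one denial."""
    f = parse_avc(line)
    # Same source and target context on a socket class means the process was
    # denied an operation on its own socket, not access to another object.
    own_socket = f["scontext"] == f["tcontext"] and f["tclass"].endswith("_socket")
    hint = None
    for perm in f["perms"]:
        hint = hint or BOOLEAN_HINTS.get((f["stype"], f["tclass"], perm))
    what = "its own" if own_socket else f["ttype"]
    summary = "%s (%s) denied {%s} on %s %s" % (
        f["comm"], f["stype"], " ".join(f["perms"]), what, f["tclass"])
    return summary, hint

if __name__ == "__main__":
    summary, hint = triage(AVC)
    print(summary)
    if hint:
        print("check with: getsebool " + hint)
```

`getsebool httpd_can_network_connect` shows the current value before it is changed with the `setsebool -P` command from Comment 1.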

