Linux++:::: Too much security?
Posted at 09.Jul,2007 18:05 / Comments 0 / Trackbacks 0

I was setting up squid, apache and zope on a new box running centos 5.

Installing and running the individual applications is no problem. The problem arose when I wanted to chain the three apps together:

  squid -> apache -> zope

In /var/log/httpd/error_log:

  (13)Permission denied: proxy: HTTP: attempt to connect to 127.0.0.1:8080 (*) failed

In /var/log/messages:

 SELinux is preventing the http daemon from connecting to the itself or the relay ports      For complete SELinux messages. run sealert -l 5818ae3c-1b70-47d3-a890-c00c0bda4547

And I ran:

 sealert -l 5818ae3c-1b70-47d3-a890-c00c0bda4547

and got this:

  sealert -l 5818ae3c-1b70-47d3-a890-c00c0bda4547
  Summary
    SELinux is preventing the http daemon from connecting to the  itself or the
    relay ports

  Detailed Description
    SELinux has denied the http daemon from connecting to itself or  the relay
    ports. An http script is trying to do a network connect to an http/ftp port.
    If you did not setup httpd to network connections, this could  signal a
    intrusion attempt.

  Allowing Access
    If you want httpd to connect to httpd/ftp ports you need to turn on the
    httpd_can_network_relay boolean: "setsebool -P  httpd_can_network_relay=1"

    The following command will allow this access:
    setsebool -P httpd_can_network_relay=1

  Additional Information

  Source Context                root:system_r:httpd_t
  Target Context                system_u:object_r:http_cache_port_t
  Target Objects                None [ tcp_socket ]
  Affected RPM Packages         httpd-2.2.3-6.el5.centos.1   [application]
  Policy RPM                    selinux-policy-2.4.6-30.el5
  Selinux Enabled               True
  Policy Type                   targeted
  MLS Enabled                   True
  Enforcing Mode                Enforcing
  Plugin Name                   plugins.httpd_can_network_relay
  Host Name                     localhost.localdomain
  Platform                      Linux localhost.localdomain 2.6.18-8.1.4.el5 #1
                              SMP Thu May 17 03:26:03 EDT 2007 i686 i686
  Alert Count                   2
  Line Numbers

  Raw Audit Messages

  avc: denied { name_connect } for comm="httpd" dest=8080  egid=48 euid=48
  exe="/usr/sbin/httpd" exit=-13 fsgid=48 fsuid=48 gid=48  items=0 pid=15539
  scontext=root:system_r:httpd_t:s0 sgid=48   subj=root:system_r:httpd_t:s0 suid=48
  tclass=tcp_socket tcontext=system_u:object_r:http_cache_port_t:s0 tty=(none)
  uid=48

Obviously, I need to change the policy to enable proxy requests from apache to zope.

That brings me to this: how paranoid should I be? I can disable selinux and won't be bothered by these again.

However, selinux has changed a bit since the last time I dealt with it (fc3). So I guess I'll try it a bit more before deciding whether to disable it or not.
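The denial above has a narrow fix: `httpd_can_network_relay` only lets httpd reach ports labelled as web/proxy ports (`http_port_t`, `http_cache_port_t`), whereas `httpd_can_network_connect` lets it reach any port, and disabling SELinux removes the denial as a signal altogether. The script below is an added example, not code from the original post: it parses a raw AVC line like the one in `/var/log/messages`, checks that it is really httpd making an outbound TCP connect, and picks the narrowest targeted-policy boolean for the target port type. The sample AVC line is a constructed, condensed copy of the one quoted above; the boolean names are real targeted-policy booleans (whether `httpd_can_network_connect_db` exists depends on the policy version), and the `getsebool`/`setsebool` calls are only printed or run when the tools are present, so the script also runs on a host without SELinux.

```shell
#!/bin/sh
# Added example (not from the original post): classify a raw SELinux AVC
# denial and pick the narrowest httpd boolean that would permit it.

# Constructed sample, condensed from the denial quoted in the post.
SAMPLE_AVC='avc: denied { name_connect } for comm="httpd" dest=8080 egid=48 euid=48 exe="/usr/sbin/httpd" exit=-13 pid=15539 scontext=root:system_r:httpd_t:s0 tclass=tcp_socket tcontext=system_u:object_r:http_cache_port_t:s0 tty=(none) uid=48'

# avc_field LINE KEY: print the value of "KEY=value" in an AVC line.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE: print the denied permission inside "{ ... }".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^ }]*\).*/\1/p'
}

# se_type CONTEXT: the type field of user:role:type:level, e.g. httpd_t.
se_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# recommend_boolean LINE: print the boolean to enable, or "none" when the
# line is not an httpd outbound TCP connect denial (leave those denied).
recommend_boolean() {
    line=$1
    perm=$(avc_perm "$line")
    class=$(avc_field "$line" tclass)
    src=$(se_type "$(avc_field "$line" scontext)")
    tgt=$(se_type "$(avc_field "$line" tcontext)")

    if [ "$src" != httpd_t ] || [ "$class" != tcp_socket ] || [ "$perm" != name_connect ]; then
        echo none
        return 0
    fi

    case $tgt in
        http_port_t|http_cache_port_t)
            # Relaying to another web server or proxy: the narrow boolean suffices.
            echo httpd_can_network_relay ;;
        mysqld_port_t|postgresql_port_t)
            # Database back ends have their own boolean on newer policies.
            echo httpd_can_network_connect_db ;;
        *)
            # Anything else needs the broad boolean; consider labelling the
            # port (semanage port) instead of opening all outbound connects.
            echo httpd_can_network_connect ;;
    esac
}

# show_state BOOLEAN: report the current value where SELinux tools exist.
show_state() {
    if command -v getsebool >/dev/null 2>&1; then
        getsebool "$1"
    else
        echo "$1: getsebool not available on this host"
    fi
}

bool=$(recommend_boolean "$SAMPLE_AVC")
echo "denied: $(avc_perm "$SAMPLE_AVC") to port $(avc_field "$SAMPLE_AVC" dest) -> $bool"
if [ "$bool" != none ]; then
    show_state "$bool"
    echo "fix (persistent): setsebool -P $bool=1"
fi
```

Keeping the relay boolean rather than the connect-anything one means a later denial for httpd reaching, say, an unreserved port still shows up in `/var/log/messages`, which is exactly the "could signal an intrusion attempt" case the sealert text describes.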

