
How to allow apache2 to connect to a Xvfb server with SELinux enabled (CentOS 6.5)

asked 2014-05-07 09:33:25 -0500


I am currently developing a web server that uses the R rgl package to visualize results in 3D. The server should of course run on a headless server and therefore the httpd process needs to be able to access/contact the Xvfb process.

The system works fine if I disable SELinux in the config file (SELINUX=permissive), but I do not want to disable SELinux on a production server! I have invested two days into this problem - I would say I failed to solve this on my own. Please feel free to ask me any questions about the problem.

My audit log:

grep Xvfb /var/log/audit/audit.log

. . .
type=AVC msg=audit(1399452535.767:927): avc: denied { name_bind } for pid=18094 comm="Xvfb" src=6007 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1399452535.767:927): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfa06b60 a2=8232ff4 a3=3 items=0 ppid=1 pid=18094 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=46 comm="Xvfb" exe="/usr/bin/Xvfb" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1399452536.767:928): avc: denied { name_bind } for pid=18094 comm="Xvfb" src=6007 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1399452536.767:928): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfa06b60 a2=8232ff4 a3=2 items=0 ppid=1 pid=18094 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=46 comm="Xvfb" exe="/usr/bin/Xvfb" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1399452537.768:929): avc: denied { name_bind } for pid=18094 comm="Xvfb" src=6007 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1399452537.768:929): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfa06b60 a2=8232ff4 a3=1 items=0 ppid=1 pid=18094 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=46 comm="Xvfb" exe="/usr/bin/Xvfb" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1399452538.769:930): avc: denied { name_bind } for pid=18094 comm="Xvfb" src=6007 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1399452538.769:930): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfa06b60 a2=8232ff4 a3=0 items=0 ppid=1 pid=18094 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=46 comm="Xvfb" exe="/usr/bin/Xvfb" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

PS: I solved the other SELinux-related problems - just the access to the X server - THANK YOU! I hope ...

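The audit records above are easier to reason about once each AVC is reduced to "who, what, which class, which permission" and the hex-encoded path= that unix_stream_socket denials carry is decoded. The POSIX shell/awk script below is an added example, not code from the thread; its sample records are constructed from the ones quoted in the question and answers. It shows that the socket in the later connectto denial decodes to the abstract socket @/tmp/.X11-unix/X7, i.e. display :7, which matches the src=6007 port (6000 + 7) that Xvfb fails to bind here.

```shell
#!/bin/sh
# Added example (not from the original thread): summarise SELinux AVC denials
# found in audit.log text and decode the hex-encoded path= field.

# decode_avc_path HEX: audit hex-encodes any value containing a non-printable
# byte.  A leading 00 byte means an abstract-namespace unix socket; print it
# with a leading '@' the way ss(8) does.
decode_avc_path() {
    hex=$1
    prefix=""
    case $hex in 00*) prefix="@"; hex=${hex#00} ;; esac
    printf '%s' "$prefix"
    while [ -n "$hex" ]; do
        byte=${hex%"${hex#??}"}      # first two hex digits
        hex=${hex#??}
        # emit the byte via an octal escape, which every POSIX printf accepts
        printf "\\$(printf '%03o' "$((0x$byte))")"
    done
    printf '\n'
}

# summarize_avc: read audit lines on stdin and print one line per AVC record:
#   perm class scontext tcontext comm object
# Records that extraction ran together on one line are split apart again.
summarize_avc() {
    awk '
    {
        n = split($0, rec, / type=/)
        for (r = 1; r <= n; r++) {
            line = rec[r]
            if (line !~ /^(type=)?AVC /) continue
            perm = "?"
            if (match(line, /[{][^}]*[}]/)) {
                perm = substr(line, RSTART + 1, RLENGTH - 2)
                gsub(/^ +| +$/, "", perm)
            }
            split("", v)
            m = split(line, f, " ")
            for (i = 1; i <= m; i++) {
                if (f[i] ~ /^(scontext|tcontext|tclass|comm|path|src|name)=/) {
                    eq = index(f[i], "=")
                    key = substr(f[i], 1, eq - 1)
                    val = substr(f[i], eq + 1)
                    gsub(/"/, "", val)
                    v[key] = val
                }
            }
            if ("path" in v)      obj = "path=" v["path"]
            else if ("src" in v)  obj = "src=" v["src"]
            else                  obj = "name=" v["name"]
            print perm, v["tclass"], v["scontext"], v["tcontext"], v["comm"], obj
        }
    }' | while read -r perm cls sctx tctx comm obj; do
        # hex-encoded paths start with a hex digit; quoted ones start with "
        case $obj in
            path=[0-9A-Fa-f]*) obj="path=$(decode_avc_path "${obj#path=}")" ;;
        esac
        printf '%s %s %s %s %s %s\n' "$perm" "$cls" "$sctx" "$tctx" "$comm" "$obj"
    done
}

# Constructed sample: line 1 holds two records run together (the Xvfb name_bind
# denial from the question), lines 2 and 3 are the SYSCALL and AVC records of
# the R connectto denial from the answer.
SAMPLE_AUDIT='type=AVC msg=audit(1399452535.767:927): avc:  denied  { name_bind } for  pid=18094 comm="Xvfb" src=6007 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:xserver_port_t:s0 tclass=tcp_socket type=SYSCALL msg=audit(1399452535.767:927): arch=40000003 syscall=102 success=no exit=-13 comm="Xvfb" exe="/usr/bin/Xvfb" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=SYSCALL msg=audit(1399531656.860:22): arch=40000003 syscall=102 success=no exit=-13 comm="R" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1399531656.860:22): avc:  denied  { connectto } for  pid=1194 comm="R" path=002F746D702F2E5831312D756E69782F5837 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket'

# Count distinct denials.  On a real host feed it the log instead:
#   grep -a type=AVC /var/log/audit/audit.log | summarize_avc | sort | uniq -c
printf '%s\n' "$SAMPLE_AUDIT" | summarize_avc | sort | uniq -c | sort -rn
```

Running it prints one counted line per distinct denial, which is the same grouping audit2allow works from; comparing the scontext of the two records also makes visible that the earlier name_bind denial comes from Xvfb itself running in httpd_t (it was spawned by httpd), while the later connectto denial comes from an httpd_t client reaching a socket owned by initrc_t.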

Comments

Are those audit logs taken with SELINUX=permissive or enforcing? If 'enforcing', could you turn back to 'permissive' just to collect all AVCs produced during the activity you need to open?

tonioc ( 2014-05-07 10:17:21 -0500 )

2 Answers


answered 2014-05-08 01:56:18 -0500

stefan2502

updated 2014-05-08 01:57:39 -0500

At least the last one was taken in the permissive state. I checked how the messages looked while I ran the software in enforcing state.

Now I recognized that this might not be the relevant error message, as it is not created any more. Rather, this is the true problem (the path is created from a session ID):

ausearch -c xdpyinfo

time->Thu May 8 08:44:18 2014 (PERMISSIVE)
type=SYSCALL msg=audit(1399531458.438:75): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bfaaccb0 a2=f93164 a3=3 items=0 ppid=1552 pid=1553 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="xdpyinfo" exe="/usr/bin/xdpyinfo" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1399531458.438:75): avc: denied { connectto } for pid=1553 comm="xdpyinfo" path=002F746D702F2E5831312D756E69782F5837 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket

time->Thu May 8 08:47:38 2014 (ENFORCING)
type=SYSCALL msg=audit(1399531658.332:23): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf942a40 a2=e8e164 a3=4 items=0 ppid=1206 pid=1207 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="xdpyinfo" exe="/usr/bin/xdpyinfo" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1399531658.332:23): avc: denied { connectto } for pid=1207 comm="xdpyinfo" path=002F746D702F2E5831312D756E69782F5837 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket

time->Thu May 8 08:47:54 2014 (ENFORCING)
type=SYSCALL msg=audit(1399531674.245:102): arch=40000003 syscall=102 success=no exit=-13 a0=3 a1=bf97b360 a2=c94164 a3=3 items=0 ppid=1275 pid=1276 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="xdpyinfo" exe="/usr/bin/xdpyinfo" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1399531674.245:102): avc: denied { connectto } for pid=1276 comm="xdpyinfo" path=002F746D702F2E5831312D756E69782F5837 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket


Comments

grep 'comm="R"' /var/log/audit/audit.log | grep unix_stream_socket | tail -n1 | audit2why

type=AVC msg=audit(1399531656.860:22): avc: denied { connectto } for pid=1194 comm="R" path=002F746D702F2E5831312D756E69782F5837 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket

    Was caused by:
            Missing type enforcement (TE) allow rule.

            You can use audit2allow to generate a loadable module to allow this access.

[root@CentOS65 ~]# grep 'comm="R"' /var/log/audit/audit.log | grep unix_stream_socket | tail -n1 | audit2allow

============= httpd_t ==============

allow httpd_t initrc_t:unix_stream_socket connectto;

Let's see if that does help....

stefan2502 ( 2014-05-08 02:23:42 -0500 )

answered 2014-05-08 03:33:30 -0500


Finally fixed the problem using this information: I had to define my own local policy module. (1) Identify the cause of the problem - in my case the R process started by httpd connecting to the X Window System - and create a new policy from that:

grep 'comm="R"' /var/log/audit/audit.log | grep unix_stream_socket | tail -n2 | audit2allow -R > httpd_allow_x_connect.te

The main part is this command:

init_stream_connect_script(httpd_t)

Having followed the description on the web page, I was root and was located in the folder /root/selinux.local. I had linked the SELinux Makefile into this folder (ln -s /usr/share/selinux/devel/Makefile .) and the httpd_allow_x_connect.te resided there, too.

make

did build the httpd_allow_x_connect.pp module and

semodule -i httpd_allow_x_connect.pp

did install it.

Problem solved!

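The answer above gives the interface call but not the complete module source or the checks that confirm it loaded. The script below is an added example, not the poster's own files: it writes the .te for the module named in the answer using the reference-policy policy_module() macro, builds it with the devel Makefile from /usr/share/selinux/devel (the path the answer uses; on CentOS 6 it is assumed to come from the selinux-policy-devel package), loads it, and then verifies the result with semodule, sesearch (from setools) and ausearch. The build and load steps only run as root with the toolchain present, so the script can be previewed anywhere.

```shell
#!/bin/sh
# Added example, not the original poster's files: build and verify the
# httpd_allow_x_connect local policy module described in the answer.
# Assumed: /usr/share/selinux/devel/Makefile is installed and the build
# runs as root.  Module name and work dir follow the answer.
set -e

MODULE=httpd_allow_x_connect
WORKDIR=${WORKDIR:-/root/selinux.local}

# write_te: emit the .te source.  policy_module() declares the module and
# pulls in the base requires; the interface call is the one audit2allow -R
# produced in the answer.
write_te() {
    cat <<'EOF'
policy_module(httpd_allow_x_connect, 1.0)

require {
    type httpd_t;
}

# Let httpd (and the R child it spawns, which stays in httpd_t) connect to
# unix stream sockets owned by initrc_t, the domain Xvfb lands in when it is
# started from an init script.  This covers every initrc_t stream socket,
# not only /tmp/.X11-unix/X7, so it is wider than the single denial.
init_stream_connect_script(httpd_t)
EOF
}

# build_and_load: write the .te into WORKDIR, then build, load and verify
# when running as root with the SELinux toolchain available.
build_and_load() {
    mkdir -p "$WORKDIR" && cd "$WORKDIR"
    write_te > "$MODULE.te"
    if [ "$(id -u)" -ne 0 ] || ! command -v semodule >/dev/null 2>&1 \
       || [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "wrote $WORKDIR/$MODULE.te; not root or no SELinux toolchain, skipping build" >&2
        return 0
    fi
    [ -e Makefile ] || ln -s /usr/share/selinux/devel/Makefile .
    make                                  # produces $MODULE.pp
    semodule -i "$MODULE.pp"
    # Verify: the module is listed, the allow rule resolves, and no fresh
    # denials for the R process appear once the web request is retried.
    semodule -l | grep "^$MODULE"
    sesearch -A -s httpd_t -t initrc_t -c unix_stream_socket -p connectto
    ausearch -m avc -c R -ts recent || true
}

# Default action previews the .te; run with "install" as root to build it.
case ${1:-show} in
    show)    write_te ;;
    install) build_and_load ;;
esac
```

Run it with no arguments to review the policy source, then as root with `install`. Because init_stream_connect_script() grants connectto to every initrc_t unix stream socket, it is worth checking whether a narrower rule is available on your policy version before keeping this one: if Xvfb is started so that it runs in the xserver_t domain rather than initrc_t, look for the xserver_stream_connect() interface (grep -r xserver_stream_connect /usr/share/selinux/devel/include) and prefer it over the initrc_t rule.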

Stats

Asked: 2014-05-07 09:33:25 -0500

Seen: 1,033 times

Last updated: May 08 '14