Linux Archive

Linux Archive (http://www.linux-archive.org/)
-   Fedora SELinux Support (http://www.linux-archive.org/fedora-selinux-support/)
-   -   httpd soap connection over https (http://www.linux-archive.org/fedora-selinux-support/706810-httpd-soap-connection-over-https.html)

Ahmed Sghaier 09-24-2012 02:07 AM

httpd soap connection over https
 
Hello,



I have read on this page
:

Important

Modules created with audit2allow may allow more access than
required. It is recommended that policy created with audit2allow
be posted to an SELinux list, such as fedora-selinux-list, for
review. If you believe their is a bug in policy, create a bug in
Red Hat Bugzilla.



So here I post my issue first to make sure audit2allow is giving the
perfect rule to be set and to ask for the best and most secure way
to allow this.



I have been trying to connect to a remote soap over https on port
443 from a simple php script.

But selinux set to enforcing has been blocking the connection.



I have tried the three methods separately and each one of them
allowed the php script to connect correctly to remote soap.



First I need to know which one of the three methods is best (which
will give less privileges?). Does the audit2allow give a rule with "more
access than required"?

Second, I want to ask if there is a way to allow remote soap for
only https://www.domain.com and not any other ip address.



Please find php script, selinux log, audit2why output, audit2allow
output and the three methods I have used to allow connection in
postscript.



Thank you very much, I really appreciate your help.



Sincerely yours,

Ahmed Sghaier.







PS :





selinux log :



# grep '1346290066.999:85' /var/log/audit/audit.log

type=AVC msg=audit(1346290066.999:85): avc:* denied* {
name_connect } for* pid=2021 comm="httpd" dest=1664
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket

type=SYSCALL msg=audit(1346290066.999:85): arch=c000003e
syscall=42 success=no exit=-13 a0=b a1=7f65a9e33b18 a2=10 a3=40
items=0 ppid=2016 pid=2021 auid=0 uid=48 gid=48 euid=48 suid=48
fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=3 comm="httpd"
exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0
key=(null)





Method 1 :

# setsebool -P allow_ypbind 1





Method 2 :

# setsebool -P httpd_can_network_connect 1





Method 3 :

# grep '1346290066.999:85' /var/log/audit/audit.log | audit2allow
-M soap

# semodule -i soap.pp





audit2allow output :



# grep '1346290066.999:85' /var/log/audit/audit.log | audit2allow


#============= httpd_t ==============

#!!!! This avc can be allowed using one of the these
booleans:

#**** allow_ypbind, httpd_can_network_connect

allow httpd_t port_t:tcp_socket name_connect;





audit2why output :



# grep '1346290066.999:85' /var/log/audit/audit.log | audit2why

type=AVC msg=audit(1346290066.999:85): avc:* denied* {
name_connect } for* pid=2021 comm="httpd" dest=1664
scontext=unconfined_u:system_r:httpd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket



******* Was caused by:

******* One of the following booleans was set incorrectly.

******* Description:

******* Allow system to run with NIS



******* Allow access by executing:

******* # setsebool -P allow_ypbind 1

******* Description:

******* Allow HTTPD scripts and modules to connect to the
network using TCP.



******* Allow access by executing:

******* # setsebool -P httpd_can_network_connect 1





php script :



<?php

try {

$soap = new SoapClient("https://www.domain.com/soap.wsdl");

echo "SoapLoaded
";

//login

$session = $soap->login("user", "login"...);

echo "LoginSuccessfull
";

//logout

$soap->logout($session);

echo "LogoutSuccessfull
";


} catch(SoapFault $fault) {

echo $fault;


}


?>





--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux

Dominick Grift 09-24-2012 01:44 PM

httpd soap connection over https
 
On Mon, 2012-09-24 at 03:07 +0100, Ahmed Sghaier wrote:

> selinux log :
>
> # grep '1346290066.999:85' /var/log/audit/audit.log
> type=AVC msg=audit(1346290066.999:85): avc: denied { name_connect }
> for pid=2021 comm="httpd" dest=1664
> scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
> type=SYSCALL msg=audit(1346290066.999:85): arch=c000003e syscall=42
> success=no exit=-13 a0=b a1=7f65a9e33b18 a2=10 a3=40 items=0 ppid=2016
> pid=2021 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48
> fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd"
> subj=unconfined_u:system_r:httpd_t:s0 key=(null)
>
>
> Method 1 :
> # setsebool -P allow_ypbind 1
>
>
> Method 2 :
> # setsebool -P httpd_can_network_connect 1
>
>
> Method 3 :
> # grep '1346290066.999:85' /var/log/audit/audit.log | audit2allow -M
> soap
> # semodule -i soap.pp

Here is a little cheat that can be a optimal solution in many cases

httpd is allowed to connect to dns ports for nsswitch support

you can label tcp:1664 a dns_port_t which will allow http to connect to
it:

semanage port -a -t dns_port_t -p tcp 1664

that way you dont need to toggle any booleans or extend httpd policy

not the prettiest solution but it works and it is efficient

--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux


All times are GMT. The time now is 02:16 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.