httpd soap connection over https - selinux - Fedora mailing-lists

23 Sep 2012


      Hello,
I have read on this page 
https://docs.fedoraproject.org/en-US/Fedora/13/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Fixing_Problems-Allowing_Access_audit2allow.html 
:
/Important//
//Modules created with audit2allow may allow more access than required. 
It is recommended that policy created with audit2allow be posted to an 
SELinux list, such as fedora-selinux-list, for review. If you believe 
their is a bug in policy, create a bug in Red Hat Bugzilla./
So here I post my issue first to make sure audit2allow is giving the 
perfect rule to be set and to ask for the best and most secure way to 
allow this.
I have been trying to connect to a remote soap over https on port 443 
from a simple php script.
But selinux set to enforcing has been blocking the connection.
I have tried the three methods separately and each one of them allowed 
the php script to connect correctly to remote soap.
First I need to know which one of the three methods is best (which will 
give less privileges?). Does the audit2allow give a rule with "/more 
access than required/"?
Second, I want to ask if there is a way to allow remote soap for only 
https://www.domain.com and not any other ip address.
Please find php script, selinux log, audit2why output, audit2allow 
output and the three methods I have used to allow connection in postscript.
Thank you very much, I really appreciate your help.
Sincerely yours,
Ahmed Sghaier.
PS :
selinux log :
/# grep '1346290066.999:85' /var/log/audit/audit.log //
//type=AVC msg=audit(1346290066.999:85): avc:  denied  { name_connect } 
for  pid=2021 comm="httpd" dest=1664 
scontext=unconfined_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket//
//type=SYSCALL msg=audit(1346290066.999:85): arch=c000003e syscall=42 
success=no exit=-13 a0=b a1=7f65a9e33b18 a2=10 a3=40 items=0 ppid=2016 
pid=2021 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 
fsgid=48 tty=(none) ses=3 comm="httpd" exe="/usr/sbin/httpd" 
subj=unconfined_u:system_r:httpd_t:s0 key=(null)/
Method 1 :
/# setsebool -P allow_ypbind 1/
Method 2 :
/# setsebool -P httpd_can_network_connect 1
/Method 3 :
/# grep '1346290066.999:85' /var/log/audit/audit.log | audit2allow -M soap//
//# semodule -i soap.pp/
audit2allow output :
/# grep '1346290066.999:85' /var/log/audit/audit.log | audit2allow //
//#============= httpd_t ==============//
//#!!!! This avc can be allowed using one of the these booleans://
//#     allow_ypbind, httpd_can_network_connect//
//allow httpd_t port_t:tcp_socket name_connect;/
audit2why output :
/# grep '1346290066.999:85' /var/log/audit/audit.log | audit2why //
//type=AVC msg=audit(1346290066.999:85): avc:  denied  { name_connect } 
for  pid=2021 comm="httpd" dest=1664 
scontext=unconfined_u:system_r:httpd_t:s0 
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket//
//
//        Was caused by://
//        One of the following booleans was set incorrectly.//
//        Description://
//        Allow system to run with NIS//
//
//        Allow access by executing://
//        # setsebool -P allow_ypbind 1//
//        Description://
//        Allow HTTPD scripts and modules to connect to the network 
using TCP.//
//
//        Allow access by executing://
//        # setsebool -P httpd_can_network_connect 1/
php script :
/<?php//
//try {//
//$soap = new SoapClient("https://www.domain.com/soap.wsdl");//
//echo "SoapLoaded\n";//
////login//
//$session = $soap->login("user", "login"...);//
//echo "LoginSuccessfull\n";//
////logout//
//$soap->logout($session);//
//echo "LogoutSuccessfull\n";//
//} catch(SoapFault $fault) {//
//ec//ho $fault;//
//}//
/ /?>//
/