WebApp deployment with SELinux

Bas_ten_Hoeve · October 6, 2013, 12:14pm

I am running a CentOS 6.4 x64 server and run into a SELinux problem. I can get my (very simple) webapp to run ok on httpd without SELinux enabled. However when I enforce security I get ‘Unable to launch application ‘appname’ on port #####’.

Anybody out there who got webapps running with SELinux enabled?

Andre_Kuiper · October 6, 2013, 1:37pm

Maybe here you find your answer:

link text

This chapter explains how you can open a port:

5.4. Allowing Access to a Port
We may want a service such as Apache to be allowed to bind and listen for incoming connections on a non-standard port. By default, the SELinux policy will only allow services access to recognized ports associated with those services. If we wanted to allow Apache to listen on tcp port 81, we can add a rule to allow that using the ‘semanage’ command:

semanage port -a -t http_port_t -p tcp 81

A full list of ports that services are permitted access by SELinux can be obtained with:

semanage port -l

Bas_ten_Hoeve · October 6, 2013, 2:20pm

Andre, thank you for the hint. But the problem is a bit more complex.

I can run my application from the console as root by typing ./appname.cgi; The strangest thing is that from that moment on I can start the application also from within my browser. So I guess root can launch the application on the port and it is kept alive in Apache? But even ‘service httpd restart’ leaves it enabled.
I think it is, because when I edit config.cfg and change the port back to 0, a new port is chosen but unable to launch.

The solution is probably in setting some security features for httpd/apache, but Google-ing has not provided me with an answer yet.

I’ll keep searching…

Greg_O_Lone · October 6, 2013, 2:28pm

Selinux is VERY complex. It’s basically a sandbox system. The best way I’ve found to diagnose these things is to look in the server logs. It will tell you exactly which rule is being violated.

Bas_ten_Hoeve · October 6, 2013, 3:03pm

In the httpd error log I find:
[Sun Oct 06 16:57:29 2013] [error] [client 192.168.1.13] /var/www/cgi-bin/appname/./RBConsoleFramework.so: cannot enable executable stack as shared object requires: Permission denied

The audit log:
type=AVC msg=audit(1381072052.244:86): avc: denied { execstack } for pid=1492 comm=“appname” scontext=unconfined_u:system_r:httpd_sys_script_t:s0 tcontext=unconfined_u:system_r:httpd_sys_script_t:s0 tclass=process
type=SYSCALL msg=audit(1381072052.244:86): arch=40000003 syscall=125 success=no exit=-13 a0=ffb51000 a1=1000 a2=1000007 a3=ffb4f420 items=0 ppid=1491 pid=1492 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1 comm=“appname” exe="/var/www/cgi-bin/appname/appname" subj=unconfined_u:system_r:httpd_sys_script_t:s0 key=(null)

Does anybody recognize this?

Andre_Kuiper · October 6, 2013, 3:45pm

It seems to me that it’s just a matter of permissions. Lookup under which username Apache runs and if that name has access to the WebApp and especially see if all permissions in the Webapp-lib-directory are set right for the Apache-user.
Apache often uses “apache” or “www-data” as username.