Cannot open a telnet connection from a Ruby script run via httpd
Memo: fixed by changing the SELinux settings
$ sudo less /var/log/audit/audit.log
type=AVC msg=audit(1484675595.692:111): avc: denied { name_connect } for pid=1753 comm="bgp-query" dest=2605 scontext=system_u:system_r:httpd_sys_script_t:s0 tcontext=system_u:object_r:bgp_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1484675595.692:111): arch=c000003e syscall=42 success=no exit=-13 a0=3 a1=1401590 a2=1c a3=7fff01a96e30 items=0 ppid=1561 pid=1753 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="bgp-query" exe="/usr/bin/ruby" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
$ sesearch -A -C -s httpd_sys_script_t -t bgp_port_t -c tcp_socket
Found 5 semantic av rules:
DT allow httpd_sys_script_t port_type : tcp_socket { recv_msg send_msg } ; [ allow_ypbind ]
ET allow httpd_sys_script_t port_type : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_enable_cgi httpd_can_network_connect && ]
DT allow httpd_sys_script_t port_type : tcp_socket { recv_msg send_msg } ; [ httpd_enable_cgi allow_ypbind && ]
DT allow httpd_sys_script_t reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
DT allow httpd_sys_script_t reserved_port_type : tcp_socket name_connect ; [ httpd_enable_cgi allow_ypbind && ]
$ sudo setsebool -P httpd_can_network_connect on
That fixed it.
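As an added example (not code from the original memo), a small Python helper that automates the two lookups above: it parses an AVC record such as the one in audit.log into its fields, builds the sesearch query for that denial, and lists which booleans each conditional rule granting the denied permission depends on. The sample inputs are the audit record and the setools3-style sesearch output quoted above, embedded as constructed strings.

```python
import re
import shlex

# Constructed sample input: the AVC record and the sesearch output quoted above.
SAMPLE_AVC = (
    'type=AVC msg=audit(1484675595.692:111): avc: denied { name_connect } '
    'for pid=1753 comm="bgp-query" dest=2605 '
    'scontext=system_u:system_r:httpd_sys_script_t:s0 '
    'tcontext=system_u:object_r:bgp_port_t:s0 tclass=tcp_socket'
)
SAMPLE_SESEARCH = """\
DT allow httpd_sys_script_t port_type : tcp_socket { recv_msg send_msg } ; [ allow_ypbind ]
ET allow httpd_sys_script_t port_type : tcp_socket { recv_msg send_msg name_connect } ; [ httpd_enable_cgi httpd_can_network_connect && ]
DT allow httpd_sys_script_t reserved_port_type : tcp_socket name_connect ; [ allow_ypbind ]
"""

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# setools3 "sesearch -C" rule: <E|D><T|F> allow src tgt : class perm-or-{perms} ; [ condition ]
RULE_RE = re.compile(r'^([ED][TF])\s+allow\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+)\s*;\s*\[\s*(.*?)\s*\]')
COND_OPS = {'&&', '||', '!', '^', '==', '!='}   # operators in the RPN condition

def parse_avc(line):
    """Split one AVC record into its fields (None for non-AVC lines).
    stype/ttype are the type components of scontext/tcontext (user:role:type:level)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {'result': m.group(1), 'perms': m.group(2).split()}
    # shlex strips the quotes around values such as comm="bgp-query"
    fields.update(tok.split('=', 1) for tok in shlex.split(m.group(3)) if '=' in tok)
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields

def sesearch_command(fields):
    """The sesearch query that lists the rules (and booleans) covering this denial."""
    return 'sesearch -A -C -s %s -t %s -c %s -p %s' % (
        fields['stype'], fields['ttype'], fields['tclass'], ','.join(fields['perms']))

def booleans_granting(sesearch_output, perm):
    """For each conditional rule granting `perm`: (currently enabled?, booleans it depends on)."""
    hits = []
    for line in sesearch_output.splitlines():
        m = RULE_RE.match(line)
        if m and perm in m.group(5).strip('{} ').split():
            bools = [t for t in m.group(6).split() if t not in COND_OPS]
            hits.append((m.group(1)[0] == 'E', bools))
    return hits
```

httpd_can_network_connect lets the httpd domains connect to every port type, which is wider than the bgp_port_t denial alone; a local policy module generated from that denial with audit2allow keeps the grant limited to that port type.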
References
*1 http://www.kakiro-web.com/linux/selinux-2.html