SELinux Booleans Explained

Understand and manage Booleans and related audit rules in SELinux

  1. Floren
    I recently upgraded several servers to the CentOS 6.6 release, including the live AXIVO site, and to my surprise all PHP related applications stopped working. After a closer look at the server logs, I noticed several denied AVC and SYSCALL entries in the audit logs related to PHP-FPM and Nginx.

    This tutorial will help you identify the audit rules and Booleans related to an action or command blocked by SELinux on Red Hat Enterprise Linux / CentOS 6.6+. Note that ausearch -c matches on the process name (the comm field) recorded in the audit event, so use the name as it appears in the log. Start by validating who is the culprit:
    Next, analyze the policy package:
    # ausearch -c nginx | audit2allow -m nginx
    module nginx 1.0;
    require {
            type httpd_t;
            class process { execmem setrlimit };
    }
    #============= httpd_t ==============
    #!!!! This avc can be allowed using the boolean 'httpd_execmem'
    allow httpd_t self:process execmem;
    #!!!! This avc is allowed in the current policy
    allow httpd_t self:process setrlimit;
    
    # ausearch -c php-fpm | audit2allow -m php-fpm
    module php-fpm 1.0;
    require {
            type mysqld_port_t;
            type httpd_t;
            type memcache_port_t;
            class process setrlimit;
            class tcp_socket name_connect;
    }
    #============= httpd_t ==============
    #!!!! This avc can be allowed using one of the these booleans:
    #     httpd_can_network_relay, httpd_can_network_memcache, httpd_can_network_connect
    allow httpd_t memcache_port_t:tcp_socket name_connect;
    #!!!! This avc can be allowed using one of the these booleans:
    #     httpd_can_network_connect, httpd_can_network_connect_db
    allow httpd_t mysqld_port_t:tcp_socket name_connect;
    #!!!! This avc can be allowed using the boolean 'httpd_setrlimit'
    allow httpd_t self:process setrlimit;
    The above output shows clearly which Boolean should be enabled. Verify the status of a specific Boolean and enable it if necessary; the -P flag writes the change to the policy store so it survives a reboot (without it the Boolean reverts at the next boot):
    # sestatus -b | grep httpd_setrlimit
    httpd_setrlimit                             off
    # setsebool -P httpd_setrlimit on
    # sestatus -b | grep httpd_setrlimit
    httpd_setrlimit                             on
    Be careful which Booleans you enable. For example, httpd_execmem allows Nginx/PHP-FPM to map memory that is both writable and executable. Enabling this Boolean is not recommended from a security standpoint, as it removes the W^X protection that makes buffer overflow exploitation harder. Even though I noticed several alerts in the audit logs, I only enabled the following httpd Booleans (besides the ones set to on by default):
    • httpd_can_network_connect - allows the httpd_t domain (Nginx and PHP-FPM here) to open outbound TCP connections to any port
    • httpd_can_sendmail - allows Nginx/PHP-FPM to send mail, commonly needed by PHP scripts that call sendmail
    • httpd_enable_cgi - allows Nginx to run PHP CGI related programs
    • httpd_setrlimit - allows Nginx to change its own resource limits, for example the number of open file descriptors
    To list all Nginx related Booleans, run:
    I did not enable httpd_can_network_relay because it is needed only when Nginx is set up as a forward/remote proxy. I also kept httpd_can_network_connect_db and httpd_can_network_memcache disabled because I already allow those connections with httpd_can_network_connect.

    You could also generate and install a non-base policy package. audit2allow -M writes both the type enforcement source (nginx.te) and the compiled package (nginx.pp); review the .te before installing it, because audit2allow allows every denial it was fed, including ones that a Boolean or a file relabel would handle more narrowly:
    # ausearch -c nginx | audit2allow -M nginx
    # semodule -i nginx.pp
    # chmod 0600 /etc/selinux/targeted/modules/active/modules/nginx.pp
    # ausearch -c php-fpm | audit2allow -M php-fpm
    # semodule -i php-fpm.pp
    # chmod 0600 /etc/selinux/targeted/modules/active/modules/php-fpm.pp
    This is useful when no Boolean covers the denial, for example the Postfix postdrop denials.
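    The following script is an added example and not part of the original post or of the SELinux tools. It automates the two review steps above: extracting the Booleans that audit2allow suggests (in either hint format shown in the output above) and reporting their current value, and scanning a generated .te for allow rules that grant memory-execution permissions before semodule -i is run. The list of Booleans it flags as risky is this example's own choice (the post names httpd_execmem; httpd_can_network_relay is added as an assumption based on the proxy remark above); getsebool is only called when it is installed, so the parsing part runs on any host.

    ```shell
    #!/bin/sh
    # Added example (not from the original post): review what audit2allow proposes
    # before touching policy. Assumes the '#!!!!' hint comment formats shown above.

    # Booleans to flag for manual review. httpd_execmem is named in the post;
    # httpd_can_network_relay is this example's assumption (only needed for a proxy).
    RISKY_BOOLEANS="httpd_execmem httpd_can_network_relay"

    # suggested_booleans: read 'audit2allow -m' output on stdin and print one
    # suggested Boolean per line, de-duplicated. Handles both hint forms:
    #   #!!!! This avc can be allowed using the boolean 'httpd_setrlimit'
    #   #!!!! This avc can be allowed using one of the these booleans:
    #   #     httpd_can_network_relay, httpd_can_network_memcache
    suggested_booleans() {
        awk -v q="'" '
            /using the boolean/ {
                sub(/.*boolean /, ""); gsub(q, ""); print; next
            }
            /one of (the )?these booleans/ { multi = 1; next }
            multi && /^[ \t]*#/ {
                sub(/^[ \t]*#[ \t]*/, ""); gsub(/,/, " ")
                n = split($0, a, /[ \t]+/)
                for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
                multi = 0; next
            }
            { multi = 0 }
        ' | sort -u
    }

    # classify_boolean: print "risky" if the Boolean is in RISKY_BOOLEANS, else "ok".
    classify_boolean() {
        for b in $RISKY_BOOLEANS; do
            [ "$1" = "$b" ] && { echo risky; return 0; }
        done
        echo ok
    }

    # report_booleans: read 'audit2allow -m' output on stdin and print each
    # suggested Boolean with its risk class and current value. The value comes
    # from getsebool when it is installed; otherwise it is reported as unknown.
    report_booleans() {
        suggested_booleans | while read -r name; do
            state="unknown"
            if command -v getsebool >/dev/null 2>&1; then
                state=$(getsebool "$name" 2>/dev/null | awk '{print $NF}')
                [ -n "$state" ] || state="undefined"
            fi
            printf '%-32s %-6s %s\n' "$name" "$(classify_boolean "$name")" "$state"
        done
    }

    # risky_te_rules: read a .te written by 'audit2allow -M' on stdin and print
    # allow rules that grant memory-execution permissions. Empty output means no
    # rule of that kind was generated; '|| true' keeps 'set -e' scripts alive.
    risky_te_rules() {
        grep -E '^[[:space:]]*allow .*(execmem|execstack|execheap|execmod)' || true
    }

    # Typical use on the server (the tool calls are not run in this example):
    #   ausearch -c php-fpm | audit2allow -m php-fpm | report_booleans
    #   ausearch -c nginx | audit2allow -M nginx && risky_te_rules < nginx.te
    #   # only then: semodule -i nginx.pp
    ```

    Any Boolean the report marks risky, and any allow rule that risky_te_rules prints, should be justified explicitly rather than installed because it silences a denial.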