
SELinux Article Translations with Supplementary Notes


Originally I just wanted to write a CGI program in Python (the Python code runs a shell script, and the shell script does file I/O) to be executed by the Apache server, but it dragged out a pile of permission problems. When the shell script ran, a directory under /var/www/ clearly belonged to the apache user and had mode 755, yet writing a file there gave Permission Denied. The CGI child processes all ran as the apache user too. I had heard of SELinux before, and one day it finally stopped me. While working through the problem I searched a lot of documents; the valuable ones are saved here in case the links go dead.

How To

https://wiki.centos.org/HowTos/SELinux#head-ad837f60830442ae77a81aedd10c20305a811388

5.5 Allowing Access to a Port
We may want a service such as Apache to be allowed to bind and listen for incoming connections on a non-standard port. By default, the SELinux policy will only allow services access to recognized ports associated with those services. If we wanted to allow Apache to listen on tcp port 81, we can add a rule to allow that using the 'semanage' command:

# semanage port -a -t http_port_t -p tcp 81 

Supplement: man semanage-port shows that a port range can be added, but the documentation does not spell out the format of the range. Going by an answer on SE, a range is written with a hyphen, for example semanage port -a -t http_port_t -p tcp 8000-8999. According to the same answer, when deleting a range you must give exactly the range that was added: semanage port --delete -t http_port_t -p tcp 8000-8999
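The two points above (the range syntax, and the fact that a range can only be removed with the same spec it was added with) are easy to get wrong by hand. The following POSIX shell script is an added example, not code from the CentOS wiki or from this post: it validates a port spec before handing it to semanage, and records exactly what was added so that a later delete must match it. STATE_FILE is a path assumed for this example only.

```shell
#!/bin/sh
# Added example (not from the CentOS wiki or the original post): validate a
# semanage port spec ("81" or "8000-8999") before applying it, and record the
# exact spec that was added so that a later delete uses the same range.
# STATE_FILE is a path assumed for this example only.

STATE_FILE="${STATE_FILE:-/tmp/semanage-port-ranges.txt}"

# Return 0 when $1 is a single port or a low-high range within 1..65535.
valid_port_spec() {
    spec=$1
    case $spec in
        *-*) low=${spec%%-*}; high=${spec#*-} ;;
        *)   low=$spec;       high=$spec ;;
    esac
    # each half must be a non-empty string of digits ("80-", "-80", "1-2-3" fail here)
    case $low  in ''|*[!0-9]*) return 1 ;; esac
    case $high in ''|*[!0-9]*) return 1 ;; esac
    [ "$low" -ge 1 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ]
}

# Label a port (or range) with a type and remember exactly what was added.
# Usage: add_port_range http_port_t tcp 8000-8999
add_port_range() {
    type=$1; proto=$2; spec=$3
    valid_port_spec "$spec" || { echo "invalid port spec: $spec" >&2; return 1; }
    semanage port -a -t "$type" -p "$proto" "$spec" || return 1
    printf '%s %s %s\n' "$type" "$proto" "$spec" >> "$STATE_FILE"
}

# Remove a labelling, but only with the spec it was added with; deleting a
# different range (e.g. 8000-8500 after adding 8000-8999) is refused.
del_port_range() {
    type=$1; proto=$2; spec=$3
    record="$type $proto $spec"
    grep -qxF -- "$record" "$STATE_FILE" 2>/dev/null || {
        echo "no record of '$record' being added; refusing to delete" >&2; return 1; }
    semanage port -d -t "$type" -p "$proto" "$spec" || return 1
    grep -vxF -- "$record" "$STATE_FILE" > "$STATE_FILE.tmp" || :
    mv "$STATE_FILE.tmp" "$STATE_FILE"
}
```

Run it as root on an SELinux host with `add_port_range http_port_t tcp 8000-8999`; `semanage port -l` afterwards should show the range under http_port_t, and `del_port_range` with any other spec is refused before semanage is ever called.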

A full list of ports that services are permitted access by SELinux can be obtained with:

# semanage port -l 

Booleans

  • Translator's note: in the Chinese version of this section, Boolean was rendered as 開關 (switch).

Booleans explained: https://www.axivo.com/resources/selinux-booleans-explained.22/

I recently upgraded several servers to the CentOS 6.6 release, including the live AXIVO site, and to my surprise all PHP related applications stopped working. After a closer look at the servers' logs, I noticed several denied AVC and SYSCALL entries in the audit logs related to PHP-FPM and Nginx.

This tutorial will help you identify the audit rules and Booleans related to an action or command blocked by SELinux in Red Hat 6.6+. Start by validating who is the culprit:

# ausearch -i -ts recent
# ausearch -i -c nginx
# ausearch -i -c php-fpm

Next, analyze the policy package:

# ausearch -c nginx | audit2allow -m nginx
module nginx 1.0;
require {
        type httpd_t;
        class process { execmem setrlimit };
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean ‘httpd_execmem‘
allow httpd_t self:process execmem;
#!!!! This avc is allowed in the current policy
allow httpd_t self:process setrlimit;

# ausearch -c php-fpm | audit2allow -m php-fpm
module php-fpm 1.0;
require {
       type mysqld_port_t;
       type httpd_t;
       type memcache_port_t;
       class process setrlimit;
       class tcp_socket name_connect;
}
#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_relay, httpd_can_network_memcache, httpd_can_network_connect
allow httpd_t memcache_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_connect, httpd_can_network_connect_db
allow httpd_t mysqld_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using the boolean ‘httpd_setrlimit‘
allow httpd_t self:process setrlimit;

The above example shows clearly what Boolean should be enabled. Verify the status of a specific Boolean and enable it, if necessary:

# sestatus -b | grep httpd_setrlimit
httpd_setrlimit                             off
# setsebool -P httpd_setrlimit on
# sestatus -b | grep httpd_setrlimit
httpd_setrlimit                             on

Be careful what Boolean you enable. For example, httpd_execmem allows Nginx/PHP-FPM to execute programs requiring memory addresses that are both executable and writeable. Enabling this Boolean is not recommended from a security standpoint, as it reduces the protection against buffer overflows. Even though I noticed several alerts in the audit logs, I only enabled the following httpd Booleans (besides the ones set to On by default):

  • httpd_can_network_connect - allows Nginx connections to the network using TCP
  • httpd_can_sendmail - allows Nginx to send mail, commonly related to PHP Sendmail
  • httpd_enable_cgi - allows Nginx to run PHP CGI related programs
  • httpd_setrlimit - allows Nginx to adjust the number of file descriptors

To list all Nginx related Booleans, run:

# sestatus -b | grep httpd 

I did not enable httpd_can_network_relay because it is needed only when Nginx is set as a forward/remote proxy. I also kept httpd_can_network_connect_db and httpd_can_network_memcache disabled because I already allow connections with httpd_can_network_connect.

You could also generate and install a non-base policy package:

# ausearch -c nginx | audit2allow -M nginx
# semodule -i nginx.pp
# chmod 0600 /etc/selinux/targeted/modules/active/modules/nginx.pp
# ausearch -c php-fpm | audit2allow -M php-fpm
# semodule -i php-fpm.pp
# chmod 0600 /etc/selinux/targeted/modules/active/modules/php-fpm.pp

This is useful when no Booleans are defined, for example the Postfix postdrop denials.
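The audit2allow -m listings above are what you read by eye to decide between flipping a Boolean and installing a module. The script below is an added example, not code from the AXIVO article: it turns such a listing into a review table (one line per allow rule with the Boolean(s) audit2allow names, "already-allowed", or "-" when only a custom module would help) and marks rules whose suggested Booleans are on a risk list. The sample inputs are copies of the two listings above; RISKY_BOOLEANS is this example's own list, seeded from the article's httpd_execmem warning.

```shell
#!/bin/sh
# Added example (not from the AXIVO article): turn "audit2allow -m" output into
# a review list. For every allow rule it prints the Boolean(s) audit2allow says
# would permit it, "already-allowed" when the rule is already in policy, or "-"
# when no Boolean exists (only a custom module would help). RISKY_BOOLEANS is
# this example's own list, seeded from the article's httpd_execmem warning.

RISKY_BOOLEANS="${RISKY_BOOLEANS:-httpd_execmem}"

# stdin: audit2allow -m output; stdout: "<booleans>\t<allow rule>" per rule
suggested_booleans() {
    awk '
        # one-Boolean hint; the name is the last word, wrapped in some kind of quote
        /^#!!!! This avc can be allowed using the boolean/ {
            b = $NF; gsub(/[^A-Za-z0-9_]/, "", b); pending = b; next
        }
        # several-Booleans hint; the names are on the next comment line
        /^#!!!! This avc can be allowed using one of the/ { multi = 1; next }
        multi && /^#/ {
            names = substr($0, 2)                 # drop the leading "#"
            gsub(/[ \t,]+/, ",", names); sub(/^,/, "", names); sub(/,$/, "", names)
            pending = names; multi = 0; next
        }
        /^#!!!! This avc is allowed in the current policy/ { pending = "already-allowed"; next }
        /^allow / {
            rule = $0; sub(/;[ \t]*$/, "", rule)
            tag = (pending == "" ? "-" : pending)
            print tag "\t" rule
            pending = ""
        }
    '
}

# stdin: suggested_booleans output; prefixes "RISKY" when any suggested Boolean
# is in RISKY_BOOLEANS, otherwise "ok"
flag_risky() {
    awk -F '\t' -v risky="$RISKY_BOOLEANS" '
        BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
        {
            tag = "ok"; n = split($1, names, ",")
            for (i = 1; i <= n; i++) if (names[i] in bad) tag = "RISKY"
            print tag "\t" $0
        }'
}

# Constructed samples: the two audit2allow listings from the article
sample_nginx() {
cat <<'EOF'
module nginx 1.0;
require {
        type httpd_t;
        class process { execmem setrlimit };
}
#============= httpd_t ==============
#!!!! This avc can be allowed using the boolean 'httpd_execmem'
allow httpd_t self:process execmem;
#!!!! This avc is allowed in the current policy
allow httpd_t self:process setrlimit;
EOF
}

sample_php_fpm() {
cat <<'EOF'
module php-fpm 1.0;
require {
       type mysqld_port_t;
       type httpd_t;
       type memcache_port_t;
       class process setrlimit;
       class tcp_socket name_connect;
}
#============= httpd_t ==============
#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_relay, httpd_can_network_memcache, httpd_can_network_connect
allow httpd_t memcache_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using one of the these booleans:
#     httpd_can_network_connect, httpd_can_network_connect_db
allow httpd_t mysqld_port_t:tcp_socket name_connect;
#!!!! This avc can be allowed using the boolean 'httpd_setrlimit'
allow httpd_t self:process setrlimit;
EOF
}

# On a live system:  ausearch -c nginx | audit2allow -m nginx | suggested_booleans | flag_risky
```

When a rule lists several Booleans (memcache_port_t above offers httpd_can_network_memcache as well as httpd_can_network_connect), the table makes it easy to pick the narrowest one that covers the denial rather than the broadest.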

Viewing information about Booleans

https://danwalsh.livejournal.com/64779.html

Use the semanage command to view the descriptions of these Booleans:

> semanage boolean -l | grep httpd_can_network_connect
httpd_can_network_connect_db   (off  ,  off)  Allow HTTPD scripts and modules to connect to databases over the network.
httpd_can_network_connect      (off  ,  off)  Allow HTTPD scripts and modules to connect to the network using TCP.

The best approach is to look at sesearch and seinfo; on newer systems (Fedora/RHEL 7) use the sepolicy command instead. Some man pages now exist as well: man httpd_selinux. sesearch and seinfo need the setools-cmdline package to be installed; sepolicy needs the policycoreutils-python package.

boolean httpd_can_network_connect_db

sesearch -A -s httpd_t -b httpd_can_network_connect_db -p name_connect
   allow httpd_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow httpd_t mssql_port_t : tcp_socket name_connect ;
   allow httpd_t oracle_port_t : tcp_socket name_connect ;
   allow httpd_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow httpd_t gds_db_port_t : tcp_socket name_connect ;

sesearch prints what setting httpd_can_network_connect_db actually does: once the Boolean is on, httpd_t can connect to ports labelled postgresql_port_t/mssql_port_t/oracle_port_t/mysqld_port_t/gds_db_port_t. Use seinfo to turn these port types into concrete port definitions (semanage port -l works too):

> seinfo  --port | grep -e postgresql_port_t -e mysqld_port_t -e oracle_port_t -e gds_db_port_t | grep tcp
    portcon tcp 3050 system_u:object_r:gds_db_port_t:s0
    portcon tcp 1186 system_u:object_r:mysqld_port_t:s0
    portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
    portcon tcp 63132-63164 system_u:object_r:mysqld_port_t:s0
    portcon tcp 1521 system_u:object_r:oracle_port_t:s0
    portcon tcp 2483 system_u:object_r:oracle_port_t:s0
    portcon tcp 2484 system_u:object_r:oracle_port_t:s0
    portcon tcp 5432 system_u:object_r:postgresql_port_t:s0

> sepolicy network -t postgresql_port_t
postgresql_port_t: tcp: 5432

boolean httpd_can_network_connect

> sesearch -A -s httpd_t -b httpd_can_network_connect -p name_connect
Found 1 semantic av rules:
   allow httpd_t port_type : tcp_socket name_connect ;

The above command shows that httpd_can_network_connect allows httpd_t to connect to all tcp socket types that have the port_type attribute.

> seinfo -aport_type -x | wc -l
245

Using seinfo above would show you that port_type is the attribute of all port types, meaning that turning on the httpd_can_network_connect boolean allows the httpd_t domain to connect to ALL tcp network ports.

Bottom Line httpd_can_network_connect_db allows httpd_t to connect to an additional 10 ports while httpd_can_network_connect adds thousands.
Conclusion: httpd_can_network_connect_db lets httpd_t reach a dozen or so extra ports, while httpd_can_network_connect opens thousands (essentially all of them).
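The comparison above is done by hand: sesearch gives the target types a Boolean enables, seinfo --port maps types to ports, and the difference between "about 10 ports" and "thousands" falls out. The POSIX shell script below is an added example, not code from Dan Walsh's post, that carries that derivation through for any Boolean: it extracts the name_connect targets from sesearch output, resolves them against a seinfo --port listing, counts the individual ports (expanding ranges such as 63132-63164), and reports targets that no portcon line resolves, which is exactly what happens with httpd_can_network_connect, whose target port_type is an attribute rather than a type. It accepts both the spaced setools-3 sesearch layout shown above ("type : tcp_socket") and the compact setools-4 layout ("type:tcp_socket"). The sample data are copies of the listings above.

```shell
#!/bin/sh
# Added example (not from Dan Walsh's post): carry the sesearch -> seinfo
# derivation through in one go. Given the sesearch rules a Boolean enables and
# the seinfo --port listing, print the concrete TCP ports httpd_t could
# name_connect to, count them (expanding ranges), and report target names that
# no portcon line resolves. Sample data below are copied from the page.

# stdin: sesearch -A output; stdout: one target type per tcp name_connect rule
connect_targets() {
    awk '$1 == "allow" && /tcp_socket/ && /name_connect/ {
        t = $3; sub(/:.*/, "", t); print t     # strip ":tcp_socket" (setools 4 layout)
    }'
}

# $1: whitespace-separated types; stdin: seinfo --port output
# stdout: "<proto> <port-or-range> <type>" for each matching portcon line
ports_for_types() {
    awk -v want="$1" '
        BEGIN { n = split(want, w, /[ \t\n]+/); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        $1 == "portcon" {
            split($4, ctx, ":")                  # user:role:type:level
            if (ctx[3] in ok) print $2, $3, ctx[3]
        }'
}

# stdin: ports_for_types output; prints the number of individual ports
port_count() {
    awk '{ total += (split($2, r, "-") == 2) ? r[2] - r[1] + 1 : 1 }
         END { print total + 0 }'
}

# $1: types; stdin: seinfo --port output; prints names with no portcon line.
# A name like port_type here is an attribute, not a type: expand it with
# "seinfo -aport_type -x" instead.
unresolved_types() {
    listing=$(cat)
    for t in $1; do
        printf '%s\n' "$listing" | grep -q ":$t:" || echo "$t"
    done
}

# Constructed samples, copied from the sesearch/seinfo listings on the page
sample_sesearch_db() {
cat <<'EOF'
   allow httpd_t postgresql_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow httpd_t mssql_port_t : tcp_socket name_connect ;
   allow httpd_t oracle_port_t : tcp_socket name_connect ;
   allow httpd_t mysqld_port_t : tcp_socket { recv_msg send_msg name_connect } ;
   allow httpd_t gds_db_port_t : tcp_socket name_connect ;
EOF
}

sample_sesearch_all() {
cat <<'EOF'
Found 1 semantic av rules:
   allow httpd_t port_type : tcp_socket name_connect ;
EOF
}

sample_seinfo_ports() {
cat <<'EOF'
    portcon tcp 3050 system_u:object_r:gds_db_port_t:s0
    portcon tcp 1186 system_u:object_r:mysqld_port_t:s0
    portcon tcp 3306 system_u:object_r:mysqld_port_t:s0
    portcon tcp 63132-63164 system_u:object_r:mysqld_port_t:s0
    portcon tcp 1521 system_u:object_r:oracle_port_t:s0
    portcon tcp 2483 system_u:object_r:oracle_port_t:s0
    portcon tcp 2484 system_u:object_r:oracle_port_t:s0
    portcon tcp 5432 system_u:object_r:postgresql_port_t:s0
EOF
}

# On a live system:
#   types=$(sesearch -A -s httpd_t -b httpd_can_network_connect_db -p name_connect | connect_targets)
#   seinfo --port | ports_for_types "$types" | port_count
#   seinfo --port | unresolved_types "$types"
```

On the sample data the db Boolean resolves to 40 individual TCP ports (the mysqld range alone contributes 33) with mssql_port_t left unresolved only because the page's seinfo listing did not grep for it; for the connect Boolean the single unresolved name port_type is the signal that the grant is an attribute covering every port type.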
