
I am getting the following SELinux denied lines in my log file when I attempt to redirect a user to Paypal to checkout. Would you please help me understand what it means and what exceptions I should add to SELinux to allow these?

type=AVC msg=audit(1591554743.559:10135): avc:  denied  { name_connect } for  pid=3389 comm="httpd" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1591554743.559:10135): arch=c000003e syscall=42 success=no exit=-13 a0=19 a1=7f6a14077238 a2=10 a3=26 items=0 ppid=981 pid=3389 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=PROCTITLE msg=audit(1591554743.559:10135): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44 

type=AVC msg=audit(1591554758.933:10140): avc:  denied  { name_connect } for  pid=5728 comm="php-fpm" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1591554758.933:10140): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7f2e0555cf50 a2=10 a3=1bd7a524e1bda8 items=0 ppid=977 pid=5728 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=PROCTITLE msg=audit(1591554758.933:10140): proctitle=7068702D66706D3A20706F6F6C20777777

From my research, it looks like "When enabled in ENFORCING mode, by default, SELinux prevents Apache web server from establishing network connections. On the machine hosting Apache web server, configure SELinux it to allow httpd network connections" RedHat

# /usr/sbin/setsebool httpd_can_network_connect 1

I just wanted to learn more about how much this actually opens up from a security standpoint and if it is adding too broad of an exception.

Also, if there is any way to limit by domains on this boolean rule.

Thank you all very much for your help :)

J W
  • https://serverfault.com/search?q=+avc%3A++denied++%7B+name_connect+%7D+ – user9517 Jun 07 '20 at 20:37
  • @user9517 Thank you for the link :) I've read many of those already. I just wanted to see what this setsebool actually does and if it would be too large of an exception to open up and if there is any way to limit the httpd can network connect to a list of whitelisted domains. setsebool -P httpd_can_network_connect=1 – J W Jun 07 '20 at 20:42
  • You need to clarify in your question what research you have already carried out, what you have discovered and what you actually want to know... a bit like you did in your comment. – user9517 Jun 07 '20 at 20:50
  • @user9517 That is a great point. I will edit my question to further clarify the research process that I have done and been more specific on my question. I appreciate your feedback :D I will definitely keep that in my mind for the future. – J W Jun 07 '20 at 20:55
  • What documentation or code are you following for the Paypal integration? Requiring a non-default security toggle to forward to a payment processor seems not ideal. – John Mahowald Jun 07 '20 at 23:17
  • Hey john I am actually using Magento 2 and it requires curl to redirect to PayPal or fetch from USPS. I’m not sure if there is a way around this. – J W Jun 08 '20 at 00:07
  • You could still use a more restrictive boolean to open things up, such as `httpd_can_network_relay` which only allows outgoing HTTP(s), FTP, gopher and memcached. – Michael Hampton Jun 11 '20 at 19:47

2 Answers

5

how much this actually opens up from a security standpoint

A lot. As you may have guessed it allows httpd_t to talk to any remote servers. There is no specification for which website it is, and it can be a malicious one.

and if it is adding too broad of an exception

It does, but it's a somewhat necessary evil.

To understand how it can be dangerous: with the boolean off, PHP code is unable to talk to remote websites (as if curl_ functions were disabled).

If a website was hacked and the attacker now can change some files, they often will seek to add payload from other websites or establish a reverse shell, which wouldn't be possible.

With the boolean enabled, it will be possible.

The same applies to all cases of fetching any untrusted PHP code from third parties. E.g. consider your website was not hacked, to begin with.

You have installed some rare module for your CMS, but little did you know that it had some obfuscated code that pretends to be a license, to fetch malware/do crypto-mining when it's being run, from the author's website.

if there is any way to limit by domains on this boolean rule.

It looks like it's only possible to limit by IP addresses. I'm not sure about specific implementation though.

Danila Vershinin
  • Thanks to this comment I didn't turn on httpd_can_connect_network, which according to Dan Welsh's blog opens up thousands of ports. Anyone else reading this, see my further research into this here: https://learn.redhat.com/t5/General/SELinux-config-for-Django-Apache-MariaDB-Fedora38-stack/m-p/34343 – Ahmad Bilal Jun 30 '23 at 03:28
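The denial records quoted in the question and the boolean trade-off discussed in this answer (and in Michael Hampton's comment about `httpd_can_network_relay`) can be tied together with a small triage script. The following Python is an added example, not code from the question, the answers, or the SELinux project: it parses the AVC/SYSCALL/PROCTITLE records, decodes the hex `proctitle`, and lists the booleans named on this page from narrowest to broadest scope. The set of port types covered by `httpd_can_network_relay` is taken from the comment above and is an assumption here; check `sesearch` or the policy source on your own distribution before relying on it.

```python
"""Triage SELinux AVC denials of the kind quoted in the question (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the two denials quoted in the question, copied verbatim.
SAMPLE_AUDIT = r'''
type=AVC msg=audit(1591554743.559:10135): avc:  denied  { name_connect } for  pid=3389 comm="httpd" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1591554743.559:10135): arch=c000003e syscall=42 success=no exit=-13 a0=19 a1=7f6a14077238 a2=10 a3=26 items=0 ppid=981 pid=3389 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=PROCTITLE msg=audit(1591554743.559:10135): proctitle=2F7573722F7362696E2F6874747064002D44464F524547524F554E44
type=AVC msg=audit(1591554758.933:10140): avc:  denied  { name_connect } for  pid=5728 comm="php-fpm" dest=80 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1591554758.933:10140): arch=c000003e syscall=42 success=no exit=-13 a0=b a1=7f2e0555cf50 a2=10 a3=1bd7a524e1bda8 items=0 ppid=977 pid=5728 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="php-fpm" exe="/usr/sbin/php-fpm" subj=system_u:system_r:httpd_t:s0 key=(null)ARCH=x86_64 SYSCALL=connect AUID="unset" UID="apache" GID="apache" EUID="apache" SUID="apache" FSUID="apache" EGID="apache" SGID="apache" FSGID="apache"
type=PROCTITLE msg=audit(1591554758.933:10140): proctitle=7068702D66706D3A20706F6F6C20777777
'''

# Assumption (from Michael Hampton's comment): port types httpd_can_network_relay allows.
RELAY_PORT_TYPES = {'http_port_t', 'ftp_port_t', 'gopher_port_t', 'memcache_port_t'}

_MSG_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
_PERMS_RE = re.compile(r'\{ (?P<perms>[^}]+) \}')
_KV_RE = re.compile(r'(?P<k>\w+)=(?P<v>"[^"]*"|\S+)')


@dataclass
class Denial:
    serial: str
    perms: set
    source_type: str   # e.g. httpd_t
    target_type: str   # e.g. http_port_t
    tclass: str        # e.g. tcp_socket
    comm: str = ''
    dest: str = ''
    syscall: str = ''
    exe: str = ''
    proctitle: str = ''


def _kv(body):
    """key=value pairs of a record, with quotes stripped."""
    return {m['k']: m['v'].strip('"') for m in _KV_RE.finditer(body)}


def _type_of(context):
    """system_u:system_r:httpd_t:s0 -> httpd_t (the type is the third field)."""
    return context.split(':')[2]


def decode_proctitle(value):
    """auditd hex-encodes proctitle when argv contains spaces/NULs; NUL separates argv."""
    if re.fullmatch(r'[0-9A-Fa-f]+', value):
        return bytes.fromhex(value).replace(b'\x00', b' ').decode('utf-8', 'replace')
    return value.strip('"')


def parse_audit(text):
    """Group AVC, SYSCALL and PROCTITLE records by audit serial into Denial objects.
    Assumes the AVC record precedes the others with the same serial, as auditd emits them."""
    denials = {}
    for line in text.splitlines():
        m = _MSG_RE.match(line.strip())
        if not m:
            continue
        serial, body = m['serial'], m['body']
        if m['type'] == 'AVC':
            kv = _kv(body)
            perms = set(_PERMS_RE.search(body)['perms'].split())
            denials[serial] = Denial(serial, perms, _type_of(kv['scontext']),
                                     _type_of(kv['tcontext']), kv['tclass'],
                                     kv.get('comm', ''), kv.get('dest', ''))
        elif serial in denials and m['type'] == 'SYSCALL':
            # Targeted regexes: the interpreted tail (ARCH=... SYSCALL=...) is joined to
            # key=(null) by a control character that log viewers often drop.
            sc = re.search(r'\bSYSCALL=(\w+)', body)
            ex = re.search(r'exe="([^"]*)"', body)
            denials[serial].syscall = sc[1] if sc else ''
            denials[serial].exe = ex[1] if ex else ''
        elif serial in denials and m['type'] == 'PROCTITLE':
            denials[serial].proctitle = decode_proctitle(_kv(body).get('proctitle', ''))
    return list(denials.values())


def suggest_booleans(d):
    """Booleans named on this page that would permit the denial, narrowest scope first."""
    if d.source_type != 'httpd_t' or d.tclass != 'tcp_socket' or d.perms != {'name_connect'}:
        return []
    out = []
    if d.target_type in RELAY_PORT_TYPES:
        out.append(('httpd_can_network_relay', 'outgoing HTTP(S), FTP, gopher and memcached ports only'))
    out.append(('httpd_can_network_connect', 'any TCP port on any remote host (broad)'))
    return out


if __name__ == '__main__':
    for d in parse_audit(SAMPLE_AUDIT):
        print(f"[{d.serial}] {d.comm} ({d.proctitle}) {d.syscall}() to {d.target_type} "
              f"port {d.dest}: denied {sorted(d.perms)}")
        for name, scope in suggest_booleans(d):
            print(f"    candidate: setsebool -P {name} 1   # {scope}")
```

Run it as-is to see the two denials from the question triaged; to use it on a live host, replace `SAMPLE_AUDIT` with the output of `ausearch -m AVC`. The ordering matters: since the target here is `http_port_t`, the relay boolean is listed before the blanket `httpd_can_network_connect`, which is the "too broad" exception this answer warns about.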
1

The SELinux setting httpd_can_network_connect should be off by default. This setting will not prevent your server from connecting to PayPal checkout. There is some other problem in the server that is preventing it from connecting to PayPal but you will need to provide more details.

RSG
  • I'm aware that new users are not allowed to comment on others' questions. While totally valid, your remark would rather qualify as a comment, though. Please keep that in mind for the future. – Phillip -Zyan K Lee- Stockmann Sep 25 '20 at 08:19