I'm seeing occasional SELinux denied messages in my logs that I believe indicate that the httpd process is trying to connect to a Tor port:

type=AVC msg=audit(1423247604.799:1966): avc: denied { name_connect } for pid=25650 comm="httpd" dest=9050 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket

This server is not directly connected to the Internet. All the HTTP requests are proxied from a server that is connected to the Internet with HAProxy to pass requests back and forth. The web sites on the server are WordPress sites in a few different virtual hosts. None of the sites are very busy.

I don't want to turn on the sebool to allow httpd to network connect to just anywhere, and this looks like a good reason not to. My concern is why the httpd process is trying to do this at all, and that the server may be compromised somehow. Maybe it's just a failed attempt at a hack through a crafted HTTP request?

Any suggestions for how to track down the source that's causing these network connection attempts?

Thanks,
ML
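
Added example, not part of the original post: a small Python parser for AVC denial records like the one quoted above. It picks out denied outbound connects from the httpd_t domain and gives a UTC time window per denial for matching against the HAProxy or Apache access logs. The function names and the second and third sample lines are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

AVC_RE = re.compile(r'type=AVC msg=audit\((\d+\.\d+):(\d+)\): avc:\s+denied\s+'
                    r'\{ ([^}]+) \} for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(4))}
    rec["perms"] = m.group(3).split()
    rec["serial"] = int(m.group(2))
    rec["time"] = datetime.fromtimestamp(float(m.group(1)), tz=timezone.utc)
    # A context is user:role:type:level; the type is what policy matches on.
    rec["source_type"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def connect_denials(lines, source_type="httpd_t"):
    """Denied outbound TCP connects (name_connect) from one SELinux domain."""
    recs = [r for r in map(parse_avc, lines) if r]
    return [r for r in recs if r["source_type"] == source_type
            and r.get("tclass") == "tcp_socket" and "name_connect" in r["perms"]]

def summarize(denials):
    """Count denials per (command, destination port, port type)."""
    return Counter((r["comm"], int(r["dest"]), r["target_type"]) for r in denials)

def access_log_window(rec, seconds=5):
    """UTC interval around a denial, for matching web access-log entries."""
    pad = timedelta(seconds=seconds)
    return rec["time"] - pad, rec["time"] + pad

# First entry is the record from the post; the other two are constructed samples.
CTX = ' scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket'
SAMPLE = [
    'type=AVC msg=audit(1423247604.799:1966): avc: denied { name_connect } for pid=25650 comm="httpd" dest=9050' + CTX,
    'type=AVC msg=audit(1423251200.120:2044): avc:  denied  { name_connect } for  pid=25712 comm="httpd" dest=9050' + CTX,
    'type=AVC msg=audit(1423250000.100:2001): avc:  denied  { read } for  pid=1200 comm="logrotate" name="error.log" scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file',
]

if __name__ == "__main__":
    hits = connect_denials(SAMPLE)
    print(dict(summarize(hits)))
    for r in hits:
        print(r["serial"], r["pid"], [t.isoformat() for t in access_log_window(r)])
```

Audit timestamps are epoch seconds, so the window is in UTC; convert the access-log timestamps to UTC before comparing.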