I'm seeing occasional SELinux denied messages in my logs that I believe
indicate that the httpd process is trying to connect to a Tor port:

type=AVC msg=audit(1423247604.799:1966): avc: denied { name_connect }
for pid=25650 comm="httpd" dest=9050 scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket

This server is not directly connected to the Internet. All the HTTP
requests are proxied from a server that is connected to the Internet with
HAProxy to pass requests back and forth. The web sites on the server are
WordPress sites in a few different virtual hosts. None of the sites are
very busy.

I don't want to turn on the sebool to allow httpd to network connect to
just anywhere, and this looks like a good reason not to.

My concern is why the httpd process is trying to do this at all, and
that the server may be compromised somehow. Maybe it's just a failed
attempt at a hack through a crafted HTTP request?

Any suggestions for how to track down the source that's causing these
network connection attempts?
Thanks,
ML

/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
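One way to answer the "which request caused this?" question is to correlate the audit timestamp and PID in the AVC record with the Apache access log. The script below is an added example, not code from the original post or from the list; it assumes an access log whose LogFormat has the worker PID appended with Apache's `%P` directive (e.g. `LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %P" combined_pid`), and falls back to a time window when no PID column is present, since worker PIDs are reused and a prefork/mod_php worker serves many requests over its life. The audit and access-log lines embedded here are constructed sample data, not the original poster's logs; on a real box you would feed it the output of `ausearch -m avc -c httpd` and the vhost access logs.

```python
"""Correlate SELinux AVC name_connect denials with Apache requests.

Added example: parses auditd AVC records and Apache combined-log lines,
then lists the requests handled by the same worker PID (exact match) or
any request within a few seconds of the denial (fallback).
"""
import re
from datetime import datetime

# Fields of an AVC denial as auditd writes them (double spaces tolerated).
AVC_RE = re.compile(
    r'audit\((?P<ts>\d+)\.\d+:\d+\).*?\bavc:\s+denied\s+\{\s*(?P<perm>[^}]*?)\s*\}'
    r'.*?\bpid=(?P<pid>\d+).*?\bcomm="(?P<comm>[^"]*)"'
    r'.*?\bscontext=(?P<scontext>\S+).*?\btcontext=(?P<tcontext>\S+)'
    r'.*?\btclass=(?P<tclass>\S+)'
)
DEST_RE = re.compile(r'\bdest=(?P<dest>\d+)')

# Apache "combined" format with an optional trailing %P (worker PID) field.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
    r'(?: (?P<pid>\d+))?\s*$'
)


def parse_avc(line):
    """Return a dict for an AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = int(rec["ts"])          # audit timestamps are epoch seconds
    rec["pid"] = int(rec["pid"])
    d = DEST_RE.search(line)            # dest= only appears on socket denials
    rec["dest"] = int(d.group("dest")) if d else None
    return rec


def parse_access(line):
    """Return a dict for an Apache combined-log line, or None."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # %t is "[06/Feb/2015:11:33:24 -0700]"; %z makes the datetime aware,
    # so .timestamp() yields the same epoch clock the audit log uses.
    rec["ts"] = int(datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp())
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec


def correlate(audit_lines, access_lines, window=5):
    """For every denied name_connect, collect candidate requests.

    same_pid: requests served by the denied worker PID within the window
              (PIDs are recycled, so the window still applies).
    nearby:   every request within the window, for logs without %P.
    """
    requests = [r for r in map(parse_access, access_lines) if r]
    results = []
    for avc in filter(None, map(parse_avc, audit_lines)):
        if "name_connect" not in avc["perm"].split():
            continue
        close = [r for r in requests if abs(r["ts"] - avc["ts"]) <= window]
        results.append({
            "avc": avc,
            "same_pid": [r for r in close if r["pid"] == avc["pid"]],
            "nearby": close,
        })
    return results


# Constructed sample data (not real logs). The first AVC mirrors the shape
# of the record quoted in the post; the second is a non-network denial.
AUDIT = [
    'type=AVC msg=audit(1423247604.799:1966): avc:  denied  { name_connect } for  '
    'pid=25650 comm="httpd" dest=9050 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1423247610.120:1970): avc:  denied  { read } for  '
    'pid=25650 comm="httpd" name="wp-config.php" dev="sda1" ino=1234 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file',
]
ACCESS = [
    '203.0.113.7 - - [06/Feb/2015:11:33:22 -0700] "GET /blog/ HTTP/1.1" 200 7312 "-" "Mozilla/5.0" 25648',
    '198.51.100.23 - - [06/Feb/2015:11:33:24 -0700] "POST /wp-content/uploads/2015/02/x.php HTTP/1.1" 200 41 "-" "python-requests/2.5.1" 25650',
    '203.0.113.7 - - [06/Feb/2015:11:34:10 -0700] "GET /blog/feed/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0" 25651',
]

if __name__ == "__main__":
    for hit in correlate(AUDIT, ACCESS):
        a = hit["avc"]
        print(f"pid {a['pid']} ({a['comm']}) -> port {a['dest']} [{a['tcontext']}]")
        for r in hit["same_pid"] or hit["nearby"]:
            print(f"   {r['client']} {r['request']} pid={r['pid']}")
```

In the sample run the denial at 11:33:24 lines up with a POST to a PHP file under wp-content/uploads from the same worker PID, which is the kind of request you would then pull apart (the file, its owner and mtime, and the client address on the HAProxy side). Without `%P` in the log you only get the time-window list, so add the PID field first if the denials keep recurring.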
