httpd mod_auth_pam winbind

Daniel J Walsh dwalsh at redhat.com
Fri Apr 2 15:33:30 UTC 2010


On 04/02/2010 12:38 AM, Vadym Chepkov wrote:
> Hi,
>
> I have selinux-policy-targeted-2.4.6-255.el5_4.4
>
> allow_httpd_mod_auth_pam -->  on
> httpd_can_network_connect -->  on
>
> httpd with mod_auth_pam via winbind
>
> get the following avc when in "permissive" mode
>
>
> type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 a0=10 a1=3 a2=9 a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1270181973.950:37): avc:  denied  { create } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>
> type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 a0=13 a1=7fff640fa9c0 a2=7c a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1270181973.950:38): avc:  denied  { nlmsg_relay } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> type=AVC msg=audit(1270181973.950:38): avc:  denied  { write } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>
> type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 a0=13 a1=7fff640f8690 a2=231c a3=42 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1270181973.950:39): avc:  denied  { read } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>
> audit2allow suggests simple:
> allow httpd_t self:netlink_audit_socket { nlmsg_relay write create read };
>
> Is something missing in the policy, or did I miss some other boolean?
>
>    
No, this could be considered a bug.  Basically pam is trying to send an
audit message to the audit.log.

You can add this access; it would allow the Apache process to attempt
to send audit messages.  Since httpd is running as non-root, it
might not have the capabilities necessary to send them.

Open a bug report on this, since we probably should dontaudit these 
calls if the boolean to allow pam is turned on.
> Thank you.
>
> Sincerely yours,
>    Vadym Chepkov
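As an added illustration (not code from the thread or from the SELinux reference policy), the following script does what audit2allow did for the records above, and also produces the alternative Dan Walsh describes: a module whose `dontaudit` rules are wrapped in a conditional on the `allow_httpd_mod_auth_pam` boolean, so the netlink_audit_socket attempts stop filling audit.log only when mod_auth_pam use is enabled. It parses the four quoted AVC lines (embedded as constructed sample input; the SYSCALL records are not needed), groups denied permissions by source type, target type and object class, collapses a target equal to the source into `self`, and prints a `.te` module. The module name `httpd_pam_audit` is an assumption; the script generalizes to any number of source/target/class groups, not just the single one in this thread.

```python
"""Tiny audit2allow-style generator for AVC denial records.

Added example: parses raw audit AVC lines, groups the denied permissions by
(source type, target type, object class) and emits either plain allow rules
or dontaudit rules wrapped in an SELinux conditional on a boolean.
"""
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in the thread.
SAMPLE_AVC = """\
type=AVC msg=audit(1270181973.950:37): avc:  denied  { create } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc:  denied  { nlmsg_relay } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc:  denied  { write } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:39): avc:  denied  { read } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
"""

# One AVC record: permission set in braces, then the source/target contexts and class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Map (source_type, target_type, tclass) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL lines and anything else are ignored
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return dict(denials)


def format_rules(denials, verb="allow"):
    """Render one rule per group; a target equal to the source becomes 'self'."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if tgt == src else tgt
        rules.append(f"{verb} {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


def policy_module(name, denials, boolean=None):
    """Build .te text. Without a boolean: allow rules, as audit2allow -M would.
    With a boolean: dontaudit rules inside `if (boolean) { ... }`, so the
    denials are silenced only while that tunable is enabled."""
    types = sorted({t for (src, tgt, _) in denials for t in (src, tgt)})
    classes = defaultdict(set)
    for (_, _, cls), perms in denials.items():
        classes[cls].update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    if boolean:
        lines.append(f"\tbool {boolean};")
    lines += ["}", ""]
    if boolean:
        lines.append(f"if ({boolean}) {{")
        lines += ["\t" + r for r in format_rules(denials, "dontaudit")]
        lines.append("}")
    else:
        lines += format_rules(denials, "allow")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = parse_avc(SAMPLE_AVC)
    print("# audit2allow-style output:")
    print("\n".join(format_rules(found)))
    print()
    print(policy_module("httpd_pam_audit", found, boolean="allow_httpd_mod_auth_pam"))
```

The printed `.te` text is compiled and loaded with the standard toolchain (`checkmodule -M -m -o httpd_pam_audit.mod httpd_pam_audit.te`, `semodule_package -o httpd_pam_audit.pp -m httpd_pam_audit.mod`, `semodule -i httpd_pam_audit.pp`). Choosing the boolean-gated `dontaudit` form keeps the default deny in place while removing the noise; the plain `allow` form is the broader grant, and as the reply notes it may still fail at runtime because httpd runs without the capability needed to deliver audit messages.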