httpd mod_auth_pam winbind

Daniel J Walsh dwalsh at redhat.com
Mon Apr 5 13:49:14 UTC 2010


On 04/05/2010 09:32 AM, Vadym Chepkov wrote:
> --- On Mon, 4/5/10, Daniel J Walsh <dwalsh at redhat.com> wrote:
>
>> From: Daniel J Walsh <dwalsh at redhat.com>
>> Subject: Re: httpd mod_auth_pam winbind
>> To: "Vadym Chepkov" <chepkov at yahoo.com>
>> Cc: selinux at lists.fedoraproject.org
>> Date: Monday, April 5, 2010, 8:11 AM
>> On 04/02/2010 12:58 PM, Vadym Chepkov wrote:
>>> --- On Fri, 4/2/10, Daniel J Walsh <dwalsh at redhat.com> wrote:
>>>
>>>> From: Daniel J Walsh <dwalsh at redhat.com>
>>>> Subject: Re: httpd mod_auth_pam winbind
>>>> To: "Vadym Chepkov" <chepkov at yahoo.com>
>>>> Cc: selinux at lists.fedoraproject.org
>>>> Date: Friday, April 2, 2010, 11:33 AM
>>>> On 04/02/2010 12:38 AM, Vadym Chepkov wrote:
>>>>> Hi,
>>>>>
>>>>> I have selinux-policy-targeted-2.4.6-255.el5_4.4
>>>>> allow_httpd_mod_auth_pam -->    on
>>>>> httpd_can_network_connect -->    on
>>>>> httpd with mod_auth_pam via winbind
>>>>>
>>>>> get the following avc when in "permissive" mode
>>>>>
>>>>> type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 a0=10 a1=3 a2=9 a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
>>>>> type=AVC msg=audit(1270181973.950:37): avc:  denied  { create } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>>>>> type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 a0=13 a1=7fff640fa9c0 a2=7c a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
>>>>> type=AVC msg=audit(1270181973.950:38): avc:  denied  { nlmsg_relay } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>>>>> type=AVC msg=audit(1270181973.950:38): avc:  denied  { write } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>>>>> type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 a0=13 a1=7fff640f8690 a2=231c a3=42 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
>>>>> type=AVC msg=audit(1270181973.950:39): avc:  denied  { read } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>>>>>
>>>>> audit2allow suggests simple:
>>>>> allow httpd_t self:netlink_audit_socket { nlmsg_relay write create read };
>>>>>
>>>>> Is something missing in the policy, or did I miss some other boolean?
>>>>>
>>>> No, this could be considered a bug.  Basically pam is trying to send an
>>>> audit message to the audit.log.
>>>>
>>>> You can add this access; it would allow the apache process to attempt
>>>> to send audit messages.  Since the httpd is running as non-root, it
>>>> might not have the capabilities necessary to send them.
>>>>
>>>> Open a bug report on this, since we probably should dontaudit these
>>>> calls if the boolean to allow pam is turned on.
>>>>
>>> dontaudit wouldn't work, apache denies access in enforcing mode.
>>>
>>> Bug 579105 submitted.
>>>
>>> Thank you,
>>>
>>> Sincerely yours,
>>>      Vadym Chepkov
>>>
>>>
>>> --
>>> selinux mailing list
>>> selinux at lists.fedoraproject.org
>>> https://admin.fedoraproject.org/mailman/listinfo/selinux
>>>
>> Vadym, please open a bug on RHEL5 to add this functionality.  I will add
>> it to RHEL6 now.
>>
> Dan,
>
> I did open BZ 579105 on RHEL5. By the way, can RHEL6 be downloaded as a beta, perhaps already? I don't see it on RHN, only RHEL5.5-beta.
>
> Thanks,
> Vadym
>
>
As I understand it the schedule says Beta 1 will be available April 21.
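An added example, not part of the thread, that does in miniature what audit2allow did for the records quoted above: it parses the `type=AVC` lines, aggregates the denied permissions per source type, target type and object class, and renders the matching TE `allow` rule, writing `self` when source and target type coincide (as they do for httpd_t here). The sample is the four AVC records from the thread re-joined onto one line each; the regex and function names are this example's own, and a real policy review would still go through audit2allow and the distribution's bug tracker, as the thread does.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC records quoted in the thread, re-joined onto one line each.
SAMPLE_AVCS = """\
type=AVC msg=audit(1270181973.950:37): avc:  denied  { create } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc:  denied  { nlmsg_relay } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc:  denied  { write } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:39): avc:  denied  { read } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
"""

# Only the fields an allow rule needs; SYSCALL and other record types do not match.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Return (perms, source type, target type, class) for an AVC denial, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return (set(m.group("perms").split()), type_of(m.group("scontext")),
            type_of(m.group("tcontext")), m.group("tclass"))

def summarize_denials(text):
    """Aggregate denied permissions per (source type, target type, object class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec:
            perms, stype, ttype, tclass = rec
            rules[(stype, ttype, tclass)] |= perms
    return dict(rules)

def to_allow_rules(rules):
    """Render each aggregate as a TE allow rule; 'self' when source and target types coincide."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out

if __name__ == "__main__":
    for rule in to_allow_rules(summarize_denials(SAMPLE_AVCS)):
        print(rule)  # allow httpd_t self:netlink_audit_socket { create nlmsg_relay read write };
```

The result matches audit2allow's suggestion in the thread up to permission order; whether such a rule belongs in the distribution policy (versus a dontaudit, which Vadym notes would still deny the access in enforcing mode) is the question the bug report raised.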
