httpd mod_auth_pam winbind

Paul Howarth paul at city-fan.org
Mon Apr 5 19:42:56 UTC 2010


On Mon, 5 Apr 2010 06:32:23 -0700 (PDT)
Vadym Chepkov <chepkov at yahoo.com> wrote:

> --- On Mon, 4/5/10, Daniel J Walsh <dwalsh at redhat.com> wrote:
> 
> > From: Daniel J Walsh <dwalsh at redhat.com>
> > Subject: Re: httpd mod_auth_pam winbind
> > To: "Vadym Chepkov" <chepkov at yahoo.com>
> > Cc: selinux at lists.fedoraproject.org
> > Date: Monday, April 5, 2010, 8:11 AM
> > On 04/02/2010 12:58 PM, Vadym Chepkov
> > wrote:
> > > --- On Fri, 4/2/10, Daniel J Walsh <dwalsh at redhat.com> wrote:
> > >
> > >> From: Daniel J Walsh <dwalsh at redhat.com>
> > >> Subject: Re: httpd mod_auth_pam winbind
> > >> To: "Vadym Chepkov" <chepkov at yahoo.com>
> > >> Cc: selinux at lists.fedoraproject.org
> > >> Date: Friday, April 2, 2010, 11:33 AM
> > >> On 04/02/2010 12:38 AM, Vadym Chepkov wrote:
> > >>
> > >>> Hi,
> > >>>
> > >>> I have selinux-policy-targeted-2.4.6-255.el5_4.4
> > >>>
> > >>> allow_httpd_mod_auth_pam --> on
> > >>> httpd_can_network_connect --> on
> > >>>
> > >>> httpd with mod_auth_pam via winbind
> > >>>
> > >>> get the following avc when in "permissive" mode
> > >>>
> > >>> type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 a0=10 a1=3 a2=9 a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> > >>> type=AVC msg=audit(1270181973.950:37): avc:  denied  { create } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> > >>> type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 a0=13 a1=7fff640fa9c0 a2=7c a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> > >>> type=AVC msg=audit(1270181973.950:38): avc:  denied  { nlmsg_relay } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> > >>> type=AVC msg=audit(1270181973.950:38): avc:  denied  { write } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> > >>> type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 a0=13 a1=7fff640f8690 a2=231c a3=42 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> > >>> type=AVC msg=audit(1270181973.950:39): avc:  denied  { read } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> > >>>
> > >>> audit2allow suggests simple:
> > >>> allow httpd_t self:netlink_audit_socket { nlmsg_relay write create read };
> > >>>
> > >>> Is something missing in the policy or I missed some other boolean?
> > >>>
> > >> No, this could be considered a bug.  Basically pam is trying to send an
> > >> audit message to the audit.log.
> > >>
> > >> You can add this access,  it would allow the Apache process to attempt
> > >> to send audit messages.  Since the httpd is running as non root, it
> > >> might not have the capabilities necessary to send them
> > >>
> > >> Open a bug report on this, since we probably should dontaudit these
> > >> calls if the boolean to allow pam is turned on.
> > >>
> > > dontaudit wouldn't work, apache denies access in enforcing mode.
> > >
> > > Bug 579105 Submitted
> > >
> > > Thank you,
> > >
> > > Sincerely yours,
> > >    Vadym Chepkov
> > >
> > > --
> > > selinux mailing list
> > > selinux at lists.fedoraproject.org
> > > https://admin.fedoraproject.org/mailman/listinfo/selinux
> > >
> > Vadym, Please open a bug on RHEL5 to add this functionality.  I will add
> > it to RHEL6, now
> 
> Dan,
> 
> I did open BZ 579105 on RHEL5. By the way, can RHEL6 be downloaded
> as a beta, perhaps already? I don't see it on RHN, only RHEL5.5-beta

RHEL 5.5 went "gold" last week. I have two servers already running it.

Paul.
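The AVC records quoted in the thread, as an added example that is not part of the original thread and not audit2allow's own code: a small Python parser that pulls the denied permissions out of raw audit text, groups them by source type, target type and object class the way audit2allow does, and renders the resulting allow rule. The four AVC records are embedded as a constructed sample (re-joined onto single lines; the mail client had wrapped them); SYSCALL records are skipped, and permissions are emitted in sorted order rather than audit2allow's order. The `self` target is used when source and target types match, which is why the rule reads `httpd_t self:netlink_audit_socket`.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC records from the thread, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1270181973.950:37): avc:  denied  { create } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc:  denied  { nlmsg_relay } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc:  denied  { write } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:39): avc:  denied  { read } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
"""

# One AVC record: timestamp:serial, denied/granted, the permission set, then key=value fields.
AVC_RE = re.compile(
    r"type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; values may be double-quoted (comm="httpd") or bare (tclass=...).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _context_type(ctx):
    """Return the type field of a user:role:type[:level] SELinux context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Parse AVC records out of raw audit text; SYSCALL and other record types are ignored."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
        records.append({
            "serial": int(m.group("serial")),
            "result": m.group("result"),
            "perms": set(m.group("perms").split()),
            "comm": fields.get("comm"),
            "stype": _context_type(fields["scontext"]),
            "ttype": _context_type(fields["tcontext"]),
            "tclass": fields["tclass"],
        })
    return records


def derive_rules(records):
    """Union the denied permissions per (source type, target type, class), as audit2allow does."""
    rules = defaultdict(set)
    for r in records:
        if r["result"] == "denied":
            rules[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    return dict(rules)


def format_rules(rules):
    """Render grouped denials as policy 'allow' statements, using 'self' when source == target."""
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        target = "self" if stype == ttype else ttype
        out.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return out


if __name__ == "__main__":
    for rule in format_rules(derive_rules(parse_avc(SAMPLE_AUDIT))):
        print(rule)
```

Grouping by (source, target, class) is what makes all four denials, spread over three audit serials, collapse into the single rule Vadym quoted. It also makes the scope of the rule visible before anyone loads it: it grants httpd_t the netlink audit socket permissions, and, as Dan notes, the uid 48 httpd process may still lack the capability to actually deliver audit messages, so the rule only removes the denial, it does not guarantee the PAM audit record gets written.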

