apache2 failing to start
by Ubaidul Khan
Hello,
We are running RHEL 5 x86_64 and I compiled php from Source RPM, so I could
link php with Oracle Instant Client Libraries(oci). OCI is installed under
/opt with the following contexts:
# ls -lZ
drwxr-xr-x root root system_u:object_r:usr_t oracle
[root@saleen_webvm1 instant-client-10.1]# pwd
/opt/oracle/app/instant-client-10.1
[root@saleen_webvm1 instant-client-10.1]# ls -alZ
drwxr-xr-x root root system_u:object_r:usr_t .
drwxr-xr-x root root system_u:object_r:usr_t ..
-rw-r--r-- root root system_u:object_r:usr_t classes12.jar
drwxr-xr-x root root system_u:object_r:usr_t docs
-rw-r--r-- root root system_u:object_r:usr_t glogin.sql
lrwxrwxrwx root root system_u:object_r:usr_t libclntsh.so
-rwxr-xr-x root root system_u:object_r:usr_t libclntsh.so.10.1
-rwxr-xr-x root root system_u:object_r:usr_t libnnz10.so
lrwxrwxrwx root root system_u:object_r:usr_t libocci.so
-rwxr-xr-x root root system_u:object_r:usr_t libocci.so.10.1
-rwxr-xr-x root root system_u:object_r:usr_t libociei.so
-rwxr-xr-x root root system_u:object_r:usr_t libocijdbc10.so
-rwxr-xr-x root root system_u:object_r:usr_t libsqlplus.so
-rw-r--r-- root root system_u:object_r:usr_t ojdbc14.jar
-rw-r--r-- root root system_u:object_r:usr_t README_IC.htm
drwxr-xr-x root root system_u:object_r:usr_t sdk
-rwxr-xr-x root root system_u:object_r:usr_t sqlplus
-rw-r--r-- root root system_u:object_r:usr_t tnsnames.ora
When I try to start apache, I get some errors in audit.log and apache fails to
start.
type=AVC msg=audit(1186086032.546:60): avc: denied { execstack } for
pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1186086032.546:60): arch=c000003e syscall=10
success=no exit=-13 a0=7fff9c992000 a1=1000 a2=1000007 a3=4 items=0
ppid=2851 pid=2852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186088202.755:61): avc: denied { execute } for
pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
type=SYSCALL msg=audit(1186088202.755:61): arch=c000003e syscall=9
success=no exit=-13 a0=0 a1=ec0b08 a2=5 a3=802 items=0 ppid=2880 pid=2881
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0
key=(null)
type=AVC_PATH msg=audit(1186088202.755:61):
path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"
audit2allow is telling me to add the following rules:
# audit2allow < audit.log
allow httpd_t self:process execstack;
allow httpd_t usr_t:file execute;
My questions/concerns are the following:
1. What risks do I incur by making the process stack executable?
2. If I am reading the second rule correctly, it's asking to allow httpd_t
to execute user_t files?
Thanks for your help
FC 6 - selinux issue with adding a new custom module
by Jeff Holt
I just copied mod_slam.so to /etc/httpd/modules, executed chcon -r
mod_alias.so mod_slam.so, and edited /etc/httpd/httpd.conf to load the
new module. As a result, I get the following avc error in my
/var/log/messages.
Aug 2 13:28:00 build02 kernel: audit(1186079280.127:7): avc: denied {
execmod } for pid=18939 comm="httpd" name="mod_slam.so" dev=dm-0
ino=8847362 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
When I pass this text to audit2allow I get very little help.
$ tail -1 /var/log/messages | audit2allow
#============= httpd_t ==============
allow httpd_t httpd_modules_t:file execmod;
#
When I pass it to audit2why I get no more help still.
Aug 2 14:17:07 build02 kernel: audit(1186082227.562:10): avc: denied
{ execmod } for pid=19707 comm="httpd" name="mod_slam.so" dev=dm-0
ino=8847362 scontext=user_u:system_r:httpd_t:s0
tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean
settings; check boolean settings.
You can see the necessary allow rules by running
audit2allow with this audit message as input.
What I find frustrating is that loading the installed modules (i.e.,
installed with the httpd package) does not cause avc errors. In fact, if I
rename, say, mod_alias.so to something else it still loads after I
temporarily edit httpd.conf. And so, I find it hard to believe that the
security policy knows about specific file names. When I copy
mod_alias.so to something else (i.e., to give it a new inode) it still
loads and so I think that proves the security policy also knows nothing
about inodes. These two tests of renaming/copying mod_alias.so
demonstrate to me that rebooting the server or some other
"configuration" action is not necessary.
My actual first question, since I know so little about selinux, is this:
if my module has the same security context as other modules, then why
does an attempt to load it cause that avc error?
Can anyone render assistance?
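A triage helper for the denials in the two posts above, added here as an example (it is not code from either post or from audit2allow): it parses the AVC records, maps each denied permission to the object-side fix rather than the allow rule audit2allow prints, and checks a shared object for the ELF markers that trigger these denials, PT_GNU_STACK with PF_X for execstack and DT_TEXTREL for execmod (the usual trigger for a non-PIC module such as the custom mod_slam.so is assumed). The ELF image is constructed in fake_elf64; on a real host you would read libclntsh.so.10.1 or mod_slam.so from disk.

```python
import re
import struct
# AVC records from the two posts above, each joined back onto one line.
AVC_LINES = [
    'type=AVC msg=audit(1186086032.546:60): avc: denied { execstack } for pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1186088202.755:61): avc: denied { execute } for pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'audit(1186079280.127:7): avc: denied { execmod } for pid=18939 comm="httpd" name="mod_slam.so" dev=dm-0 ino=8847362 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file',
]
AVC_RE = re.compile(r'avc: +denied +\{ ([^}]+)\}.*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)')
# What to fix instead of accepting the allow rule audit2allow prints for each denial.
FIX = {"execstack": "library carries an executable-stack marker: clear it (execstack -c) or rebuild",
       "execmod": "object has text relocations: rebuild it with -fPIC",
       "execute": "file type does not allow httpd to execute it: relabel a shared library to lib_t, not usr_t"}
def parse_avc(line):
    """Denied permissions plus the source/target SELinux types and object class (None if no AVC)."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms, sctx, tctx, tclass = m.groups()
    return {"perms": perms.split(), "stype": sctx.split(":")[2], "ttype": tctx.split(":")[2], "tclass": tclass}
def advise(avc):
    return [FIX.get(p, "review manually") for p in avc["perms"]]
PT_DYNAMIC, PT_GNU_STACK, PF_X = 2, 0x6474E551, 0x1
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 16, 30, 0x4
def elf64_phdrs(elf):
    """Yield (p_type, p_flags, p_offset, p_filesz) from a little-endian ELF64 image."""
    if elf[:5] != b"\x7fELF\x02":
        raise ValueError("not an ELF64 image")
    phoff, (phentsize, phnum) = struct.unpack_from("<Q", elf, 32)[0], struct.unpack_from("<HH", elf, 54)
    for i in range(phnum):
        t, f, off, _va, _pa, fsz = struct.unpack_from("<IIQQQQ", elf, phoff + i * phentsize)
        yield t, f, off, fsz

def exec_stack_requested(elf):
    """execstack trigger: PT_GNU_STACK has PF_X; no marker at all also means executable on x86."""
    flags = [f for t, f, _o, _s in elf64_phdrs(elf) if t == PT_GNU_STACK]
    return bool(flags[0] & PF_X) if flags else True
def has_textrel(elf):
    """execmod trigger: DT_TEXTREL, or DF_TEXTREL in DT_FLAGS, inside the PT_DYNAMIC segment."""
    for t, _f, off, fsz in elf64_phdrs(elf):
        for pos in (range(off, off + fsz, 16) if t == PT_DYNAMIC else ()):
            tag, val = struct.unpack_from("<qQ", elf, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

def fake_elf64(stack_flags, textrel):
    """Constructed ELF64 image: header, PT_GNU_STACK and PT_DYNAMIC headers, then the dynamic table."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_TEXTREL if textrel else 0) + struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF\x02\x01\x01" + b"\0" * 9 + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    ph_stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 176, 0, 0, len(dyn), len(dyn), 8)  # table follows the 2 headers
    return ehdr + ph_stack + ph_dyn + dyn
```

Run it against the real files with `exec_stack_requested(open(path, "rb").read())`; a library that does not need an executable stack is cleared with `execstack -c` and the execstack rule becomes unnecessary.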
Re: SE-PostgreSQL for Fedora (Re: Guideline for RPM packages)
by KaiGai Kohei
> Err, I think you should be using the new userland discovery interface
> for this, hardcoding at compile time is a very bad idea (it makes the
> compiled binaries completely non-portable).
>
> look at libselinux/checkAccess.c in the trunk version to see how it is
> used, essentially something like:
>
> dbase_class = string_to_security_class("database");
> if (dbase_class == 0)
> return 0;
>
> That lets you discover the class offset at runtime. There are also
> facilities for doing the same with permissions.
SE-PostgreSQL can already use the userland discovery interface, if the kernel
provides it. But it is only available in the latest kernel, for now.
We also have to be able to apply a hardcoded object class number for a while,
to work on the current kernel (2.6.22 or older).
Otherwise, we have to replace or modify the base policy to add definitions of
new object classes and access vectors related to database, so we want these
definitions to be integrated into the base policy.
Thanks,
>> As you mentioned, I also think this trick is not a good idea.
>> However, the number of object classes is not constant between policy versions,
>> so I had to handle the difference and to follow the version up.
>> I modified it by hand at first, but conditional definition for SECCLASS_DATABASE
>> got necessary, because the number of object classes differs between Fedora Core 6
>> and Fedora 7.
>>
>> I think integration of these definitions into the base policy is the best way
>> to avoid such an ugly implementation. :)
>>
>> Thanks,
>>
>>
>>> As an aside to this, I notice that you tried to integrate policy
>>> management into the RPM, and I had to modify my spec file to not do this
>>> because I have my own custom policies on the system. I don't think this
>>> is the best way, long term, to handle policy integration, though,
>>> unfortunately, I don't have any better suggestions. This is something I
>>> intend to look into soon though so I'll provide some feedback on the
>>> previous thread when I have something useful to say :)
>>>
>> --
>> KaiGai Kohei <kaigai(a)kaigai.gr.jp>
--
KaiGai Kohei <kaigai(a)kaigai.gr.jp>
Re: SE-PostgreSQL for Fedora (Re: Guideline for RPM packages)
by KaiGai Kohei
Joshua Brindle wrote:
> KaiGai Kohei wrote:
>> By the way, I'm seeking sponsors who can review SE-PostgreSQL package.
>>
>> https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=249522
>>
>> If you can volunteer the reviewing process, please contact me.
>>
>
> So, I tried grabbing the sepostgres srpm and building it (you didn't
> provide an x86_64 rpm) and I get these compilation errors:
>
> gcc -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
> -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wall
> -Wmissing-prototypes -Wpointer-arith -Winline
> -Wdeclaration-after-statement -Wendif-labels -fno-strict-aliasing -g -D
> SECCLASS_DATABASE= -I../../../src/include -D_GNU_SOURCE -c -o
> sepgsqlCore.o sepgsqlCore.c
> sepgsqlCore.c: In function 'sepgsqlGetDatabaseContext':
> sepgsqlCore.c:792: error: expected expression before ')' token
> sepgsqlCore.c: In function 'sepgsqlInitialize':
> sepgsqlCore.c:836: error: expected expression before ',' token
> sepgsqlCore.c:854: error: expected expression before ',' token
> make[3]: *** [sepgsqlCore.o] Error 1
> make[3]: Leaving directory
> `/usr/src/redhat/BUILD/postgresql-8.2.4/src/backend/security'
> make[2]: *** [security-recursive] Error 2
Joshua,
It seems to me that SECCLASS_DATABASE is defined as empty.
It is normally computed in the %build section of the specfile as follows:
SECCLASS_DATABASE=`grep ^define %{_datadir}/selinux/devel/include/support/all_perms.spt \
| cat -n | grep all_database_perms | awk '{print $1}'`
make CUSTOM_COPT=" -D SECCLASS_DATABASE=${SECCLASS_DATABASE}" %{?_smp_mflags}
Thus, selinux-policy-devel-xxx-sepgsql has to be installed to build.
If SECCLASS_DATABASE is not defined, it defaults to 61, the value following SECCLASS_DCCP_SOCKET.
That is correct on Fedora 6, but incorrect on the latest Fedora 7 and Rawhide.
As you mentioned, I also think this trick is not a good idea.
However, the number of object classes is not constant between policy versions,
so I had to handle the difference and to follow the version up.
I modified it by hand at first, but conditional definition for SECCLASS_DATABASE
got necessary, because the number of object classes differs between Fedora Core 6
and Fedora 7.
I think integration of these definitions into the base policy is the best way
to avoid such an ugly implementation. :)
Thanks,
> As an aside to this, I notice that you tried to integrate policy
> management into the RPM, and I had to modify my spec file to not do this
> because I have my own custom policies on the system. I don't think this
> is the best way, long term, to handle policy integration, though,
> unfortunately, I don't have any better suggestions. This is something I
> intend to look into soon though so I'll provide some feedback on the
> previous thread when I have something useful to say :)
--
KaiGai Kohei <kaigai(a)kaigai.gr.jp>
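How the runtime discovery recommended in the quoted reply works, with the compile-time number from the spec file above as the fallback KaiGai describes, added here as an example (not SE-PostgreSQL's or libselinux's own code): libselinux's string_to_security_class() reads class/<name>/index under the selinuxfs mount, and class/<name>/perms/<perm> holds a permission's 1-based bit index. The selinuxfs tree is constructed in a temporary directory; the default mount path /selinux is the Fedora 7-era location (assumed), and 61 is the hardcoded value quoted from the spec.

```python
import os
import tempfile

# Compile-time fallback from the SE-PostgreSQL spec: class 61 was right for Fedora Core 6 only.
SECCLASS_DATABASE_FALLBACK = 61

def string_to_security_class(name, selinuxfs="/selinux"):
    """Runtime lookup as libselinux does it: class/<name>/index on selinuxfs; 0 when the kernel lacks the class."""
    try:
        with open(os.path.join(selinuxfs, "class", name, "index")) as fh:
            return int(fh.read().strip())
    except (OSError, ValueError):
        return 0

def string_to_av_perm(class_name, perm, selinuxfs="/selinux"):
    """Access-vector bit for a permission: perms/<perm> holds its 1-based index; 0 when unknown."""
    try:
        with open(os.path.join(selinuxfs, "class", class_name, "perms", perm)) as fh:
            return 1 << (int(fh.read().strip()) - 1)
    except (OSError, ValueError):
        return 0

def database_class(selinuxfs="/selinux", fallback=SECCLASS_DATABASE_FALLBACK):
    """Prefer the kernel's answer; fall back to the hardcoded number on kernels without discovery."""
    cls = string_to_security_class("database", selinuxfs)
    return cls if cls else fallback

def fake_selinuxfs(root, classes):
    """Constructed selinuxfs layout: {class_name: (index, [perm, ...])} written as small files."""
    for cname, (idx, perms) in classes.items():
        perm_dir = os.path.join(root, "class", cname, "perms")
        os.makedirs(perm_dir)
        with open(os.path.join(root, "class", cname, "index"), "w") as fh:
            fh.write("%d\n" % idx)
        for i, perm in enumerate(perms, 1):
            with open(os.path.join(perm_dir, perm), "w") as fh:
                fh.write("%d\n" % i)

def demo():
    """Exercise discovery and fallback against a constructed tree (class number 66 is made up)."""
    root = tempfile.mkdtemp()
    fake_selinuxfs(root, {"database": (66, ["create", "drop", "getattr"])})
    return {
        "discovered": database_class(root),                        # kernel exports the class
        "fallback": database_class(os.path.join(root, "absent")),  # older kernel: no class dir
        "drop_bit": string_to_av_perm("database", "drop", root),   # second perm -> bit 0x2
        "unknown": string_to_security_class("nosuchclass", root),
    }
```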
Re: Containing vmware player 2.0.0 with SELINUX
by Louis Lam
Hi all,
Today I managed to make vmplayer run in its own domain. What I did was add the following statement to my vmware.te. Thanks to Ken and his suggestion (and all of the help so far); I've got the "SELinux by Example" book that I've been reading as a reference.
domain_auto_trans(unconfined_t, vmware_exec_t, vmware_t)
Evident from the large number of avc denials in setroubleshoot when I launch vmplayer, I was able to see that vmplayer was running in the context of:
root:system_r:vmware_t
Two questions from a security angle on this approach though:
1. If I allow transition from unconfined_t to vmware_t, it means that any unconfined process can transition to vmware_t and be able to access the vmware files. This is probably not what I'd desire. What would be a good recommendation for this? Any best practices?
2. I still want to start vmware as a user program, probably not as a service. In that case, would I still need to do something in the vmware.if so that the domain auto trans can take on a role?
Now that I'm able to run it under the vmware_t domain, and see a lot of avcs, I intend to make vmware run properly again. I'd go with allowing whatever vmware wants to do, then tightening the security. There are a few approaches I can use, and I'd like to seek your opinions on how to go about doing it:
1. audit2allow: This will list all of the avcs and turn them into allow statements. By adding these statements to my vmware.te, this would enable vmware to function again. The problem is that I may end up with too many statements. There would probably be macros to cover these.
2. macros: This is something I'm not familiar with. Is there any documentation that describes some of the more commonly used macros? Or is it better just to see the source?
3. policygentool: From what I understand, this is a script that would generate a module for you. The question is how do I combine it with the vmware source code that I've taken from the reference policy (that I'm using now)? I foresee a lot of conflicts to be resolved, and it may actually not be so clean.
What's your take on these approaches? Are there others that I've missed out?
Thanks in advance,
Louis
----- Original Message ----
From: Ken YANG <spng.yang(a)gmail.com>
To: Louis Lam <lshoujun(a)yahoo.com>
Cc: Daniel J Walsh <dwalsh(a)redhat.com>; fedora-selinux-list(a)redhat.com
Sent: Tuesday, July 31, 2007 6:00:20 AM
Subject: Re: Containing vmware player 2.0.0 with SELINUX
Louis Lam wrote:
> Hi,
>
> Thanks for the reply.
>
> My conclusion is that I'm not sure where to place the domain_auto_trans() statement. If I can't place it in the vmware.if file (since it will not be read during module compilation), where can I put this statement? All I need to do now is to make the vmware executable run in its own domain, e.g. vmware_t. But it seems more difficult than I thought.
if you want the vmware program to run in its own domain, all necessary rules
should be in the te file, e.g.
domain_auto_trans(vmware_t, vmware_host_exec_t, vmware_host_t)
(just an example)
similarly, domain_auto_trans can also be used in the if file, especially
in per_role_template. All these depend on your purpose.
to make vmware run in selinux-policy>3.0, the easiest way is to
follow what tom guided, i.e. modify the net-service.sh to restore the
label after creating the device node.
but if you want to make the policy contain vmware, you must resolve
the "device node label" problem; IMHO, you should use fs_use_trans
to set the label automatically:
http://marc.info/?l=selinux&m=118481693028190&w=2
now, i have no time to do this, so i have not solved the problems
i encountered.
>
> Can you point me to resources to how to develop modules? Can someone help me with this problem?
"Beginning is the most difficult one, but A Good Beginning is half
the battle" :-)
after you finish the beginning, you will find it's not difficult.
The book <<SELinux by example>> is a good guide for developing modules,
but i think the best guide to develop policy is the policy source.
>
> Thanks & Regards,
> Louis
>
> ----- Original Message ----
> From: Ken YANG <spng.yang(a)gmail.com>
> To: Louis Lam <lshoujun(a)yahoo.com>
> Cc: Daniel J Walsh <dwalsh(a)redhat.com>; fedora-selinux-list(a)redhat.com
> Sent: Monday, July 30, 2007 6:53:17 AM
> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>
> Louis Lam wrote:
>> Hi,
>>
>> I think i'm having a policy compilation problem here
>>
>> I've moved the domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t) statement to vmware.if. I was following the domain_auto_trans rules for other apps such as mozilla. The syntax error problem went away.
>>
>> But the problem is that the domain transition didn't take place. My vmplayer is still running in unconfined state.
>>
>> I'm doing compilation of the vmware.pp module using make -f /usr/share/selinux/devel/Makefile. I've tried to purposely introduce errors into vmware.if to see if the compilation is effective:
>>
>> e.g. domain_auto_trans($2, $2, $1_t, vmware_exec_t, $1_vmware_t)
>>
>> But the make process didn't detect any errors and the compilation still went on. I did a diff between the vmware.pp at the /etc/selinux/targeted/modules/active/modules/vmware.pp and the development directory (where I do all my compilation), but there are no differences.
>>
>> Does it mean if the vmware.if file is modified it will not affect the make?
>
> as i infer (i'm not sure):
>
> the interface will not be checked unless someone invokes it, because if
> there are no invocations, the parameters cannot be determined.
>
> when you build the vmware module, you will not use your own interface in
> your own module, so the build process will not detect the error.
>
>
>
>> How do you ensure that the changes at vmware.if effective? (well at least cause some compilation errors?)
>>
>>
>>
>> Thanks,
>> Louis
>>
>>
>>
>>
>>
>> ----- Original Message ----
>> From: Ken YANG <spng.yang(a)gmail.com>
>> To: Louis Lam <lshoujun(a)yahoo.com>
>> Cc: Daniel J Walsh <dwalsh(a)redhat.com>; fedora-selinux-list(a)redhat.com
>> Sent: Saturday, July 28, 2007 5:28:25 PM
>> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>>
>>
>> Louis Lam wrote:
>>> My mistakes, apologies for the confusion, under part 2, I was trying to do domain_auto_trans instead of domain_entry_file, so...
>>>
>>> 2. Created a domain transition so that the vmware user programs e.g.
>>> /usr/lib/vmplayer script, /usr/lib/vmware/bin/vmplayer that are
>>> labelled system_u:object_r:vmware_exec_t will transit to
>>> system_u:object_r:vmware_t when executed. I put it also in vmware.te:
>>>
>>> domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)
>>>
>>> but
>>> on making the vmware.pp module I get this warning and error:
>>>
>>> 'syntax error' at token '1' on line 81143:
>>> #line 13
>>> allow $1_t vmware_exec_t: file {getattr read execute};
>> this rule is generated by domain_auto_trans, so i think the
>> syntax error should be caused by other rules.
>>
>> you may check other rules in your policy.
>>
>>> Thanks in advance,
>>> Louis
>>>
>>>
>>> ----- Original Message ----
>>> From: Louis Lam <lshoujun(a)yahoo.com>
>>> To: Daniel J Walsh <dwalsh(a)redhat.com>
>>> Cc: fedora-selinux-list(a)redhat.com
>>> Sent: Friday, July 27, 2007 5:05:05 AM
>>> Subject: Re: Containing vmware player 2.0.0 with SELINUX
>>>
>>> Thanks Daniel for the information, hi everyone
>>>
>>> I've tried to make the following changes:
>>>
>>> 1. Defined the vmware_t type in vmware.te:
>>> type vmware_t;
>>>
>>> I need to do this since I'm trying to let the vmware user program run under vmware_t domain but this is not defined. In terms of overall code compliance is it correct to define here? or should be at the vmware.if?
>> type definition should be in vmware.te
>>
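The macro expansion behind the "syntax error at token '1'" and Ken's point that an interface is only checked when something invokes it, added here as an example (not code from the thread or from the reference policy): a simplified model of what refpolicy's domain_auto_trans() expands to, an interface instantiator that substitutes $1 only when an argument is supplied, and a query for which source domains a resulting type_transition admits (Louis's first question). The rule set is the core of the real macro, not all of it, and the role prefix "staff" is a constructed value.

```python
import re

def domain_auto_trans(src, entry, dst):
    """Core of what refpolicy's domain_auto_trans() macro expands to (simplified)."""
    return [
        "allow %s %s:file { getattr read execute };" % (src, entry),
        "allow %s %s:process transition;" % (src, dst),
        "allow %s %s:file entrypoint;" % (dst, entry),
        "type_transition %s %s:process %s;" % (src, entry, dst),
    ]

def expand_interface(body, args):
    """Substitute $1..$n as an interface call does; a $n with no argument stays literal."""
    def sub(m):
        n = int(m.group(1))
        return args[n - 1] if n <= len(args) else m.group(0)
    return re.sub(r"\$(\d+)", sub, body)

MACRO_RE = re.compile(r"domain_auto_trans\(([\w$]+),\s*([\w$]+),\s*([\w$]+)\)")

def expand_policy(text):
    """Expand domain_auto_trans() calls line by line; other lines pass through."""
    out = []
    for line in text.splitlines():
        m = MACRO_RE.match(line.strip())
        out.extend(domain_auto_trans(*m.groups()) if m else [line])
    return out

def unsubstituted(rules):
    """Rules still containing a $n: the policy compiler rejects these ('syntax error at token 1')."""
    return [r for r in rules if "$" in r]

def who_can_transition(rules, dst):
    """Source domains that a type_transition sends into dst."""
    tt = re.compile(r"type_transition (\w+) (\w+):process %s;" % re.escape(dst))
    return sorted({m.group(1) for m in map(tt.match, rules) if m})

# Louis's line as placed directly in vmware.te: nothing ever substitutes $1 there.
TE_LINE = "domain_auto_trans($1_t, vmware_exec_t, $1_vmware_t)"
# The same line inside a per-role interface, instantiated for the constructed role prefix "staff".
IF_LINE = expand_interface(TE_LINE, ["staff"])
# The rule Louis ended up with, which admits every unconfined_t process.
UNCONFINED_LINE = "domain_auto_trans(unconfined_t, vmware_exec_t, vmware_t)"
```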