Daniel B. Thurman wrote:
> From: fedora-selinux-list-bounces(a)redhat.com
> [mailto:fedora-selinux-list-bounces@redhat.com]On Behalf Of Daniel B.
> Thurman
> Sent: Tuesday, November 08, 2005 3:43 PM
> To: Robert Cahn; Daniel J Walsh
> Cc: fedora-list(a)redhat.com; fedora-selinux-list(a)redhat.com
> Subject: RE: Problems with httpd and SElinux.
>
>
>
>> From: Daniel J Walsh [mailto:dwalsh@redhat.com]
>> Sent: Monday, November 07, 2005 9:30 AM
>> To: Daniel B. Thurman
>> Cc: fedora-selinux-list(a)redhat.com
>> Subject: Re: Problems with httpd and SElinux.
>>
>>
>> Daniel B. Thurman wrote:
>>
>>> Folks,
>>>
>>> I was asked to post this information here. To explain things,
>>> I have installed FrontPage extensions on FC4 but not realizing
>>> that I had to first disable SElinux for httpd first, but to make
>>> a long story short, I was able to install FP and then restore
>>> SElinux protections for httpd, but on reboot, SElinux refused
>>> to allow httpd to start and I suspect it had something to do
>>> with the FrontPage additions to the /etc/httpd/conf/httpd.conf
>>> file. I currently have SElinux protections turned off for
>>> https. Below is the audit file, hope it helps show the problem.
>>>
>>> type=AVC msg=audit(1131056930.757:251): avc: denied { name_bind } for pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
>>> type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218 a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
>>> type=SOCKADDR msg=audit(1131056930.757:251): saddr=0A001F9A000000000000000000000000000000000000000000000000
>>> type=SOCKETCALL msg=audit(1131056930.757:251): nargs=3 a0=5 a1=8b8da84 a2=1c
>>>
>>
>>> Kind regards,
>>> Dan
>>>
>>>
>>>
>> We do not currently allow apache to listen on port 8090,
>> but this looks legitimate, so I will add to policy.
>> You can install policy (selinux-policy-targeted-sources)
>> for now and add a line to:
>> /etc/selinux/targeted/src/policy/domains/misc/local.te
>> portcon tcp 8090 system_u:object_r:http_port_t
>>
>> Then execute make -c /etc/selinux/targeted/src/policy load
>>
>> and you should be able to use that port.
>>
>>
> The information you gave me above does not work. I got all
> sorts of compile errors. BTW, the make should be "make -C".
>
> From Paul Howarth, I tried:
> =============================================
> If you want httpd to be able to listen on port 8090, and you have the
> policy sources installed, you can do this by adding the following line
> to /etc/selinux/targeted/src/policy/net_contexts:
>
> portcon tcp 8090 system_u:object_r:http_port_t
>
> Then you need to compile and reload the security contexts:
> # make -C /etc/selinux/targeted/src/policy reload
> =============================================
>
> This all compiles fine now.
>
> Testing to see if httpd can now restart with the new policies:
> 1) setsebool -P httpd_disable_trans 0
> 2) Restart httpd for this to take effect: service httpd restart
>
> Httpd can restart with no failure messages. The httpd server
> now runs fine.
>
> HOWEVER - Testing FrontPage client against my FC4 box FAILS to
> connect and the reason revealed in /var/log/httpd/error_log:
>
> [Tue Nov 08 15:25:40 2005] [error] (13)Permission denied:
> Could not create key file
> "/usr/local/frontpage/version5.0/apache-fp/suidkey.17096" in
> FrontPageInit(). Until this problem is fixed, the FrontPage
> security patch is disabled and the FrontPage extensions may
> not work correctly.
>
> I suspect that there is a SElinux policy that is preventing the FP
> client program from creating and deleting the suidkey file it needs
> in order to startup and begin listening for FP Client requests. Please
> note that the process number is created and destroyed for the suidkey
> file and this is happening from within the httpd service file and has
> nothing to do with the FP client connection attempts. SELinux policy
> is preventing the service file from creating and destroying this file.
>
> So - in order to get back the successful FP client connections
> as before, I performed these steps:
>
> 1) setsebool -P httpd_disable_trans 1
> 2) Restart httpd for this to take effect: service httpd restart
>
> The httpd/error_log error message does not appear and I can now
> connect to the FC4 with the FP client.
>
> Dan Thurman.
>
> --
>
Huh? Who resent this? This one was sent 11/7/2005...
I replied back to Daniel J Walsh with an attachment with
the output of /var/log/audit/audit_log file that showed
the *many* denials that were occurring, with SElinux preventing
the FrontPage process from working within httpd.
In case Daniel did not get it, I am attaching the file again.
==============================================
Daniel J. Walsh:
================
>> What did you see for AVC messages in /var/log/messages or
>> /var/log/audit/audit.log?
>>
>>
> Please see the attached file. It is the /var/log/audit/audit.log
> file and is 13k compressed. I tried best as I could to truncate to
> relevant logs pertaining to httpd/fp issues. Please let me know if
> you need anything else.
>
==============================================
Kind regards,
Dan
Looks like apache is trying to write to apache-fp directory under /usr
somewhere. This dir needs to be labeled httpd_sys_script_rw_t to work
correctly. Also looks like apache tried to do a ps -e or such to get
all the processes on the system.
--
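The name_bind denial quoted at the top of the thread is the input for this added triage script (not code from the thread, from Fedora or from the SELinux project): it groups audit records by event id, pulls the denied permission and the source/target contexts out of the AVC record, and decodes the hex saddr field of the SOCKADDR record to confirm which port httpd actually tried to bind, which is the check worth doing before relabeling a port as http_port_t as the thread does. The sample log is the thread's two records re-joined onto single lines; the little-endian family decoding assumes the i386 host indicated by arch=40000003.

```python
import re
import struct

# Constructed sample: the AVC and SOCKADDR records quoted in the thread,
# re-joined onto one line each (the list archive wrapped them).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1131056930.757:251): avc: denied { name_bind } for pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SOCKADDR msg=audit(1131056930.757:251): saddr=0A001F9A000000000000000000000000000000000000000000000000
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_RE = re.compile(r'msg=audit\(([^)]+)\)')


def parse_avc(line):
    """Return the denied permissions and key=value fields of an AVC record, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('fields'))}
    fields['perms'] = m.group('perms').split()
    return fields


def decode_saddr(hex_saddr):
    """Decode a SOCKADDR saddr= blob to (family, port); port is None for non-IP families.
    sa_family is host byte order (little-endian on this i386 host); the port is network order."""
    raw = bytes.fromhex(hex_saddr)
    family = struct.unpack('<H', raw[:2])[0]
    if family in (2, 10):  # AF_INET, AF_INET6
        return family, struct.unpack('!H', raw[2:4])[0]
    return family, None


def triage(log_text):
    """Group records by audit event id and attach the AVC fields plus the decoded
    bind port, so the port can be cross-checked against the AVC src= field."""
    events = {}
    for line in log_text.splitlines():
        ev = EVENT_RE.search(line)
        if not ev:
            continue
        rec = events.setdefault(ev.group(1), {})
        avc = parse_avc(line)
        if avc:
            rec['avc'] = avc
        sa = re.search(r'saddr=([0-9A-Fa-f]+)', line)
        if sa:
            rec['family'], rec['port'] = decode_saddr(sa.group(1))
    return events
```

For the thread's event the result is scontext httpd_t, tclass tcp_socket, tcontext port_t and a decoded IPv6 bind on port 8090, matching src=8090 and explaining why the fix was a port label, not a file label.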