Re: Problems with httpd and SElinux.

> From: fedora-selinux-list-bounces(a)redhat.com > [mailto:fedora-selinux-list-bounces@redhat.com]On Behalf Of Daniel B. > Thurman > Sent: Tuesday, November 08, 2005 3:43 PM > To: Robert Cahn; Daniel J Walsh > Cc: fedora-list(a)redhat.com; fedora-selinux-list(a)redhat.com > Subject: RE: Problems with httpd and SElinux. > > > >> From: Daniel J Walsh [mailto:dwalsh@redhat.com] >> Sent: Monday, November 07, 2005 9:30 AM >> To: Daniel B. Thurman >> Cc: fedora-selinux-list(a)redhat.com >> Subject: Re: Problems with httpd and SElinux. >> >> >> Daniel B. Thurman wrote: >> >>> Folks, >>> >>> I was asked to post this information here. To explain things, >>> I have installed FrontPage extensions on FC4 but not realizing >>> that I had to first disable SElinux for httpd first, but to make >>> a long story short, I was able to install FP and then restore >>> SElinux protections for httpd, but on reboot, SElinux refused >>> to allow httpd to start and I suspect it had something to do >>> with the FrontPage additions to the /etc/httpd/conf/httpd.conf >>> file. I currently have SElinux protections turned off for >>> https. Below is the audit file, hope it helps show the problem. >>> >>> type=AVC msg=audit(1131056930.757:251): avc: denied { >>> >> name_bind } for pid=4946 comm="httpd" src=8090 >> scontext=root:system_r:httpd_t >> tcontext=system_u:object_r:port_t tclass=tcp_socket >> >>> type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 >>> >> syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218 >> a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 >> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" >> > exe="/usr/sbin/httpd" > >>> type=SOCKADDR msg=audit(1131056930.757:251): >>> >> saddr=0A001F9A000000000000000000000000000000000000000000000000 >> >>> type=SOCKETCALL msg=audit(1131056930.757:251): nargs=3 a0=5 >>> >> a1=8b8da84 a2=1c >> >>> Kind regards, >>> Dan >>> >>> >>> >> We do not currently allow apache to listen on port 8090, >> but this looks legitimate, so I will add to policy. >> You can install policy (selinux-policy-targeted-sources >> for now and add a line to: >> /etc/selinux/targeted/src/policy/domains/misc/local.te >> portcon tcp 8090 system_u:object_r:http_port_t >> >> Then execute make -c /etc/selinux/targeted/src/policy load >> >> and you should be able to use that port. >> >> > The information you gave me above does not work. I got all > sorts of compile errors. BTW, the make should be "make -C". > > >From Paul Howarth, I tried: > ============================================= > If you want httpd to be able to listen on port 8090, and you have the > policy sources installed, you can do this by adding the following line > to /etc/selinux/targeted/src/policy/net_contexts: > > portcon tcp 8090 system_u:object_r:http_port_t > > Then you need to compile and reload the security contexts: > # make -C /etc/selinux/targeted/src/policy reload > ============================================= > > This all compiles fine now. > > Testing to see if httpd can now restart with the new policies: > 1) setsebool -P httpd_disable_trans 0 > 2) Restart httpd for this to take effect: service httpd restart > > Httpd can restart with no failure messages. The httpd server > now runs fine. > > HOWEVER - Testing FrontPage client against my FC4 box FAILS to > connect and the reason revealed in /var/log/httpd/error_log: > > [Tue Nov 08 15:25:40 2005] [error] (13)Permission denied: > Could not create key file > "/usr/local/frontpage/version5.0/apache-fp/suidkey.17096" in > FrontPageInit(). Until this problem is fixed, the FrontPage > security patch is disabled and the FrontPage extensions may > not work correctly. > > I suspect that there is a SElinux policy that is preventing the FP > client program from creating and deleting the suidkey file it needs > in order to startup and begin listening for FP Client requests. Please > note that the process number is created and destroyed for the > suidkey file > and this is happening from within the httpd service file and > has nothing > to do with the FP client connection attempts. SELinux policy > is preventing > the service file from creating and destroying this file. > > So - in order to get back the successful FP client connections > as before, > performing these steps: > > 1) setsebool -P httpd_disable_trans 1 > 2) Restart httpd for this to take effect: service httpd restart > > The httpd/error_log error message does not appear and I can now > connect with to the FC4 with the FP client. > > Dan Thurman. > > -- > Huh? Who resent this? This one was sent 11/7/2005... I replied back to Daniel J Walsh with an attachment with the output of /var/log/audit/audit_log file that showed why *many* denials that were occuring with SElinux preventing the FrontPage process from working within httpd. In case Daniel did not get it, I am attaching the file again. ============================================== Daniel J. Walsh: ================ >> What did you see for AVC messages in /var/log/messages or >> /var/log/audit/audit.log? >> >> > Please see the attached file. It is the /var/log/audit/audit.log > file and is 13k compressed. I tried best as I could to trucate to > relevant logs pertaining to httpd/fp issues. Please let me know if > you need anything else. > ============================================== Kind regards, Dan