I'm trying to set an out-of-the-box httpd to use mod_auth_shadow to authenticate users. Selinux won't let me.
mod_auth_shadow runs /usr/sbin/validate (which is chrooted) to actually check against /etc/shadow:
[root@localhost selinux]# ls -lrtZ /usr/sbin/validate
-rwsr-xr-x root root system_u:object_r:chkpwd_exec_t:s0 /usr/sbin/validate
Validate appears to be labeled correctly, so, apparently the problem is that httpd can't make the domain transition.
I really don't know how to allow it to. I'd like to.
Help!
Thanks,
Kevin
selinux-policy-devel-3.3.1-118.fc9.noarch selinux-policy-3.3.1-118.fc9.noarch selinux-policy-targeted-3.3.1-118.fc9.noarch httpd-2.2.9-1.fc9.i386 mod_auth_shadow-2.2-4.fc9.i386
On Wednesday 04-02-2009 at 13:07 [timezone -0500], Kevin White wrote:
> Validate appears to be labeled correctly, so, apparently the problem is that httpd can't make the domain transition.
> I really don't know how to allow it to. I'd like to.
In Fedora 10 httpd_t isn't allowed to transition to that domain:
# sesearch --allow -s httpd_t -t chkpwd_exec_t
allow httpd_t @ttr0099 : filesystem getattr ;
allow httpd_t @ttr1747 : file { ioctl read getattr lock execute execute_no_trans } ;
allow httpd_t chkpwd_exec_t : file { read getattr execute } ;
You might be able to do a transition using:
mkdir ~/myhttpd; cd ~/myhttpd
echo "policy_module(myhttpd, 0.0.1)" > myhttpd.te
echo "require { type httpd_t, chkpwd_exec_t, system_chkpwd_t; }" >> myhttpd.te
echo "domain_auto_trans(httpd_t, chkpwd_exec_t, system_chkpwd_t)" >> myhttpd.te
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i myhttpd.pp
However I do not think this is recommended.
If you really need a transition then I would suggest that you do it to a designated domain. For example httpd_chkpwd_t, and give that domain only the access it needs.
This looks like it should somehow be able to transition though:
sh-3.2# sesearch --allow -s httpd_t | grep chkpwd
allow httpd_t system_chkpwd_t : process transition ;
Maybe people with more knowledge on this matter can shed some light on this.
-- fedora-selinux-list mailing list fedora-selinux-list@redhat.com https://www.redhat.com/mailman/listinfo/fedora-selinux-list
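The designated-domain suggestion above, written out as an added example (not code from the thread or from Fedora's policy): a small module that creates httpd_chkpwd_t, lets httpd_t transition into it when it executes a chkpwd_exec_t file, and grants that domain only shadow read access. It assumes the refpolicy interfaces domain_type, domain_entry_file, domtrans_pattern and auth_read_shadow are provided by the selinux-policy-devel headers, which is the case for refpolicy-based Fedora policy; the module name and directory are the caller's choice.

```shell
#!/bin/sh
# Added example, not the thread's or Fedora's own code: a policy module that
# gives httpd a password-check domain of its own (httpd_chkpwd_t) instead of
# letting it run /usr/sbin/validate as system_chkpwd_t.
# Assumption: domain_type, domain_entry_file, domtrans_pattern and
# auth_read_shadow are available from /usr/share/selinux/devel (refpolicy).

# httpd_chkpwd_te: print the module source (.te) on stdout.
httpd_chkpwd_te() {
    cat <<'EOF'
policy_module(httpd_chkpwd, 0.0.1)

require {
	type httpd_t;
	type chkpwd_exec_t;
	role system_r;
}

# A domain of its own for /usr/sbin/validate when httpd runs it.
type httpd_chkpwd_t;
domain_type(httpd_chkpwd_t)
domain_entry_file(httpd_chkpwd_t, chkpwd_exec_t)
role system_r types httpd_chkpwd_t;

# httpd_t -> httpd_chkpwd_t on exec of a chkpwd_exec_t file. The pattern also
# grants the fd use, pipe read/write and SIGCHLD the parent and child need.
domtrans_pattern(httpd_t, chkpwd_exec_t, httpd_chkpwd_t)

# The one privileged thing validate has to do: read /etc/shadow.
auth_read_shadow(httpd_chkpwd_t)
EOF
}

# write_module DIR: create DIR, write httpd_chkpwd.te into it, print its path.
write_module() {
    mkdir -p "$1" \
        && httpd_chkpwd_te > "$1/httpd_chkpwd.te" \
        && printf '%s\n' "$1/httpd_chkpwd.te"
}

# build_and_load DIR: the same build steps as used elsewhere in this thread.
# Not invoked here; run it on the target host after reviewing the .te.
build_and_load() {
    cd "$1" \
        && make -f /usr/share/selinux/devel/Makefile \
        && sudo semodule -i httpd_chkpwd.pp
}

# Stand-alone usage: write the module source into ~/httpd_chkpwd.
write_module "${HOME:-.}/httpd_chkpwd"
```

Because the new domain starts with almost nothing, anything else validate does (for instance the chroot the first message mentions) shows up as an AVC denial for httpd_chkpwd_t in the audit log, where each extra rule can be judged on its own rather than inherited wholesale from system_chkpwd_t.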
On Wednesday 04-02-2009 at 13:07 [timezone -0500], Kevin White wrote:
> I'm trying to set an out-of-the-box httpd to use mod_auth_shadow to authenticate users. Selinux won't let me.
Is this boolean not available?:
tunable_policy(`allow_httpd_mod_auth_pam',`
	auth_domtrans_chkpwd(httpd_t)
')
sh-3.2# getsebool -a | grep auth_pam
allow_httpd_mod_auth_pam --> off
OK, after my work before, mod_auth_shadow is working, but I'm getting a bunch of this in /var/log/messages:
Feb 4 22:47:32 localhost setroubleshoot: SELinux is preventing validate (system_chkpwd_t) "read write" to anon_inode (anon_inodefs_t). For complete SELinux messages. run sealert -l 6f1012d0-d21a-4da2-bc85-e2dc1929aa84
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1233805644.757:1148): avc: denied { read write } for pid=15883 comm="validate" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=33 scontext=unconfined_u:system_r:system_chkpwd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1233805644.757:1148): arch=40000003 syscall=11 success=yes exit=0 a0=bf8b25bf a1=bf8b154c a2=bf8b2dec a3=1 items=0 ppid=15847 pid=15883 auid=513 uid=48 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=(none) ses=11 comm="validate" exe="/usr/sbin/validate" subj=unconfined_u:system_r:system_chkpwd_t:s0 key=(null)
Ummmm....something isn't being allowed, but the check password is still working.
I'm sorry...I don't even know what anon_inode is.
Help?
I'm just trying to use software that's included with Fedora 9...
Kevin
On Wednesday 04-02-2009 at 22:45 [timezone -0500], Kevin White wrote:
> Ummmm....something isn't being allowed, but the check password is still working.
If it is still working, then consider silencing these denials:
mkdir ~/mychkpwd; cd ~/mychkpwd
echo "policy_module(mychkpwd, 0.0.1)" > mychkpwd.te
echo "require { type anon_inodefs_t, system_chkpwd_t; }" >> mychkpwd.te
echo "dontaudit system_chkpwd_t anon_inodefs_t:file { read write };" >> mychkpwd.te
make -f /usr/share/selinux/devel/Makefile
sudo semodule -i mychkpwd.pp
> I'm just trying to use software that's included with Fedora 9...
> Kevin
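The dontaudit module above is built by hand from one AVC record. As an added example (not code from the thread), the script below does that step generically: it reads raw AVC lines such as the one Kevin pasted from stdin, pulls the source type, target type, object class and denied permissions out of each, and prints a complete .te with a require block and one dontaudit (or allow) rule per distinct denial, which is what audit2allow -D would produce. The module name, the rule kind and the sample line are the caller's; the sample record is the thread's own denial, embedded here as constructed input.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal audit2allow-style converter.
# Reads raw AVC records on stdin and prints a policy module source (.te)
# that dontaudits, or allows, exactly the permissions that were denied.

# Constructed sample input: the single denial reported earlier in the thread.
SAMPLE_AVC='node=localhost.localdomain type=AVC msg=audit(1233805644.757:1148): avc: denied { read write } for pid=15883 comm="validate" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=33 scontext=unconfined_u:system_r:system_chkpwd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file'

# avc_to_module NAME KIND   (KIND is "dontaudit" or "allow"; AVC lines on stdin)
# Prints the module on stdout; returns 1 if no denial was found in the input.
avc_to_module() {
    awk -v name="$1" -v kind="$2" '
    /avc: *denied/ {
        # permissions sit between "denied { " (9 chars) and " }" (2 chars)
        if (!match($0, /denied [{] [^}]* [}]/)) next
        perms = substr($0, RSTART + 9, RLENGTH - 11)
        # the type is the third colon-separated field of each context
        if (!match($0, /scontext=[^ ]*/)) next
        split(substr($0, RSTART + 9, RLENGTH - 9), s, ":")
        if (!match($0, /tcontext=[^ ]*/)) next
        split(substr($0, RSTART + 9, RLENGTH - 9), t, ":")
        if (!match($0, /tclass=[^ ]*/)) next
        cls = substr($0, RSTART + 7, RLENGTH - 7)
        # every type once for the require block; rules kept in input order
        if (!(s[3] in seen)) { seen[s[3]] = 1; types[ntypes++] = s[3] }
        if (!(t[3] in seen)) { seen[t[3]] = 1; types[ntypes++] = t[3] }
        rule = kind " " s[3] " " t[3] ":" cls " { " perms " };"
        if (!(rule in dup)) { dup[rule] = 1; rules[nrules++] = rule }
    }
    END {
        if (nrules == 0) exit 1
        printf "policy_module(%s, 0.0.1)\n\nrequire {\n", name
        for (i = 0; i < ntypes; i++) printf "\ttype %s;\n", types[i]
        printf "}\n\n"
        for (i = 0; i < nrules; i++) print rules[i]
    }'
}

# Stand-alone usage: print the module that silences the denial above.
# To load it, save the output as mychkpwd.te and build it as in the thread:
#   make -f /usr/share/selinux/devel/Makefile && sudo semodule -i mychkpwd.pp
printf '%s\n' "$SAMPLE_AVC" | avc_to_module mychkpwd dontaudit
```

Feeding it a whole `ausearch -m avc` dump with the kind set to dontaudit gives one module for all the harmless noise; the same run with allow should be read rule by rule first, since an allow for a denial that did not break anything widens the domain for no reason.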
Kevin White wrote:
> OK, after my work before, mod_auth_shadow is working, but I'm getting a bunch of this in /var/log/messages:
> Feb 4 22:47:32 localhost setroubleshoot: SELinux is preventing validate (system_chkpwd_t) "read write" to anon_inode (anon_inodefs_t). For complete SELinux messages. run sealert -l 6f1012d0-d21a-4da2-bc85-e2dc1929aa84
> Raw Audit Messages
> node=localhost.localdomain type=AVC msg=audit(1233805644.757:1148): avc: denied { read write } for pid=15883 comm="validate" path="anon_inode:[eventpoll]" dev=anon_inodefs ino=33 scontext=unconfined_u:system_r:system_chkpwd_t:s0 tcontext=system_u:object_r:anon_inodefs_t:s0 tclass=file
> node=localhost.localdomain type=SYSCALL msg=audit(1233805644.757:1148): arch=40000003 syscall=11 success=yes exit=0 a0=bf8b25bf a1=bf8b154c a2=bf8b2dec a3=1 items=0 ppid=15847 pid=15883 auid=513 uid=48 gid=502 euid=0 suid=0 fsuid=0 egid=502 sgid=502 fsgid=502 tty=(none) ses=11 comm="validate" exe="/usr/sbin/validate" subj=unconfined_u:system_r:system_chkpwd_t:s0 key=(null)
> Ummmm....something isn't being allowed, but the check password is still working.
> I'm sorry...I don't even know what anon_inode is.
> Help?
> I'm just trying to use software that's included with Fedora 9...
> Kevin
I will add rules to allow this in the policy.