Problems with httpd and SElinux.

Daniel J Walsh dwalsh at redhat.com
Tue Nov 29 16:42:25 UTC 2005


Daniel B. Thurman wrote:
>> From: fedora-selinux-list-bounces at redhat.com
>> [mailto:fedora-selinux-list-bounces at redhat.com]On Behalf Of Daniel B.
>> Thurman
>> Sent: Tuesday, November 08, 2005 3:43 PM
>> To: Robert Cahn; Daniel J Walsh
>> Cc: fedora-list at redhat.com; fedora-selinux-list at redhat.com
>> Subject: RE: Problems with httpd and SElinux.
>>
>>
>>     
>>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>>> Sent: Monday, November 07, 2005 9:30 AM
>>> To: Daniel B. Thurman
>>> Cc: fedora-selinux-list at redhat.com
>>> Subject: Re: Problems with httpd and SElinux.
>>>
>>>
>>> Daniel B. Thurman wrote:
>>>       
>>>> Folks,
>>>>
>>>> I was asked to post this information here.  To explain things,
>>>> I have installed FrontPage extensions on FC4 but not realizing
>>>> that I had to first disable SElinux for httpd first, but to make
>>>> a long story short, I was able to install FP and then restore
>>>> SElinux protections for httpd, but on reboot, SElinux refused
>>>> to allow httpd to start and I suspect it had something to do
>>>> with the FrontPage additions to the /etc/httpd/conf/httpd.conf
>>>> file.  I currently have SElinux protections turned off for
>>>> https. Below is the audit file, hope it helps show the problem.
>>>>
>>>> type=AVC msg=audit(1131056930.757:251): avc:  denied  { name_bind } for  pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
>>>> type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218 a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
>>>> type=SOCKADDR msg=audit(1131056930.757:251): saddr=0A001F9A000000000000000000000000000000000000000000000000
>>>> type=SOCKETCALL msg=audit(1131056930.757:251): nargs=3 a0=5 a1=8b8da84 a2=1c
>>>> Kind regards,
>>>> Dan
>>>>
>>>>   
>>>>         
>>> We do not currently allow apache to listen on port 8090,
>>> but this looks legitimate, so I will add to policy.
>>> You can install policy (selinux-policy-targeted-sources
>>> for now and add a line to:
>>> /etc/selinux/targeted/src/policy/domains/misc/local.te
>>> portcon tcp 8090  system_u:object_r:http_port_t
>>>
>>> Then execute make -c /etc/selinux/targeted/src/policy load
>>>
>>> and you should be able to use that port.
>>>
>>>       
>> The information you gave me above does not work. I got all
>> sorts of compile errors.  BTW, the make should be "make -C".
>>
>> From Paul Howarth, I tried:
>> =============================================
>> If you want httpd to be able to listen on port 8090, and you have the
>> policy sources installed, you can do this by adding the following line
>> to /etc/selinux/targeted/src/policy/net_contexts:
>>
>> portcon tcp 8090  system_u:object_r:http_port_t
>>
>> Then you need to compile and reload the security contexts:
>> # make -C /etc/selinux/targeted/src/policy reload
>> =============================================
>>
>> This all compiles fine now.
>>
>> Testing to see if httpd can now restart with the new policies:
>> 1) setsebool -P httpd_disable_trans 0
>> 2) Restart httpd for this to take effect: service httpd restart
>>
>> Httpd can restart with no failure messages.  The httpd server
>> now runs fine.
>>
>> HOWEVER - Testing FrontPage client against my FC4 box FAILS to
>> connect and the reason revealed in /var/log/httpd/error_log:
>>
>> [Tue Nov 08 15:25:40 2005] [error] (13)Permission denied: 
>> Could not create key file 
>> "/usr/local/frontpage/version5.0/apache-fp/suidkey.17096" in 
>> FrontPageInit().  Until this problem is fixed, the FrontPage 
>> security patch is disabled and the FrontPage extensions may 
>> not work correctly.
>>
>> I suspect that there is a SElinux policy that is preventing the FP
>> client program from creating and deleting the suidkey file it needs
>> in order to startup and begin listening for FP Client requests. Please
>> note that the process number is created and destroyed for the suidkey
>> file and this is happening from within the httpd service file and has
>> nothing to do with the FP client connection attempts.  SELinux policy
>> is preventing the service file from creating and destroying this file.
>>
>> So - in order to get back the successful FP client connections as
>> before, performing these steps:
>>
>> 1) setsebool -P httpd_disable_trans 1
>> 2) Restart httpd for this to take effect: service httpd restart
>>
>> The httpd/error_log error message does not appear and I can now
>> connect to the FC4 with the FP client.
>>
>> Dan Thurman.
>>
>> -- 
>>     
>
> Huh?  Who resent this?  This one was sent 11/7/2005...
>
> I replied back to Daniel J Walsh with an attachment with
> the output of /var/log/audit/audit_log file that showed
> why *many* denials that were occurring with SElinux preventing
> the FrontPage process from working within httpd.
>
> In case Daniel did not get it, I am attaching the file again.
>
> ==============================================
> Daniel J. Walsh:
> ================
>   
>>> What did you see for AVC messages in /var/log/messages or 
>>> /var/log/audit/audit.log?
>>>
>>>       
>> Please see the attached file.  It is the /var/log/audit/audit.log
>> file and is 13k compressed. I tried best as I could to truncate to
>> relevant logs pertaining to httpd/fp issues. Please let me know if
>> you need anything else.
>>     
> ==============================================
>
> Kind regards,
> Dan
>
>
>   
Looks like apache is trying to write to apache-fp directory under /usr 
somewhere.  This dir needs to be labeled httpd_sys_script_rw_t to work 
correctly.  Also looks like apache tried to do a ps -e or such to get 
all the process on the system.
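Added example (not code from this thread, from Fedora or from the SELinux project): a small triage script for the four audit records quoted above. It joins the records that share event serial 251, decodes the SOCKADDR hex so the port httpd tried to bind is visible (the 0A00 family and 1F9A port bytes), maps exit=-13 to EACCES, and prints why the bind failed: the httpd_t domain was refused name_bind on a TCP port that still carries the generic port_t label, which is exactly what the portcon line for http_port_t fixes. Function names, the summary keys and the sample list are mine; the record text is copied from the thread.

```python
"""Triage of the SELinux AVC denial quoted in the thread (added example)."""
import errno
import re
import struct
from collections import defaultdict

# Constructed sample input: the four audit records from the thread, re-joined
# onto one line each (the mail client had wrapped them).
AUDIT_LINES = [
    'type=AVC msg=audit(1131056930.757:251): avc:  denied  { name_bind } for  pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket',
    'type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218 a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"',
    'type=SOCKADDR msg=audit(1131056930.757:251): saddr=0A001F9A000000000000000000000000000000000000000000000000',
    'type=SOCKETCALL msg=audit(1131056930.757:251): nargs=3 a0=5 a1=8b8da84 a2=1c',
]

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{ ([^}]*) \}')
ADDRESS_FAMILIES = {2: "AF_INET", 10: "AF_INET6"}  # Linux sa_family values


def parse_record(line):
    """Split one audit record into its type, event serial and key=value fields."""
    m = RECORD_RE.match(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"type": m.group("type"), "serial": int(m.group("serial"))}
    body = m.group("body")
    if rec["type"] == "AVC":
        rec["result"] = body.split()[1]                      # "denied" or "granted"
        rec["perms"] = PERMS_RE.search(body).group(1).split()  # e.g. ["name_bind"]
    for key, val in KV_RE.findall(body):
        rec.setdefault(key, val.strip('"'))                  # never clobber type/serial
    return rec


def decode_saddr(hexstr):
    """Decode the hex sockaddr the kernel logs in a SOCKADDR record."""
    hexstr = hexstr[: len(hexstr) // 2 * 2]   # drop a dangling nibble from a truncated copy
    raw = bytes.fromhex(hexstr)
    family = struct.unpack("<H", raw[:2])[0]  # sa_family_t is host order (x86: little-endian)
    info = {"family": ADDRESS_FAMILIES.get(family, "AF_%d" % family)}
    if family in (2, 10):
        info["port"] = struct.unpack("!H", raw[2:4])[0]  # sin_port/sin6_port: network order
    if family == 2 and len(raw) >= 8:
        info["address"] = ".".join(str(b) for b in raw[4:8])
    elif family == 10 and len(raw) >= 24:
        info["address"] = ":".join("%x" % w for w in struct.unpack("!8H", raw[8:24]))
    return info


def triage(lines):
    """Group records by event serial and build one summary per denial."""
    events = defaultdict(dict)
    for line in lines:
        rec = parse_record(line)
        events[rec["serial"]][rec["type"]] = rec
    summaries = []
    for serial, recs in sorted(events.items()):
        avc = recs.get("AVC")
        if not avc or avc["result"] != "denied":
            continue
        s = {
            "serial": serial,
            "comm": avc.get("comm"),
            "pid": int(avc["pid"]),
            "permission": " ".join(avc["perms"]),
            "source_type": avc["scontext"].split(":")[2],  # domain, e.g. httpd_t
            "target_type": avc["tcontext"].split(":")[2],  # object label, e.g. port_t
            "tclass": avc["tclass"],
        }
        if "src" in avc:
            s["src_port"] = int(avc["src"])
        sc = recs.get("SYSCALL")
        if sc:
            code = -int(sc["exit"])
            s["errno"] = errno.errorcode.get(code, str(code))  # -13 -> EACCES
            s["exe"] = sc.get("exe")
        sa = recs.get("SOCKADDR")
        if sa:
            s.update(decode_saddr(sa["saddr"]))
        summaries.append(s)
    return summaries


def explain(summary):
    """Plain-language reading of a denial, with the remedy the thread settles on."""
    port = summary.get("port", summary.get("src_port"))
    if summary["permission"] == "name_bind" and summary["tclass"] == "tcp_socket":
        return ("%s (%s) was refused binding TCP port %s: the port carries the generic "
                "label %s. Label the port for the domain (for httpd_t, http_port_t via a "
                "portcon entry) instead of disabling the httpd transition."
                % (summary["comm"], summary["source_type"], port, summary["target_type"]))
    return "%s denied %s on %s" % (summary["source_type"], summary["permission"], summary["tclass"])


if __name__ == "__main__":
    for s in triage(AUDIT_LINES):
        print(s)
        print(explain(s))
```

The SOCKETCALL record's a2=1c (28 bytes) matches the size of a sockaddr_in6, which is why the decoder reads the family as AF_INET6; the same routine handles the 16-byte sockaddr_in of an IPv4 bind.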


