Problems with httpd and SElinux.
Daniel J Walsh
dwalsh at redhat.com
Tue Nov 29 16:42:25 UTC 2005
Daniel B. Thurman wrote:
>> From: fedora-selinux-list-bounces at redhat.com
>> [mailto:fedora-selinux-list-bounces at redhat.com]On Behalf Of Daniel B.
>> Thurman
>> Sent: Tuesday, November 08, 2005 3:43 PM
>> To: Robert Cahn; Daniel J Walsh
>> Cc: fedora-list at redhat.com; fedora-selinux-list at redhat.com
>> Subject: RE: Problems with httpd and SElinux.
>>
>>
>>
>>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>>> Sent: Monday, November 07, 2005 9:30 AM
>>> To: Daniel B. Thurman
>>> Cc: fedora-selinux-list at redhat.com
>>> Subject: Re: Problems with httpd and SElinux.
>>>
>>>
>>> Daniel B. Thurman wrote:
>>>
>>>> Folks,
>>>>
>>>> I was asked to post this information here. To explain things,
>>>> I have installed FrontPage extensions on FC4 but not realizing
>>>> that I had to first disable SElinux for httpd first, but to make
>>>> a long story short, I was able to install FP and then restore
>>>> SElinux protections for httpd, but on reboot, SElinux refused
>>>> to allow httpd to start and I suspect it had something to do
>>>> with the FrontPage additions to the /etc/httpd/conf/httpd.conf
>>>> file. I currently have SElinux protections turned off for
>>>> https. Below is the audit file, hope it helps show the problem.
>>>>
>>>> type=AVC msg=audit(1131056930.757:251): avc: denied { name_bind } for pid=4946 comm="httpd" src=8090
>>>> scontext=root:system_r:httpd_t
>>>> tcontext=system_u:object_r:port_t tclass=tcp_socket
>>>> type=SYSCALL msg=audit(1131056930.757:251): arch=40000003
>>>> syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218
>>>> a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0
>>>> suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd"
>>>> exe="/usr/sbin/httpd"
>>>> type=SOCKADDR msg=audit(1131056930.757:251):
>>>> saddr=0A001F9A000000000000000000000000000000000000000000000000
>>>> type=SOCKETCALL msg=audit(1131056930.757:251): nargs=3 a0=5
>>>> a1=8b8da84 a2=1c
>>>>
>>>> Kind regards,
>>>> Dan
>>>>
>>>>
>>>>
>>> We do not currently allow apache to listen on port 8090,
>>> but this looks legitimate, so I will add to policy.
>>> You can install policy (selinux-policy-targeted-sources)
>>> for now and add a line to:
>>> /etc/selinux/targeted/src/policy/domains/misc/local.te
>>> portcon tcp 8090 system_u:object_r:http_port_t
>>>
>>> Then execute make -c /etc/selinux/targeted/src/policy load
>>>
>>> and you should be able to use that port.
>>>
>>>
>> The information you gave me above does not work. I got all
>> sorts of compile errors. BTW, the make should be "make -C".
>>
>> From Paul Howarth, I tried:
>> =============================================
>> If you want httpd to be able to listen on port 8090, and you have the
>> policy sources installed, you can do this by adding the following line
>> to /etc/selinux/targeted/src/policy/net_contexts:
>>
>> portcon tcp 8090 system_u:object_r:http_port_t
>>
>> Then you need to compile and reload the security contexts:
>> # make -C /etc/selinux/targeted/src/policy reload
>> =============================================
>>
>> This all compiles fine now.
>>
>> Testing to see if httpd can now restart with the new policies:
>> 1) setsebool -P httpd_disable_trans 0
>> 2) Restart httpd for this to take effect: service httpd restart
>>
>> Httpd can restart with no failure messages. The httpd server
>> now runs fine.
>>
>> HOWEVER - Testing FrontPage client against my FC4 box FAILS to
>> connect and the reason revealed in /var/log/httpd/error_log:
>>
>> [Tue Nov 08 15:25:40 2005] [error] (13)Permission denied:
>> Could not create key file
>> "/usr/local/frontpage/version5.0/apache-fp/suidkey.17096" in
>> FrontPageInit(). Until this problem is fixed, the FrontPage
>> security patch is disabled and the FrontPage extensions may
>> not work correctly.
>>
>> I suspect that there is a SElinux policy that is preventing the FP
>> client program from creating and deleting the suidkey file it needs
>> in order to startup and begin listening for FP Client requests. Please
>> note that the process number is created and destroyed for the
>> suidkey file and this is happening from within the httpd service file
>> and has nothing to do with the FP client connection attempts. SELinux
>> policy is preventing the service file from creating and destroying
>> this file.
>>
>> So - in order to get back the successful FP client connections
>> as before, performing these steps:
>>
>> 1) setsebool -P httpd_disable_trans 1
>> 2) Restart httpd for this to take effect: service httpd restart
>>
>> The httpd/error_log error message does not appear and I can now
>> connect to the FC4 with the FP client.
>>
>> Dan Thurman.
>>
>> --
>>
>
> Huh? Who resent this? This one was sent 11/7/2005...
>
> I replied back to Daniel J Walsh with an attachment with
> the output of /var/log/audit/audit_log file that showed
> why *many* denials that were occurring with SElinux preventing
> the FrontPage process from working within httpd.
>
> In case Daniel did not get it, I am attaching the file again.
>
> ==============================================
> Daniel J. Walsh:
> ================
>
>>> What did you see for AVC messages in /var/log/messages or
>>> /var/log/audit/audit.log?
>>>
>>>
>> Please see the attached file. It is the /var/log/audit/audit.log
>> file and is 13k compressed. I tried best as I could to truncate to
>> relevant logs pertaining to httpd/fp issues. Please let me know if
>> you need anything else.
>>
> ==============================================
>
> Kind regards,
> Dan
>
>
>
Looks like apache is trying to write to apache-fp directory under /usr
somewhere. This dir needs to be labeled httpd_sys_script_rw_t to work
correctly. Also looks like apache tried to do a ps -e or such to get
all the processes on the system.
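An added example, not part of the thread: a small Python triage script that parses the AVC record quoted above and decodes the SOCKADDR blob (the family field is read little-endian because arch=40000003 is i386), confirming that the denied name_bind was for port 8090 and pointing at the port-labeling fix rather than httpd_disable_trans. The sample records are constructed from the thread's text; the function names are my own.

```python
import re

# Constructed sample: the AVC and SOCKADDR records quoted in the thread,
# re-joined onto one line each (mail quoting had wrapped them). The saddr
# blob is the thread's value: 0A001F9A followed by 24 zero bytes (sockaddr_in6).
SAMPLE = (
    'type=AVC msg=audit(1131056930.757:251): avc: denied { name_bind } for '
    'pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t '
    'tcontext=system_u:object_r:port_t tclass=tcp_socket\n'
    'type=SOCKADDR msg=audit(1131056930.757:251): saddr=0A001F9A' + '00' * 24 + '\n'
)
AF_NAMES = {2: "AF_INET", 10: "AF_INET6"}

def parse_avc(line):
    """Extract permission(s), source/target contexts and object class from an AVC line."""
    m = re.search(r"denied \{ ([\w ]+) \} for .*?scontext=(\S+) tcontext=(\S+) tclass=(\S+)", line)
    if not m:
        return None
    perms, scontext, tcontext, tclass = m.groups()
    return {"perms": perms.split(), "scontext": scontext, "tcontext": tcontext,
            "tclass": tclass, "ttype": tcontext.split(":")[2]}

def decode_saddr(hexstr):
    """Decode a saddr blob: family in host order (little-endian on i386), port in network order."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[0:2], "little")
    port = int.from_bytes(raw[2:4], "big") if family in AF_NAMES else None
    return AF_NAMES.get(family, "AF_%d" % family), port

def triage(log_text):
    """Correlate the AVC and SOCKADDR records of one event and name the fix category."""
    avc, sock = None, (None, None)
    for line in log_text.splitlines():
        if line.startswith("type=AVC"):
            avc = parse_avc(line)
        elif line.startswith("type=SOCKADDR"):
            sock = decode_saddr(re.search(r"saddr=([0-9A-Fa-f]+)", line).group(1))
    if avc is None:
        return None
    if "name_bind" in avc["perms"] and avc["ttype"] == "port_t":
        # Unlabeled port: give it the domain's port type (the thread's portcon line)
        # instead of switching the httpd domain off with httpd_disable_trans.
        hint = "label tcp port %s (%s) as http_port_t" % (sock[1], sock[0])
    elif avc["tclass"] in ("file", "dir"):
        # Wrong file label: relabel the path, e.g. httpd_sys_script_rw_t for the apache-fp dir.
        hint = "relabel target of type %s for %s" % (avc["ttype"], avc["scontext"])
    else:
        hint = "review %s on %s" % (" ".join(avc["perms"]), avc["tclass"])
    return {"perms": avc["perms"], "ttype": avc["ttype"], "family": sock[0], "port": sock[1], "hint": hint}
```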