httpd mod_auth_pam winbind

Vadym Chepkov chepkov at yahoo.com
Fri Apr 2 16:58:53 UTC 2010


--- On Fri, 4/2/10, Daniel J Walsh <dwalsh at redhat.com> wrote:

> From: Daniel J Walsh <dwalsh at redhat.com>
> Subject: Re: httpd mod_auth_pam winbind
> To: "Vadym Chepkov" <chepkov at yahoo.com>
> Cc: selinux at lists.fedoraproject.org
> Date: Friday, April 2, 2010, 11:33 AM
> On 04/02/2010 12:38 AM, Vadym Chepkov wrote:
> > Hi,
> >
> > I have selinux-policy-targeted-2.4.6-255.el5_4.4
> >
> > allow_httpd_mod_auth_pam -->  on
> > httpd_can_network_connect -->  on
> >
> > httpd with mod_auth_pam via winbind
> >
> > get the following avc when in "permissive" mode
> >
> >
> > type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 a0=10 a1=3 a2=9 a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> > type=AVC msg=audit(1270181973.950:37): avc:  denied  { create } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> >
> > type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 a0=13 a1=7fff640fa9c0 a2=7c a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> > type=AVC msg=audit(1270181973.950:38): avc:  denied  { nlmsg_relay } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> > type=AVC msg=audit(1270181973.950:38): avc:  denied  { write } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> >
> > type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 a0=13 a1=7fff640f8690 a2=231c a3=42 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> > type=AVC msg=audit(1270181973.950:39): avc:  denied  { read } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> >
> > audit2allow suggests simple:
> > allow httpd_t self:netlink_audit_socket { nlmsg_relay write create read };
> >
> > Is something missing in the policy, or did I miss some other boolean?
> >
> No, this could be considered a bug.  Basically pam is trying to send an
> audit message to the audit.log.
> 
> You can add this access; it would allow the Apache process to attempt
> to send audit messages.  Since the httpd is running as non-root, it
> might not have the capabilities necessary to send them.
> 
> Open a bug report on this, since we probably should dontaudit these
> calls if the boolean to allow pam is turned on.

dontaudit wouldn't work, apache denies access in enforcing mode.

Bug 579105 Submitted

Thank you,
	
Sincerely yours,
  Vadym Chepkov
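
Added example, not code from this thread or from the SELinux project: a small Python parser for the AVC records above that (a) checks, from the paired SYSCALL records, whether the log was captured in permissive mode (denied in the AVC but success=yes in the syscall), (b) aggregates the denied permissions the way audit2allow does, and (c) renders both the allow rule and the dontaudit variant in the .te module syntax audit2allow emits, so the difference Vadym points out is visible: a dontaudit rule only suppresses the log record and grants nothing. The sample lines are the three events from the thread with the uid/gid fields trimmed; the module name httpd_pam_audit is an arbitrary placeholder.

```python
"""Parse SELinux AVC denial records and render the policy module that
audit2allow would propose, plus a dontaudit variant for comparison.

Added example for the thread above; not the mailing list's or audit2allow's
own code.  The module name "httpd_pam_audit" is an arbitrary placeholder.
"""
import re
from collections import defaultdict

# Constructed sample: the three audit events quoted in the thread, one record
# per line, with the uid/gid fields trimmed to keep the lines short.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:37): avc:  denied  { create } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:38): avc:  denied  { nlmsg_relay } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc:  denied  { write } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:39): avc:  denied  { read } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
"""

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+denied\s+'
    r'\{ (?P<perms>[^}]+)\} for .*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) '
    r'tclass=(?P<tclass>\S+)'
)
SYSCALL_RE = re.compile(
    r'type=SYSCALL msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): .*?success=(?P<success>\w+)'
)


def context_type(ctx):
    """user_u:system_r:httpd_t:s0 -> httpd_t (the type field of a context)."""
    return ctx.split(":")[2]


def parse_denials(log_text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
            denials[key].update(m["perms"].split())
    return dict(denials)


def denials_were_permitted(log_text):
    """True when every SYSCALL record that shares a serial with an AVC denial
    reports success=yes, i.e. the log was taken in permissive mode."""
    denied_serials = {m["serial"] for m in map(AVC_RE.search, log_text.splitlines()) if m}
    outcomes = {}
    for line in log_text.splitlines():
        m = SYSCALL_RE.search(line)
        if m and m["serial"] in denied_serials:
            outcomes[m["serial"]] = m["success"] == "yes"
    return bool(outcomes) and all(outcomes.values())


def rule_lines(denials, kind="allow"):
    """Render rules in .te syntax; kind is "allow" or "dontaudit".
    A dontaudit rule only stops the AVC record from being logged; in
    enforcing mode the operation is still refused."""
    lines = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        target = "self" if stype == ttype else ttype
        lines.append(f"{kind} {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return lines


def policy_module(denials, name="httpd_pam_audit", kind="allow"):
    """Wrap the rules in the module/require header audit2allow -M produces."""
    types = sorted({t for (s, tt, _) in denials for t in (s, tt)})
    classes = sorted({(c, tuple(sorted(p))) for (_, _, c), p in denials.items()})
    body = [f"module {name} 1.0;", "", "require {"]
    body += [f"\ttype {t};" for t in types]
    body += [f"\tclass {c} {{ {' '.join(p)} }};" for c, p in classes]
    body += ["}", ""] + rule_lines(denials, kind)
    return "\n".join(body) + "\n"


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    print("captured in permissive mode:", denials_were_permitted(SAMPLE_AUDIT_LOG))
    print(policy_module(found))                    # what audit2allow suggests
    print(policy_module(found, kind="dontaudit"))  # silences the log only
```

The allow variant is the same rule audit2allow proposed in the thread (permissions sorted alphabetically here). To load it, write the output to a .te file and run the usual sequence: checkmodule -M -m -o mod.mod mod.te, semodule_package -o mod.pp -m mod.mod, semodule -i mod.pp. The permissive-mode check is worth keeping in a triage script: success=yes next to a denied AVC means the log shows what enforcing mode would block, not what it did block.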
