httpd mod_auth_pam winbind

Daniel J Walsh dwalsh at redhat.com
Mon Apr 5 12:11:04 UTC 2010


On 04/02/2010 12:58 PM, Vadym Chepkov wrote:
> --- On Fri, 4/2/10, Daniel J Walsh<dwalsh at redhat.com>  wrote:
>
>    
>> From: Daniel J Walsh<dwalsh at redhat.com>
>> Subject: Re: httpd mod_auth_pam winbind
>> To: "Vadym Chepkov"<chepkov at yahoo.com>
>> Cc: selinux at lists.fedoraproject.org
>> Date: Friday, April 2, 2010, 11:33 AM
>> On 04/02/2010 12:38 AM, Vadym Chepkov
>> wrote:
>>      
>>> Hi,
>>>
>>> I have selinux-policy-targeted-2.4.6-255.el5_4.4
>>>
>>> allow_httpd_mod_auth_pam -->   on
>>> httpd_can_network_connect -->   on
>>>
>>> httpd with mod_auth_pam via winbind
>>>
>>> get the following avc when in "permissive" mode
>>>
>>>
>>> type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 a0=10 a1=3 a2=9 a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
>>> type=AVC msg=audit(1270181973.950:37): avc:  denied  { create } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>>> type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 a0=13 a1=7fff640fa9c0 a2=7c a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
>>> type=AVC msg=audit(1270181973.950:38): avc:  denied  { nlmsg_relay } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>>> type=AVC msg=audit(1270181973.950:38): avc:  denied  { write } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>>> type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 a0=13 a1=7fff640f8690 a2=231c a3=42 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
>>> type=AVC msg=audit(1270181973.950:39): avc:  denied  { read } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>>>
>>> audit2allow suggests simply:
>>> allow httpd_t self:netlink_audit_socket { nlmsg_relay write create read };
>>>
>>> Is something missing in the policy, or did I miss some other boolean?
>>>
>> No, this could be considered a bug.  Basically pam is trying to send an
>> audit message to the audit.log.
>>
>> You can add this access; it would allow the apache process to attempt
>> to send audit messages.  Since httpd is running as non-root, it
>> might not have the capabilities necessary to send them.
>>
>> Open a bug report on this, since we probably should dontaudit these
>> calls if the boolean to allow pam is turned on.
>>      
> dontaudit wouldn't work, apache denies access in enforcing mode.
>
> Bug 579105 Submitted
>
> Thank you,
> 	
> Sincerely yours,
>    Vadym Chepkov
>
>
> --
> selinux mailing list
> selinux at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>    
Vadym, please open a bug on RHEL5 to add this functionality.  I will add
it to RHEL6 now.
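The thread shows audit2allow collapsing four separate AVC records into one allow rule. As an added illustration (not code from the thread or from the SELinux tools), the script below does that grouping by hand over the records quoted above, re-joined onto single lines as a constructed sample: it keys each denial on (source type, target type, object class), merges the permission sets, prints the rule with `self` when source and target types match, and wraps the result in a `.te` module source with its `require` block. The module name `httpd_pam_audit` is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records from the thread above (plus one
# SYSCALL record, to show it is skipped), re-joined onto single lines.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:37): avc:  denied  { create } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc:  denied  { nlmsg_relay } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc:  denied  { write } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:39): avc:  denied  { read } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
"""

# One AVC denial: the permissions in braces, then source/target context and class.
AVC_RE = re.compile(
    r'type=AVC\b.*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Extract the type field from a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc_denials(text):
    """Group denied permissions by (source type, target type, object class).

    Returns {(src, tgt, tclass): set(perms)}. Non-AVC records (SYSCALL etc.)
    are ignored, and records sharing a key are merged, which is why the four
    denials in the sample collapse into a single rule.
    """
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue
        key = (type_of(m['scontext']), type_of(m['tcontext']), m['tclass'])
        rules[key].update(m['perms'].split())
    return dict(rules)


def allow_rules(rules):
    """Render each grouped denial as an SELinux allow rule, permissions sorted."""
    lines = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = 'self' if src == tgt else tgt   # same domain on both sides -> 'self'
        lines.append(f'allow {src} {target}:{cls} {{ {" ".join(sorted(perms))} }};')
    return lines


def policy_module(name, rules):
    """Wrap the allow rules in loadable-module source (.te) with its require block."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    class_perms = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        class_perms[cls].update(perms)
    out = [f'module {name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {cls} {{ {" ".join(sorted(p))} }};' for cls, p in sorted(class_perms.items())]
    out += ['}', ''] + allow_rules(rules)
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    print(policy_module('httpd_pam_audit', parse_avc_denials(SAMPLE_AUDIT_LOG)))
```

The generated `.te` text can be compiled and loaded the usual way (`checkmodule -M -m`, `semodule_package`, `semodule -i`). Note the caveat Dan gives above: the allow rule removes the SELinux denial only; httpd still runs as uid 48, so whether the kernel accepts the audit message from that process is a separate capability question.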

