07-18-2008, 02:49 PM
Colly Murray

Selinux & Apache

Hi there,

I'm having some problems with apache and selinux.

Yesterday in /var/log/httpd/error_log I had:

[Thu Jul 17 16:34:26 2008] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Thu Jul 17 16:34:26 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jul 17 16:34:26 2008] [notice] Digest: generating secret for digest authentication ...
[Thu Jul 17 16:34:26 2008] [notice] Digest: done
[Thu Jul 17 16:34:26 2008] [warn] pid file /var/www/ditsite/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Thu Jul 17 16:34:26 2008] [notice] Apache configured -- resuming normal operations

It happened a couple of times on a production site, so I decided to try disabling protection for the httpd daemon:

# setsebool -P httpd_disable_trans 1
# service httpd restart

Message in /var/log/messages:

Jul 18 13:37:46 localhost dbus: avc:  received policyload notice (seqno=3)
Jul 18 13:37:47 localhost setsebool: The httpd_disable_trans policy boolean was changed to 1 by root
Jul 18 13:37:48 localhost setroubleshoot: SELinux is preventing setsebool (semanage_t) "sys_admin" to <Unknown> (semanage_t). For complete SELinux messages. run sealert -l dbc64b3f-71be-48c7-aa07-03264440576c

Sealert says the following:

Summary:

SELinux is preventing httpd (httpd_t) "sys_admin" to <Unknown> (httpd_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by httpd. It is not expected that this access is required by httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:system_r:httpd_t
Target Context                root:system_r:httpd_t
Target Objects                None [ capability ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          OSTRAIS
Source RPM Packages           httpd-2.2.3-11.el5_1.3
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5_2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     OSTRAIS
Platform                      Linux OSTRAIS 2.6.18-92.1.1.el5 #1 SMP Thu May 22 09:01:47 EDT 2008 x86_64 x86_64
Alert Count                   10
First Seen                    Thu Jul 17 17:20:02 2008
Last Seen                     Fri Jul 18 13:33:30 2008
Local ID                      b22d5d55-1982-4c69-820e-7df4dbd33842
Line Numbers

Raw Audit Messages

host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc:  denied  { sys_admin } for  pid=24960 comm="httpd" capability=21 scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability

1.) Why is selinux preventing me from changing this value?

2.) Am I taking the correct approach?

httpd-2.2.3-11.el5_1.3/
Linux 2.6.18-92.1.1.el5 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 5.2 (Tikanga)

Thanks

Colly

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
07-18-2008, 03:01 PM
Daniel J Walsh

Selinux & Apache

Colly Murray wrote:
> Hi there,
>
> I'm having some problems with apache and selinux.
>
> Yesterday in /var/log/httpd/error_log I had:
>
> [Thu Jul 17 16:34:26 2008] [notice] SELinux policy enabled; httpd running as
> context user_u:system_r:httpd_t
> [Thu Jul 17 16:34:26 2008] [notice] suEXEC mechanism enabled (wrapper:
> /usr/sbin/suexec)
> [Thu Jul 17 16:34:26 2008] [notice] Digest: generating secret for digest
> authentication ...
> [Thu Jul 17 16:34:26 2008] [notice] Digest: done
> [Thu Jul 17 16:34:26 2008] [warn] pid file /var/www/ditsite/logs/httpd.pid
> overwritten -- Unclean shutdown of previous Apache run?
> [Thu Jul 17 16:34:26 2008] [notice] Apache configured -- resuming normal
> operations
>
I don't see any errors here?

> It happened a couple of times on a production site, so I decided to try
> disabling protection for httpd Daemon:
>
SELinux was not preventing you from doing anything, I believe. You
restarted the service using `service apache restart`, which would change
apache from running as system_u:system_r:httpd_t to
user_u:system_r:httpd_t (user_u is the user who restarted apache).
Apache must be watching this and reporting it as a warning, but it
would not prevent apache from doing anything.
> # setsebool -P httpd_disable_trans 1
> # service httpd restart
>
> Message in /var/log/messages
>
> Jul 18 13:37:46 localhost dbus: avc: received policyload notice (seqno=3)
> Jul 18 13:37:47 localhost setsebool: The httpd_disable_trans policy boolean
> was changed to 1 by root
> Jul 18 13:37:48 localhost setroubleshoot: SELinux is preventing setsebool
> (semanage_t) "sys_admin" to <Unknown> (semanage_t). For complete SELinux
> messages. run sealert -l dbc64b3f-71be-48c7-aa07-03264440576c
>
> [...]
>
> Raw Audit Messages
>
> host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc: denied {
> sys_admin } for pid=24960 comm="httpd" capability=21
> scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0
> tclass=capability
>
> 1.) Why is selinux preventing me from changing this value?

SELinux did not prevent you from changing the value. It seems apache is
still running httpd_t though. Not sure why.

> 2.) Am I taking the correct approach?

No. Why did you disable SELinux protection on apache when it was not
failing? If it is failing, what is it trying to do?
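Added example, not from the thread or from the list: a small Python triage helper that parses the raw AVC record Colly posted (the `type=AVC ... avc: denied { sys_admin } ...` line) and turns Dan's point about the source user (system_u when started by init, a login user when started from a shell) into a note a defender can act on. The second sample record and the CAP_NAMES table are constructed here for illustration.

```python
import re

# Constructed sample input: the raw AVC record from the thread, plus a second
# record (constructed here, not from the thread) in the form a newer kernel
# emits, with an explicit permissive= field and an init-started daemon.
SAMPLE_LINES = [
    'host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc: denied { sys_admin } '
    'for pid=24960 comm="httpd" capability=21 scontext=root:system_r:httpd_t:s0 '
    'tcontext=root:system_r:httpd_t:s0 tclass=capability',
    'type=AVC msg=audit(1216384411.001:2491): avc: denied { sys_admin } for pid=24961 '
    'comm="httpd" capability=21 scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=capability permissive=0',
]

AVC_RE = re.compile(r'type=AVC\s+msg=audit\((?P<ts>[0-9.]+):(?P<serial>\d+)\):\s*'
                    r'avc:\s+(?P<verdict>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
CAP_NAMES = {21: 'CAP_SYS_ADMIN'}  # capability number 21, the one in this thread

def parse_avc(line):
    """Return the AVC record as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec.update(verdict=m.group('verdict'), perms=m.group('perms').split(),
               serial=int(m.group('serial')))
    # RHEL 5 kernels did not log permissive=; sealert reported the mode instead.
    rec['permissive'] = None if 'permissive' not in rec else rec['permissive'] == '1'
    return rec

def assess(rec):
    """Defender-side triage notes for one parsed AVC record."""
    notes = []
    suser = rec['scontext'].split(':')[0]
    if rec.get('tclass') == 'capability':
        cap = int(rec.get('capability', -1))
        notes.append('%s asked for { %s } on itself, i.e. %s'
                     % (rec['comm'], ' '.join(rec['perms']), CAP_NAMES.get(cap, 'capability %d' % cap)))
    if suser != 'system_u':
        # Dan's point: a daemon restarted from a login shell keeps that session's
        # SELinux user instead of system_u; that is a warning, not a denial.
        notes.append('source user is %s, not system_u: %s was started from a login session, not by init'
                     % (suser, rec['comm']))
    if rec['permissive'] is True:
        notes.append('permissive mode: logged only, the access went ahead')
    elif rec['permissive'] is False:
        notes.append('enforcing mode: the access was actually blocked')
    return notes
```

Run `assess(parse_avc(line))` over the AVC lines from /var/log/audit/audit.log; a record whose source user is not system_u is the same symptom Dan describes for the restarted daemon.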