04-02-2010, 04:38 AM
Vadym Chepkov

httpd mod_auth_pam winbind

Hi,

I have selinux-policy-targeted-2.4.6-255.el5_4.4

allow_httpd_mod_auth_pam --> on
httpd_can_network_connect --> on

httpd with mod_auth_pam via winbind

I get the following AVCs when in "permissive" mode:

type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 a0=10 a1=3 a2=9 a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:37): avc: denied { create } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket

type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 a0=13 a1=7fff640fa9c0 a2=7c a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:38): avc: denied { nlmsg_relay } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc: denied { write } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket

type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 a0=13 a1=7fff640f8690 a2=231c a3=42 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:39): avc: denied { read } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket

audit2allow suggests simply:
allow httpd_t self:netlink_audit_socket { nlmsg_relay write create read };

Is something missing in the policy, or did I miss some other boolean?

Thank you.

Sincerely yours,
Vadym Chepkov
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
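A way to turn records like the ones above into the rule audit2allow proposes, with each AVC tied back to the syscall that raised it. This is an added example, not audit2allow's own code and not part of the original post; the sample log is re-typed from the post with the SYSCALL records abridged, and the syscall table covers only the three x86_64 numbers seen here.

```python
"""Correlate SELinux AVC denials with their SYSCALL records and derive the
local-policy rule audit2allow would propose. Added example for this thread,
not audit2allow's own code; SAMPLE_AUDIT_LOG is re-typed from the post above
with the SYSCALL records abridged to the fields used here."""
import re
from collections import defaultdict

SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 pid=2039 uid=48 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0
type=AVC msg=audit(1270181973.950:37): avc: denied { create } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 pid=2039 uid=48 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0
type=AVC msg=audit(1270181973.950:38): avc: denied { nlmsg_relay } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc: denied { write } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 pid=2039 uid=48 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0
type=AVC msg=audit(1270181973.950:39): avc: denied { read } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
"""

# x86_64 (arch=c000003e) numbers for the three calls in the thread only; a
# real tool would consult ausyscall(8) or a full table.
X86_64_SYSCALLS = {41: "socket", 44: "sendto", 45: "recvfrom"}
_MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{ ([^}]*) \}")


def parse_records(text):
    """One dict per audit line; AVC lines also get 'result' and 'perms'."""
    records = []
    for line in text.splitlines():
        m = _MSG_RE.search(line)
        if m is None:  # blank line or not an audit record
            continue
        rec = {"timestamp": m.group(1), "serial": m.group(2)}
        rec.update((k, v.strip('"')) for k, v in _KV_RE.findall(line))
        avc = _AVC_RE.search(line)
        if avc:
            rec["result"], rec["perms"] = avc.group(1), set(avc.group(2).split())
        records.append(rec)
    return records


def correlate(records):
    """Group by serial: the SYSCALL record names the call each AVC came from."""
    events = defaultdict(lambda: {"syscall": None, "uid": None, "perms": set()})
    for rec in records:
        ev = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            nr = int(rec["syscall"])
            ev["syscall"] = X86_64_SYSCALLS.get(nr, f"syscall#{nr}")
            ev["uid"] = int(rec["uid"])
        elif rec["type"] == "AVC" and rec.get("result") == "denied":
            ev["perms"] |= rec["perms"]
    return dict(events)


def summarize_denials(records):
    """(source type, target type, class) -> permissions: one rule per key."""
    summary = defaultdict(set)
    for rec in records:
        if rec.get("result") == "denied":
            stype, ttype = (c.split(":")[2] for c in (rec["scontext"], rec["tcontext"]))
            summary[(stype, ttype, rec["tclass"])] |= rec["perms"]
    return dict(summary)


def te_rule(key, perms, kind="allow"):
    """Render one TE rule, writing 'self' when source and target types match.
    kind='dontaudit' only suppresses the log line; the access stays denied,
    which is why it cannot fix the failing PAM call in enforcing mode."""
    if kind not in ("allow", "dontaudit"):
        raise ValueError(f"unknown rule kind {kind!r}")
    stype, ttype, tclass = key
    target = "self" if stype == ttype else ttype
    return f"{kind} {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"


def te_module(name, summary, kind="allow"):
    """Module source in the shape audit2allow -M writes (header, require block,
    rules), ready for checkmodule/semodule_package."""
    classes = defaultdict(set)
    for (_, _, tclass), perms in summary.items():
        classes[tclass] |= perms
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted({t for k in summary for t in k[:2]})]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + [te_rule(k, p, kind) for k, p in sorted(summary.items())]
    return "\n".join(lines) + "\n"
```

Running `te_module("local", summarize_denials(parse_records(SAMPLE_AUDIT_LOG)))` yields the same self:netlink_audit_socket rule audit2allow printed in the post, wrapped in a module skeleton.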
 
04-02-2010, 03:33 PM
Daniel J Walsh

httpd mod_auth_pam winbind

On 04/02/2010 12:38 AM, Vadym Chepkov wrote:
> Is something missing in the policy, or did I miss some other boolean?
No, this could be considered a bug. Basically PAM is trying to send an
audit message to the audit.log.

You can add this access; it would allow the Apache process to attempt
to send audit messages. Since httpd is running as non-root, it
might not have the capabilities necessary to send them.

Open a bug report on this, since we probably should dontaudit these
calls if the boolean to allow PAM is turned on.

 
04-02-2010, 04:58 PM
Vadym Chepkov

httpd mod_auth_pam winbind

--- On Fri, 4/2/10, Daniel J Walsh <dwalsh@redhat.com> wrote:

> No, this could be considered a bug. Basically PAM is
> trying to send an
> audit message to the audit.log.
>
> You can add this access; it would allow the Apache
> process to attempt
> to send audit messages. Since httpd is running as
> non-root, it
> might not have the capabilities necessary to send them.
>
> Open a bug report on this, since we probably should
> dontaudit these
> calls if the boolean to allow PAM is turned on.

dontaudit wouldn't work; Apache denies access in enforcing mode.

Bug 579105 submitted.

Thank you,

Sincerely yours,
Vadym Chepkov


 
04-05-2010, 12:11 PM
Daniel J Walsh

httpd mod_auth_pam winbind

On 04/02/2010 12:58 PM, Vadym Chepkov wrote:
> dontaudit wouldn't work; Apache denies access in enforcing mode.
>
> Bug 579105 Submitted
Vadym, please open a bug on RHEL5 to add this functionality. I will add
it to RHEL6 now.
 
04-05-2010, 01:32 PM
Vadym Chepkov

httpd mod_auth_pam winbind

--- On Mon, 4/5/10, Daniel J Walsh <dwalsh@redhat.com> wrote:

> Vadym, please open a bug on RHEL5 to add this
> functionality. I will add
> it to RHEL6 now.

Dan,

I did open BZ 579105 on RHEL5. By the way, can RHEL6 be downloaded as a beta, perhaps already? I don't see it on RHN, only RHEL5.5-beta.

Thanks,
Vadym




 
04-05-2010, 01:49 PM
Daniel J Walsh

httpd mod_auth_pam winbind

On 04/05/2010 09:32 AM, Vadym Chepkov wrote:
> Dan,
>
> I did open BZ 579105 on RHEL5. By the way, can RHEL6 be downloaded as a beta, perhaps already? I don't see it on RHN, only RHEL5.5-beta.
>
> Thanks,
> Vadym
As I understand it the schedule says Beta 1 will be available April 21.
 
04-05-2010, 01:50 PM
Daniel J Walsh

httpd mod_auth_pam winbind

That date is subject to change :^) And don't quote me on it.
 
04-05-2010, 07:42 PM
Paul Howarth

httpd mod_auth_pam winbind

On Mon, 5 Apr 2010 06:32:23 -0700 (PDT)
Vadym Chepkov <chepkov@yahoo.com> wrote:

> Dan,
>
> I did open BZ 579105 on RHEL5. By the way, can RHEL6 be downloaded
> as a beta, perhaps already? I don't see it on RHN, only RHEL5.5-beta.

RHEL 5.5 went "gold" last week. I have two servers already running it.

Paul.
 
