Is something missing in the policy, or did I miss some other boolean?
Thank you.
Sincerely yours,
Vadym Chepkov
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
04-02-2010, 03:33 PM
Daniel J Walsh
httpd mod_auth_pam winbind
On 04/02/2010 12:38 AM, Vadym Chepkov wrote:
> Hi,
>
> I have selinux-policy-targeted-2.4.6-255.el5_4.4
>
> allow_httpd_mod_auth_pam --> on
> httpd_can_network_connect --> on
>
> httpd with mod_auth_pam via winbind
>
> get the following avc when in "permissive" mode
>
>
> type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 a0=10 a1=3 a2=9 a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1270181973.950:37): avc: denied { create } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>
> type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 a0=13 a1=7fff640fa9c0 a2=7c a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1270181973.950:38): avc: denied { nlmsg_relay } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> type=AVC msg=audit(1270181973.950:38): avc: denied { write } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>
> type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 a0=13 a1=7fff640f8690 a2=231c a3=42 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1270181973.950:39): avc: denied { read } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
>
> audit2allow suggests simple:
> allow httpd_t self:netlink_audit_socket { nlmsg_relay write create read };
>
> Is something missing in the policy, or did I miss some other boolean?
>
>
No, this could be considered a bug. Basically PAM is trying to send an
audit message to the audit.log.
You can add this access; it would allow the Apache process to attempt
to send audit messages. Since httpd is running as non-root, it
might not have the capabilities necessary to send them.
Open a bug report on this, since we probably should dontaudit these
calls if the boolean to allow PAM is turned on.
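What audit2allow is doing when it prints that one-line rule, as an added example that is not code from the thread, from policycoreutils or from the selinux-policy project: the script below parses the SYSCALL and AVC records Vadym posted (copied verbatim as the constructed sample), correlates them by audit serial, decodes the socket(2) arguments of record 37 to confirm the socket really is the audit netlink socket (AF_NETLINK, SOCK_RAW, NETLINK_AUDIT on x86_64, where syscall 41 is socket, 44 sendto and 45 recvfrom), groups the denied permissions on the same (source type, target type, class) key audit2allow aggregates on, and renders both the allow rule and a loadable .te module. It goes a little beyond the thread in that it handles any number of records and any type pair, not only httpd_t on self. The module name httpd_pam_audit, its version and the function names are assumptions of this example.

```python
"""Mini audit2allow for the AVC records quoted above.

Added example, not code from the thread or from policycoreutils.  It parses
SYSCALL and AVC records, correlates them by audit serial, decodes the socket(2)
arguments of the SYSCALL record to confirm the socket is the audit netlink
socket, and renders the allow rule and a loadable .te module the way
`audit2allow -M` would.  The module name and version are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: the records Vadym posted, copied verbatim.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 a0=10 a1=3 a2=9 a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:37): avc: denied { create } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 a0=13 a1=7fff640fa9c0 a2=7c a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:38): avc: denied { nlmsg_relay } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc: denied { write } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 a0=13 a1=7fff640f8690 a2=231c a3=42 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:39): avc: denied { read } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
"""

# x86_64 (arch=c000003e) syscall numbers that appear in the sample.
X86_64_SYSCALLS = {41: "socket", 44: "sendto", 45: "recvfrom"}
AF_NETLINK, SOCK_RAW, NETLINK_AUDIT = 16, 3, 9

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r"denied\s*\{\s*([^}]*)\}")
SERIAL_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Turn one audit record into a dict: every key=value field, plus the
    serial number and, for AVC records, the list of denied permissions."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    rec["serial"] = int(SERIAL_RE.search(line).group(2))
    if rec["type"] == "AVC":
        rec["perms"] = PERMS_RE.search(line).group(1).split()
    return rec


def decode_socket_call(rec):
    """Decode the socket(2) arguments of a SYSCALL record (x86_64 only).
    Returns None for any other syscall or architecture."""
    if rec.get("arch") != "c000003e" or X86_64_SYSCALLS.get(int(rec["syscall"])) != "socket":
        return None
    domain, stype, proto = (int(rec[a], 16) for a in ("a0", "a1", "a2"))
    return {
        "domain": domain,
        "type": stype,
        "protocol": proto,
        "audit_netlink": (domain, stype, proto) == (AF_NETLINK, SOCK_RAW, NETLINK_AUDIT),
    }


def collect_denials(log_text):
    """Group denied permissions by (source type, target type, object class),
    the key audit2allow aggregates on.  Also return the SYSCALL records keyed
    by serial so each denial can be tied to the call that hit it."""
    denials = defaultdict(set)
    syscalls = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["type"] == "SYSCALL":
            syscalls[rec["serial"]] = rec
        elif rec["type"] == "AVC":
            stype = rec["scontext"].split(":")[2]
            ttype = rec["tcontext"].split(":")[2]
            # audit2allow writes "self" when a domain is denied access to its own objects.
            target = "self" if rec["tcontext"] == rec["scontext"] else ttype
            denials[(stype, target, rec["tclass"])].update(rec["perms"])
    return denials, syscalls


def allow_rules(denials, kind="allow"):
    """Render one rule per (source, target, class).  kind="dontaudit" produces
    the variant Dan mentions: it stops the log entries but grants nothing,
    so the access is still refused in enforcing mode."""
    return [
        f"{kind} {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, target, tclass), perms in sorted(denials.items())
    ]


def policy_module(denials, name="httpd_pam_audit", version="1.0"):
    """Build the .te source for a loadable module (same shape as `audit2allow -M`).
    The require block must declare every type and class the rules reference."""
    types = sorted({s for s, _, _ in denials} | {t for _, t, _ in denials if t != "self"})
    classes = defaultdict(set)
    for (_, _, tclass), perms in denials.items():
        classes[tclass].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    denials, syscalls = collect_denials(SAMPLE_AUDIT_LOG)
    print(decode_socket_call(syscalls[37]))  # socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT)
    print(policy_module(denials))
```

To load the generated module on the box in question, the equivalent of `audit2allow -M httpd_pam_audit < avc.log` is `checkmodule -M -m -o httpd_pam_audit.mod httpd_pam_audit.te`, then `semodule_package -o httpd_pam_audit.pp -m httpd_pam_audit.mod`, then `semodule -i httpd_pam_audit.pp`. Two caveats the thread raises are visible in the code: swapping `allow` for `dontaudit` (the `kind` argument) only silences the log, the access is still denied in enforcing mode, which is why the dontaudit suggestion does not fix the login; and even with the allow rule loaded, the kernel still requires CAP_AUDIT_WRITE to send AUDIT_USER_* messages on that socket, which the uid 48 httpd children do not hold, so the sendto would still fail with EPERM, matching Dan's remark about capabilities.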
04-02-2010, 04:58 PM
Vadym Chepkov
httpd mod_auth_pam winbind
--- On Fri, 4/2/10, Daniel J Walsh <dwalsh@redhat.com> wrote:
> From: Daniel J Walsh <dwalsh@redhat.com>
> Subject: Re: httpd mod_auth_pam winbind
> To: "Vadym Chepkov" <chepkov@yahoo.com>
> Cc: selinux@lists.fedoraproject.org
> Date: Friday, April 2, 2010, 11:33 AM
> On 04/02/2010 12:38 AM, Vadym Chepkov wrote:
> > [...]
> > audit2allow suggests simple:
> > allow httpd_t self:netlink_audit_socket { nlmsg_relay write create read };
> >
> > Is something missing in the policy, or did I miss some other boolean?
> >
> No, this could be considered a bug. Basically PAM is trying to send an
> audit message to the audit.log.
>
> You can add this access; it would allow the Apache process to attempt
> to send audit messages. Since httpd is running as non-root, it
> might not have the capabilities necessary to send them.
>
> Open a bug report on this, since we probably should dontaudit these
> calls if the boolean to allow PAM is turned on.
dontaudit wouldn't work; Apache denies access in enforcing mode.
Bug 579105 submitted.
Thank you,
Sincerely yours,
Vadym Chepkov
04-05-2010, 12:11 PM
Daniel J Walsh
httpd mod_auth_pam winbind
On 04/02/2010 12:58 PM, Vadym Chepkov wrote:
> --- On Fri, 4/2/10, Daniel J Walsh<dwalsh@redhat.com> wrote:
>
>> [...]
>> Open a bug report on this, since we probably should dontaudit these
>> calls if the boolean to allow PAM is turned on.
>>
> dontaudit wouldn't work; Apache denies access in enforcing mode.
>
> Bug 579105 submitted.
>
Vadym, please open a bug on RHEL5 to add this functionality. I will add
it to RHEL6 now.
04-05-2010, 01:32 PM
Vadym Chepkov
httpd mod_auth_pam winbind
--- On Mon, 4/5/10, Daniel J Walsh <dwalsh@redhat.com> wrote:
> From: Daniel J Walsh <dwalsh@redhat.com>
> Subject: Re: httpd mod_auth_pam winbind
> To: "Vadym Chepkov" <chepkov@yahoo.com>
> Cc: selinux@lists.fedoraproject.org
> Date: Monday, April 5, 2010, 8:11 AM
> On 04/02/2010 12:58 PM, Vadym Chepkov wrote:
> > [...]
> > dontaudit wouldn't work; Apache denies access in enforcing mode.
> >
> > Bug 579105 submitted.
> >
> Vadym, please open a bug on RHEL5 to add this functionality. I will add
> it to RHEL6 now.
Dan,
I did open BZ 579105 on RHEL5. By the way, can RHEL6 already be downloaded as a beta, perhaps? I don't see it on RHN, only RHEL5.5-beta.
Thanks,
Vadym
04-05-2010, 01:49 PM
Daniel J Walsh
httpd mod_auth_pam winbind
On 04/05/2010 09:32 AM, Vadym Chepkov wrote:
> --- On Mon, 4/5/10, Daniel J Walsh<dwalsh@redhat.com> wrote:
>
>> [...]
>> Vadym, please open a bug on RHEL5 to add this functionality. I will add
>> it to RHEL6 now.
>>
> Dan,
>
> I did open BZ 579105 on RHEL5. By the way, can RHEL6 already be downloaded as a beta, perhaps? I don't see it on RHN, only RHEL5.5-beta.
>
> Thanks,
> Vadym
>
As I understand it the schedule says Beta 1 will be available April 21.
04-05-2010, 01:50 PM
Daniel J Walsh
httpd mod_auth_pam winbind
That date is subject to change :^) And don't quote me on it.