>From: fedora-selinux-list-bounces@xxxxxxxxxx
>[mailto:fedora-selinux-list-bounces@xxxxxxxxxx] On Behalf Of Daniel B. Thurman
>Sent: Tuesday, November 08, 2005 3:43 PM
>To: Robert Cahn; Daniel J Walsh
>Cc: fedora-list@xxxxxxxxxx; fedora-selinux-list@xxxxxxxxxx
>Subject: RE: Problems with httpd and SElinux.
>
>
>>From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
>>Sent: Monday, November 07, 2005 9:30 AM
>>To: Daniel B. Thurman
>>Cc: fedora-selinux-list@xxxxxxxxxx
>>Subject: Re: Problems with httpd and SElinux.
>>
>>
>>Daniel B. Thurman wrote:
>>> Folks,
>>>
>>> I was asked to post this information here. To explain things,
>>> I have installed FrontPage extensions on FC4 but not realizing
>>> that I had to first disable SElinux for httpd, but to make
>>> a long story short, I was able to install FP and then restore
>>> SElinux protections for httpd, but on reboot, SElinux refused
>>> to allow httpd to start and I suspect it had something to do
>>> with the FrontPage additions to the /etc/httpd/conf/httpd.conf
>>> file. I currently have SElinux protections turned off for
>>> httpd. Below is the audit file, hope it helps show the problem.
>>>
>>> type=AVC msg=audit(1131056930.757:251): avc: denied { name_bind } for pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
>>> type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218 a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
>>> type=SOCKADDR msg=audit(1131056930.757:251): saddr=0A001F9A000000000000000000000000000000000000000000000000
>>> type=SOCKETCALL msg=audit(1131056930.757:251): nargs=3 a0=5 a1=8b8da84 a2=1c
>>>
>>> Kind regards,
>>> Dan
>>>
>>>
>>We do not currently allow apache to listen on port 8090,
>>but this looks legitimate, so I will add to policy.
>>You can install policy (selinux-policy-targeted-sources)
>>for now and add a line to:
>>/etc/selinux/targeted/src/policy/domains/misc/local.te
>>portcon tcp 8090 system_u:object_r:http_port_t
>>
>>Then execute make -c /etc/selinux/targeted/src/policy load
>>
>>and you should be able to use that port.
>>
>
>The information you gave me above does not work. I got all
>sorts of compile errors. BTW, the make should be "make -C".
>
>From Paul Howarth, I tried:
>=============================================
>If you want httpd to be able to listen on port 8090, and you have the
>policy sources installed, you can do this by adding the following line
>to /etc/selinux/targeted/src/policy/net_contexts:
>
>portcon tcp 8090 system_u:object_r:http_port_t
>
>Then you need to compile and reload the security contexts:
># make -C /etc/selinux/targeted/src/policy reload
>=============================================
>
>This all compiles fine now.
>
>Testing to see if httpd can now restart with the new policies:
>1) setsebool -P httpd_disable_trans 0
>2) Restart httpd for this to take effect: service httpd restart
>
>Httpd can restart with no failure messages. The httpd server
>now runs fine.
>
>HOWEVER - Testing FrontPage client against my FC4 box FAILS to
>connect and the reason revealed in /var/log/httpd/error_log:
>
>[Tue Nov 08 15:25:40 2005] [error] (13)Permission denied:
>Could not create key file
>"/usr/local/frontpage/version5.0/apache-fp/suidkey.17096" in
>FrontPageInit(). Until this problem is fixed, the FrontPage
>security patch is disabled and the FrontPage extensions may
>not work correctly.
>
>I suspect that there is a SElinux policy that is preventing the FP
>client program from creating and deleting the suidkey file it needs
>in order to startup and begin listening for FP Client requests. Please
>note that the process number is created and destroyed for the suidkey file
>and this is happening from within the httpd service file and has nothing
>to do with the FP client connection attempts. SELinux policy is preventing
>the service file from creating and destroying this file.
>
>So - in order to get back the successful FP client connections as before,
>performing these steps:
>
>1) setsebool -P httpd_disable_trans 1
>2) Restart httpd for this to take effect: service httpd restart
>
>The httpd/error_log error message does not appear and I can now
>connect to the FC4 with the FP client.
>
>Dan Thurman.
>
>--

Huh? Who resent this? This one was sent 11/7/2005...

I replied back to Daniel J Walsh with an attachment with the output of
the /var/log/audit/audit.log file that showed why *many* denials were
occurring with SElinux preventing the FrontPage process from working
within httpd. In case Daniel did not get it, I am attaching the file
again.

==============================================
Daniel J. Walsh:
================
>>What did you see for AVC messages in /var/log/messages or
>>/var/log/audit/audit.log?
>>
>
>Please see the attached file. It is the /var/log/audit/audit.log
>file and is 13k compressed. I tried best as I could to truncate to
>relevant logs pertaining to httpd/fp issues. Please let me know if
>you need anything else.
==============================================

Kind regards,
Dan
Attachment: selinix.fp.tar.gz
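As an added example (not part of the thread or of Fedora's tooling), the following script decodes the records Dan posted: it pairs the AVC `name_bind` denial with its SOCKADDR record, unpacks the raw `saddr` bytes to recover the bind address and port, and flags that the target type is the generic `port_t`, which is exactly why a `portcon` line assigning the port to `http_port_t` resolves it. The sample log lines are constructed from the quoted audit output, and the address-family numbers are assumed to be the Linux values (AF_INET=2, AF_INET6=10).

```python
import re
import socket
import struct

AUDIT_LINES = [  # constructed sample: the AVC and SOCKADDR records Dan quoted for event 1131056930.757:251
    'type=AVC msg=audit(1131056930.757:251): avc: denied { name_bind } for pid=4946 comm="httpd" '
    'src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket',
    'type=SOCKADDR msg=audit(1131056930.757:251): '
    'saddr=0A001F9A000000000000000000000000000000000000000000000000',
]
AF_INET, AF_INET6 = 2, 10   # assumed Linux values: the log comes from a Linux host wherever this script runs
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    # Split one audit record into key=value fields; an AVC record also gets its denied permission list.
    rec = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec['msg'] = rec['msg'].rstrip(':')          # "audit(1131056930.757:251):" -> event id without the colon
    denied = re.search(r'denied\s*\{\s*([^}]*)\}', line)
    if denied:
        rec['denied'] = denied.group(1).split()
    return rec

def decode_saddr(hexstr):
    # audit dumps the sockaddr as stored in memory: family in host order (little-endian x86), port in network order
    raw = bytes.fromhex(hexstr)
    family = struct.unpack('<H', raw[:2])[0]
    port = struct.unpack('!H', raw[2:4])[0]
    if family == AF_INET:                        # sockaddr_in: family, port, 4-byte address
        return {'port': port, 'addr': socket.inet_ntop(socket.AF_INET, raw[4:8])}
    if family == AF_INET6:                       # sockaddr_in6: family, port, 4-byte flowinfo, 16-byte address
        return {'port': port, 'addr': socket.inet_ntop(socket.AF_INET6, raw[8:24])}
    return {'port': port, 'addr': None}

def explain_bind_denials(lines):
    """Group records by event id and report each name_bind denial with the decoded bind address."""
    events, findings = {}, []
    for rec in map(parse_record, lines):
        events.setdefault(rec['msg'], []).append(rec)
    for event, recs in events.items():
        avc = next((r for r in recs if r['type'] == 'AVC' and 'name_bind' in r.get('denied', ())), None)
        sa = next((r for r in recs if r['type'] == 'SOCKADDR'), None)
        if avc is None:
            continue
        port_type = avc['tcontext'].split(':')[2]
        findings.append({'event': event, 'comm': avc['comm'], 'domain': avc['scontext'].split(':')[2],
                         'proto': avc['tclass'].replace('_socket', ''), 'port': int(avc['src']),
                         'bind_addr': decode_saddr(sa['saddr'])['addr'] if sa else None,
                         # port_t is the generic label: the port is unassigned, so labelling it is the fix
                         'port_type': port_type, 'unlabeled_port': port_type == 'port_t'})
    return findings
```

For Dan's records this reports httpd_t binding tcp/8090 on `::` (all IPv6 interfaces, matching the 28-byte `a2=1c` address length) against an unlabeled `port_t`, which is the case the `portcon tcp 8090 system_u:object_r:http_port_t` line above addresses.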