Re: Problems with httpd and SElinux.


Daniel B. Thurman wrote:
From: fedora-selinux-list-bounces@xxxxxxxxxx
[mailto:fedora-selinux-list-bounces@xxxxxxxxxx]On Behalf Of Daniel B.
Thurman
Sent: Tuesday, November 08, 2005 3:43 PM
To: Robert Cahn; Daniel J Walsh
Cc: fedora-list@xxxxxxxxxx; fedora-selinux-list@xxxxxxxxxx
Subject: RE: Problems with httpd and SElinux.


From: Daniel J Walsh [mailto:dwalsh@xxxxxxxxxx]
Sent: Monday, November 07, 2005 9:30 AM
To: Daniel B. Thurman
Cc: fedora-selinux-list@xxxxxxxxxx
Subject: Re: Problems with httpd and SElinux.


Daniel B. Thurman wrote:
Folks,

I was asked to post this information here.  To explain things,
I have installed FrontPage extensions on FC4 but not realizing
that I had to first disable SElinux for httpd first, but to make
a long story short, I was able to install FP and then restore
SElinux protections for httpd, but on reboot, SElinux refused
to allow httpd to start and I suspect it had something to do
with the FrontPage additions to the /etc/httpd/conf/httpd.conf
file.  I currently have SElinux protections turned off for
https. Below is the audit file, hope it helps show the problem.

type=AVC msg=audit(1131056930.757:251): avc: denied { name_bind } for pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218 a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1131056930.757:251): saddr=0A001F9A000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1131056930.757:251): nargs=3 a0=5 a1=8b8da84 a2=1c
Kind regards,
Dan

We do not currently allow apache to listen on port 8090,
but this looks legitimate, so I will add to policy.
You can install policy (selinux-policy-targeted-sources
for now and add a line to:
/etc/selinux/targeted/src/policy/domains/misc/local.te
portcon tcp 8090  system_u:object_r:http_port_t

Then execute make -c /etc/selinux/targeted/src/policy load

and you should be able to use that port.

The information you gave me above does not work. I got all
sorts of compile errors.  BTW, the make should be "make -C".

From Paul Howarth, I tried:
=============================================
If you want httpd to be able to listen on port 8090, and you have the
policy sources installed, you can do this by adding the following line
to /etc/selinux/targeted/src/policy/net_contexts:

portcon tcp 8090  system_u:object_r:http_port_t

Then you need to compile and reload the security contexts:
# make -C /etc/selinux/targeted/src/policy reload
=============================================

This all compiles fine now.

Testing to see if httpd can now restart with the new policies:
1) setsebool -P httpd_disable_trans 0
2) Restart httpd for this to take effect: service httpd restart

Httpd can restart with no failure messages.  The httpd server
now runs fine.

HOWEVER - Testing FrontPage client against my FC4 box FAILS to
connect and the reason revealed in /var/log/httpd/error_log:

[Tue Nov 08 15:25:40 2005] [error] (13)Permission denied: Could not create key file "/usr/local/frontpage/version5.0/apache-fp/suidkey.17096" in FrontPageInit(). Until this problem is fixed, the FrontPage security patch is disabled and the FrontPage extensions may not work correctly.

I suspect that there is a SElinux policy that is preventing the FP
client program from creating and deleting the suidkey file it needs
in order to startup and begin listening for FP Client requests. Please
note that the process number is created and destroyed for the suidkey
file and this is happening from within the httpd service file and has
nothing to do with the FP client connection attempts. SELinux policy is
preventing the service file from creating and destroying this file.

So - in order to get back the successful FP client connections as before,
performing these steps:

1) setsebool -P httpd_disable_trans 1
2) Restart httpd for this to take effect: service httpd restart

The httpd/error_log error message does not appear and I can now
connect to the FC4 box with the FP client.

Dan Thurman.

--

Huh?  Who resent this?  This one was sent 11/7/2005...

I replied back to Daniel J Walsh with an attachment with
the output of /var/log/audit/audit_log file that showed
the *many* denials that were occurring with SElinux preventing
the FrontPage process from working within httpd.

In case Daniel did not get it, I am attaching the file again.

==============================================
Daniel J. Walsh:
================
What did you see for AVC messages in /var/log/messages or /var/log/audit/audit.log?

Please see the attached file.  It is the /var/log/audit/audit.log
file and is 13k compressed. I tried best as I could to truncate it
to relevant logs pertaining to httpd/fp issues. Please let me know if
you need anything else.
==============================================

Kind regards,
Dan


Looks like apache is trying to write to apache-fp directory under /usr somewhere. This dir needs to be labeled httpd_sys_script_rw_t to work correctly. Also looks like apache tried to do a ps -e or such to get all the process on the system.



--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
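The four audit records Dan posted carry everything needed to classify the denial without guessing, and the script below walks through that as an added example for this page; it is not code from the thread, from Fedora or from the SELinux project. The AVC line names the permission (name_bind), the source domain (httpd_t) and the target type (port_t, an unlabelled port). The SYSCALL line says arch=40000003 (AUDIT_ARCH_I386) and syscall=102, which on i386 is the socketcall multiplexer; its a0=2 is SYS_BIND, and exit=-13 is -EACCES. The SOCKADDR line's saddr= is the raw sockaddr the process passed in: the first two bytes 0A00 are sa_family in host (little-endian) order, 10 = AF_INET6; the next two, 1F9A, are the port in network order, 0x1F9A = 8090; the rest is in6addr_any, and the 28-byte length matches a2=1c in the SOCKETCALL record. The script decodes those fields, cross-checks the port against src=8090, and maps the denial to the two fixes the thread arrived at: the portcon line (Paul Howarth's form) for the port, and Dan Walsh's httpd_sys_script_rw_t label for the apache-fp directory. Assumptions: the second AVC record is constructed here, since the real file denial was only sent as an attachment, and its usr_t target label is what a directory under /usr would normally carry; the domain-to-label maps contain only the two labels named in the thread; the modern `semanage port` line is added as the equivalent of the policy-source edit.

```python
"""Triage the SELinux AVC denial quoted in this thread.  Added example for this page,
not code from the thread, Fedora or the SELinux project.  THREAD_RECORDS is copied
from the thread; CONSTRUCTED_FILE_RECORD is made up here (the real one was attached)."""
import errno
import ipaddress
import re
from typing import Dict, List, Optional

THREAD_RECORDS = """\
type=AVC msg=audit(1131056930.757:251): avc: denied { name_bind } for pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218 a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1131056930.757:251): saddr=0A001F9A000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1131056930.757:251): nargs=3 a0=5 a1=8b8da84 a2=1c
"""
# Constructed sample (an assumption, not from the thread): httpd denied write on a
# usr_t-labelled directory, as the apache-fp directory under /usr would be.
CONSTRUCTED_FILE_RECORD = ('type=AVC msg=audit(1131490000.000:300): avc: denied { write } for '
                           'pid=17096 comm="httpd" name="apache-fp" scontext=root:system_r:httpd_t '
                           'tcontext=system_u:object_r:usr_t tclass=dir\n')

HEAD_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)")
PERMS_RE = re.compile(r"\{ ([^}]*) \}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AUDIT_ARCH_I386, I386_NR_SOCKETCALL = 0x40000003, 102  # EM_386|__AUDIT_ARCH_LE; socketcall(2)
SOCKETCALL_SUBCALLS = {1: "SYS_SOCKET", 2: "SYS_BIND", 3: "SYS_CONNECT", 4: "SYS_LISTEN"}
AF_INET, AF_INET6 = 2, 10                               # Linux values; saddr is raw kernel bytes
WRITE_PERMS = {"write", "create", "unlink", "add_name", "remove_name", "setattr"}
PORT_TYPE_FOR_DOMAIN = {"httpd_t": "http_port_t"}       # the two labels Dan Walsh names above
RW_TYPE_FOR_DOMAIN = {"httpd_t": "httpd_sys_script_rw_t"}

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into its key=value fields (plus the { perms } set)."""
    m = HEAD_RE.match(line.strip())
    if not m:
        return {}
    rec = {"type": m.group(1), "time": m.group(2), "serial": m.group(3)}
    perms = PERMS_RE.search(m.group(4))
    if perms:
        rec["perms"] = perms.group(1).strip()
    for key, val in FIELD_RE.findall(m.group(4)):
        rec[key] = val.strip('"')
    return rec

def decode_saddr(hexstr: str) -> Dict[str, object]:
    """Decode SOCKADDR saddr=: sa_family in host order, port in network order."""
    raw = bytes.fromhex(hexstr)
    family = int.from_bytes(raw[0:2], "little")          # host order on i386
    port = int.from_bytes(raw[2:4], "big")
    if family == AF_INET:
        return {"family": "AF_INET", "port": port, "addr": str(ipaddress.IPv4Address(raw[4:8]))}
    if family == AF_INET6:
        return {"family": "AF_INET6", "port": port, "addr": str(ipaddress.IPv6Address(raw[8:24]))}
    return {"family": str(family)}

def explain_syscall(rec: Dict[str, str]) -> Dict[str, str]:
    """Name the syscall (i386 socketcall subcall aware) and the errno it failed with."""
    name = "syscall " + rec["syscall"]
    if int(rec["arch"], 16) == AUDIT_ARCH_I386 and int(rec["syscall"]) == I386_NR_SOCKETCALL:
        sub = int(rec["a0"], 16)                         # a0 of socketcall is the subcall
        name = "socketcall/" + SOCKETCALL_SUBCALLS.get(sub, str(sub))
    ret = int(rec["exit"])
    return {"syscall": name, "errno": errno.errorcode.get(-ret, str(ret)) if ret < 0 else "ok"}

def suggest_fix(avc: Dict[str, str], port: Optional[int] = None) -> List[str]:
    """Map a denial to the relabel the thread ended up needing, when it is a known one."""
    domain, ttype = avc["scontext"].split(":")[2], avc["tcontext"].split(":")[2]
    perms = set(avc.get("perms", "").split())
    if avc["tclass"] in ("tcp_socket", "udp_socket") and "name_bind" in perms and ttype == "port_t":
        proto, port = avc["tclass"].split("_")[0], port or int(avc["src"])
        ptype = PORT_TYPE_FOR_DOMAIN.get(domain)
        if ptype:
            return [f"portcon {proto} {port} system_u:object_r:{ptype}",  # policy-source form
                    f"semanage port -a -t {ptype} -p {proto} {port}"]      # modern form
    if avc["tclass"] in ("dir", "file") and perms & WRITE_PERMS and domain in RW_TYPE_FOR_DOMAIN:
        return [f"chcon -R -t {RW_TYPE_FOR_DOMAIN[domain]} <path of {avc.get('name', '?')}>"]
    return ["audit2allow -a   # no known label; review the generated rule before loading it"]

def triage(text: str) -> List[Dict[str, object]]:
    """Group records by event serial and summarise each AVC denial with a proposed fix."""
    events: Dict[str, Dict[str, Dict[str, str]]] = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], {})[rec["type"]] = rec
    out: List[Dict[str, object]] = []
    for serial, by_type in events.items():
        if "AVC" not in by_type:
            continue
        avc = by_type["AVC"]
        summary: Dict[str, object] = {"serial": serial, "comm": avc.get("comm"),
                                      "perms": avc.get("perms"), "tclass": avc["tclass"]}
        if "SYSCALL" in by_type:
            summary.update(explain_syscall(by_type["SYSCALL"]))
        sock = decode_saddr(by_type["SOCKADDR"]["saddr"]) if "SOCKADDR" in by_type else {}
        summary["bind_port"] = sock.get("port")
        summary["fix"] = suggest_fix(avc, sock.get("port"))
        out.append(summary)
    return out
```

Running `triage(THREAD_RECORDS + CONSTRUCTED_FILE_RECORD)` yields, for event 251, syscall socketcall/SYS_BIND, errno EACCES, bind port 8090 and the two port-labelling commands; for the constructed directory denial it yields the chcon line. Two caveats a practitioner would add to the thread's outcome: the error_log message already gives the directory to relabel, /usr/local/frontpage/version5.0/apache-fp, and a chcon there survives only until the next relabel, so on a current system the durable form is `semanage fcontext -a -t httpd_sys_script_rw_t '/usr/local/frontpage/version5.0/apache-fp(/.*)?'` followed by `restorecon -R` on that path; and `setsebool -P httpd_disable_trans 1`, the state the thread ends in, runs Apache with no SELinux confinement at all, so it is a workaround to measure against the one-line relabel, not a fix.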