Colly Murray wrote:
> Hi there,
>
> I'm having some problems with apache and selinux.
>
> Yesterday in /var/log/httpd/error_log I had:
>
> [Thu Jul 17 16:34:26 2008] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
> [Thu Jul 17 16:34:26 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Jul 17 16:34:26 2008] [notice] Digest: generating secret for digest authentication ...
> [Thu Jul 17 16:34:26 2008] [notice] Digest: done
> [Thu Jul 17 16:34:26 2008] [warn] pid file /var/www/ditsite/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
> [Thu Jul 17 16:34:26 2008] [notice] Apache configured -- resuming normal operations
>

I don't see any errors here?

> It happened a couple of times on a production site, so I decided to try disabling protection for httpd Daemon:
>

SELinux was not preventing you from doing anything, I believe. You restarted the service using service apache restart, which would change apache from running as system_u:system_r:httpd_t to user_u:system_r:httpd_t (user_u is the user who restarted apache). Apache must be watching this and reporting this as a warning. But it would not prevent apache from doing anything.

> # setsebool -P httpd_disable_trans 1
> # service httpd restart
>
> Message in /var/log/messages
>
> Jul 18 13:37:46 localhost dbus: avc: received policyload notice (seqno=3)
> Jul 18 13:37:47 localhost setsebool: The httpd_disable_trans policy boolean was changed to 1 by root
> Jul 18 13:37:48 localhost setroubleshoot: SELinux is preventing setsebool (semanage_t) "sys_admin" to <Unknown> (semanage_t). For complete SELinux messages. run sealert -l dbc64b3f-71be-48c7-aa07-03264440576c
>
> Sealert says the following:
>
> Summary:
>
> SELinux is preventing httpd (httpd_t) "sys_admin" to <Unknown> (httpd_t).
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
>
> SELinux denied access requested by httpd. It is not expected that this access is required by httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context                root:system_r:httpd_t
> Target Context                root:system_r:httpd_t
> Target Objects                None [ capability ]
> Source                        httpd
> Source Path                   /usr/sbin/httpd
> Port                          <Unknown>
> Host                          OSTRAIS
> Source RPM Packages           httpd-2.2.3-11.el5_1.3
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-137.1.el5_2
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   catchall
> Host Name                     OSTRAIS
> Platform                      Linux OSTRAIS 2.6.18-92.1.1.el5 #1 SMP Thu May 22 09:01:47 EDT 2008 x86_64 x86_64
> Alert Count                   10
> First Seen                    Thu Jul 17 17:20:02 2008
> Last Seen                     Fri Jul 18 13:33:30 2008
> Local ID                      b22d5d55-1982-4c69-820e-7df4dbd33842
> Line Numbers
>
> Raw Audit Messages
>
> host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc: denied { sys_admin } for pid=24960 comm="httpd" capability=21 scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability
>
> 1.) Why is selinux preventing me from changing this value?
SELinux did not prevent you from changing the value. It seems apache is still running as httpd_t though. Not sure why.

> 2.) Am I taking the correct approach?

No. Why did you disable SELinux protection on apache when it was not failing? If it is failing, what is it trying to do?

> httpd-2.2.3-11.el5_1.3/
> Linux 2.6.18-92.1.1.el5 x86_64 GNU/Linux
> Red Hat Enterprise Linux Server release 5.2 (Tikanga)
>
> Thanks
>
> Colly
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
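The reply's advice boils down to two checks before touching any boolean: read the context Apache reports at startup (type and SELinux user separately) and read the raw AVC record to see what was actually denied. The script below is an added example, not code from the thread or from setroubleshoot/sealert. It parses both line formats, decodes the numeric capability in the AVC record using the capability numbers from the Linux kernel's capability.h, and reports the findings. The sample log lines are constructed here from the values shown in the thread; the assumption that the SELinux user part is what a restart from a login shell changes, while the type is what the targeted policy enforces, follows the reply above.

```python
"""Triage for the two log lines discussed in the thread: Apache's SELinux
context notice and a raw AVC record. Added example, not the original
poster's or the setroubleshoot project's code."""
import re
from datetime import datetime, timezone

# Capability numbers as defined in the Linux kernel's capability.h; the AVC
# record carries only the number (capability=21), sealert shows the name.
CAPABILITY_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP",
}

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*"
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r"\s+for\s+(?P<rest>.*)$")
NOTICE_RE = re.compile(
    r"SELinux policy enabled; httpd running as context (?P<ctx>\S+)")

# Constructed sample lines, copied from the values shown in the thread.
SAMPLE_NOTICE = ("[Thu Jul 17 16:34:26 2008] [notice] SELinux policy enabled; "
                 "httpd running as context user_u:system_r:httpd_t")
SAMPLE_AVC = ("host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc: denied "
              "{ sys_admin } for pid=24960 comm=\"httpd\" capability=21 "
              "scontext=root:system_r:httpd_t:s0 "
              "tcontext=root:system_r:httpd_t:s0 tclass=capability")
SAMPLE_SYSLOG = ("Jul 18 13:37:47 localhost setsebool: The httpd_disable_trans "
                 "policy boolean was changed to 1 by root")


def parse_context(ctx):
    """Split user:role:type[:level] into its parts (level is optional)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an SELinux context: %r" % ctx)
    return {"user": parts[0], "role": parts[1], "type": parts[2],
            "level": parts[3] if len(parts) == 4 else None}


def httpd_context(line):
    """Context from Apache's startup notice, or None for any other line."""
    m = NOTICE_RE.search(line)
    return parse_context(m.group("ctx")) if m else None


def parse_avc(line):
    """Parse one raw AVC record into a dict, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    kv = {k: v.strip('"') for k, v in
          re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("rest"))}
    rec = {
        "time": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "pid": int(kv["pid"]) if "pid" in kv else None,
        "comm": kv.get("comm"),
        "tclass": kv.get("tclass"),
        "scontext": parse_context(kv["scontext"]),
        "tcontext": parse_context(kv["tcontext"]),
        "capability": None,
    }
    if rec["tclass"] == "capability" and "capability" in kv:
        n = int(kv["capability"])
        rec["capability"] = CAPABILITY_NAMES.get(n, "CAP_%d" % n)
    return rec


def triage(lines):
    """Findings to read before changing any boolean: is httpd confined,
    who started it, and what exactly was denied."""
    findings = []
    for line in lines:
        ctx = httpd_context(line)
        if ctx:
            if ctx["type"] != "httpd_t":
                findings.append("httpd is not confined: running as %s" % ctx["type"])
            elif ctx["user"] != "system_u":
                # Assumption from the reply: a restart from a login shell changes
                # the SELinux user; the type, which targeted policy enforces, does not.
                findings.append("httpd_t started under SELinux user %s, not system_u; "
                                "a warning, not a denial" % ctx["user"])
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied":
            findings.append("%s (pid %s, %s) was denied %s on class %s at %s UTC" % (
                rec["comm"], rec["pid"], rec["scontext"]["type"],
                rec["capability"] or " ".join(rec["perms"]), rec["tclass"],
                rec["time"].strftime("%Y-%m-%d %H:%M:%S")))
    return findings


if __name__ == "__main__":
    for finding in triage([SAMPLE_NOTICE, SAMPLE_SYSLOG, SAMPLE_AVC]):
        print(finding)
```

On the thread's own lines this reports the user_u start as a warning and the denial as httpd_t asking for CAP_SYS_ADMIN; the audit timestamp 1216384410.773 decodes to 12:33:30 UTC, the same instant sealert lists as "Last Seen Fri Jul 18 13:33:30 2008" in the host's local time. The setsebool syslog line produces no finding, which matches the reply's point that changing the boolean was not what SELinux objected to.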