--- On Fri, 4/2/10, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:

> From: Daniel J Walsh <dwalsh@xxxxxxxxxx>
> Subject: Re: httpd mod_auth_pam winbind
> To: "Vadym Chepkov" <chepkov@xxxxxxxxx>
> Cc: selinux@xxxxxxxxxxxxxxxxxxxxxxx
> Date: Friday, April 2, 2010, 11:33 AM
>
> On 04/02/2010 12:38 AM, Vadym Chepkov wrote:
> > Hi,
> >
> > I have selinux-policy-targeted-2.4.6-255.el5_4.4
> >
> > allow_httpd_mod_auth_pam --> on
> > httpd_can_network_connect --> on
> >
> > httpd with mod_auth_pam via winbind
> >
> > get the following avc when in "permissive" mode
> >
> >
> > type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 a0=10 a1=3 a2=9 a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> > type=AVC msg=audit(1270181973.950:37): avc: denied { create } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> >
> > type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 a0=13 a1=7fff640fa9c0 a2=7c a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> > type=AVC msg=audit(1270181973.950:38): avc: denied { nlmsg_relay } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> > type=AVC msg=audit(1270181973.950:38): avc: denied { write } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> >
> > type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 a0=13 a1=7fff640f8690 a2=231c a3=42 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
> > type=AVC msg=audit(1270181973.950:39): avc: denied { read } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
> >
> > audit2allow suggests simple:
> > allow httpd_t self:netlink_audit_socket { nlmsg_relay write create read };
> >
> > Is something missing in the policy, or did I miss some other boolean?
> >
> >
> No, this could be considered a bug. Basically pam is trying to send an
> audit message to the audit.log.
>
> You can add this access, it would allow the apache process to attempt
> to send audit messages. Since the httpd is running as non root, it
> might not have the capabilities necessary to send them.
>
> Open a bug report on this, since we probably should dontaudit these
> calls if the boolean to allow pam is turned on.

dontaudit wouldn't work, apache denies access in enforcing mode.

Bug 579105 Submitted

Thank you,

Sincerely yours,
Vadym Chepkov

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
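The rule audit2allow proposed in the thread is derived mechanically from the four AVC records: group denials by source type, target type and object class, merge the permission sets, and write the target as `self` when it equals the source. The script below is an added example, not code from the thread, from audit2allow or from the SELinux reference policy; it re-implements that grouping over the AVC lines quoted above so the derivation is visible, and it also renders the same denials as a `dontaudit` rule to make the allow/dontaudit distinction concrete (a dontaudit rule only suppresses logging of a denial, which is why it cannot make the PAM audit call succeed in enforcing mode). All function names are this example's own; permissions are emitted in log order, so the rendered set may be ordered differently from audit2allow's output.

```python
"""Derive SELinux allow/dontaudit rules from raw AVC denial records.

Added example (not from the thread or from audit2allow): a minimal
re-implementation of the grouping audit2allow performs, run over the
AVC records quoted in the thread.
"""
import re
from collections import OrderedDict

# Extract the parts of a type=AVC record that matter for policy: the
# decision, the permission set, source/target contexts and the class.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<decision>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)

# Audit records as quoted in the thread (one SYSCALL line kept to show
# that non-AVC records are ignored by the parser).
AVC_LOG = [
    'type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 '
    'comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1270181973.950:37): avc: denied { create } for pid=2039 comm="httpd" '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1270181973.950:38): avc: denied { nlmsg_relay } for pid=2039 comm="httpd" '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1270181973.950:38): avc: denied { write } for pid=2039 comm="httpd" '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket',
    'type=AVC msg=audit(1270181973.950:39): avc: denied { read } for pid=2039 comm="httpd" '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket',
]


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return None for SYSCALL and other non-AVC records."""
    m = AVC_RE.search(line)
    if not m or m.group('decision') != 'denied':
        return None
    return {
        'perms': m.group('perms').split(),
        'stype': type_of(m.group('scontext')),
        'ttype': type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def collect_rules(lines):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = OrderedDict()
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc['stype'], avc['ttype'], avc['tclass'])
        perms = rules.setdefault(key, [])
        for p in avc['perms']:
            if p not in perms:
                perms.append(p)
    return rules


def format_rule(key, perms, kind='allow'):
    """Render one rule; a target equal to the source is written as 'self'.

    kind='allow' grants the permissions; kind='dontaudit' only stops the
    denial from being logged, so the access still fails in enforcing mode.
    """
    stype, ttype, tclass = key
    target = 'self' if ttype == stype else ttype
    return '%s %s %s:%s { %s };' % (kind, stype, target, tclass, ' '.join(perms))


def rules_from_log(lines, kind='allow'):
    """Return the list of rendered rules for every denial group in the log."""
    return [format_rule(k, p, kind) for k, p in collect_rules(lines).items()]


if __name__ == '__main__':
    for rule in rules_from_log(AVC_LOG) + rules_from_log(AVC_LOG, kind='dontaudit'):
        print(rule)
```

Running the script prints the allow rule that matches the one audit2allow produced in the thread (same type, class and permissions, log order) followed by its dontaudit counterpart. The parser deliberately keys on the type component only, as audit2allow does; the `user_u:system_r` and `s0` parts of the context do not appear in type-enforcement rules.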