Problems with httpd and SElinux.

Daniel B. Thurman dant at cdkkt.com
Tue Nov 15 00:52:45 UTC 2005


>From: fedora-selinux-list-bounces at redhat.com
>[mailto:fedora-selinux-list-bounces at redhat.com]On Behalf Of Daniel B.
>Thurman
>Sent: Tuesday, November 08, 2005 3:43 PM
>To: Robert Cahn; Daniel J Walsh
>Cc: fedora-list at redhat.com; fedora-selinux-list at redhat.com
>Subject: RE: Problems with httpd and SElinux.
>
>
>>From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>>Sent: Monday, November 07, 2005 9:30 AM
>>To: Daniel B. Thurman
>>Cc: fedora-selinux-list at redhat.com
>>Subject: Re: Problems with httpd and SElinux.
>>
>>
>>Daniel B. Thurman wrote:
>>> Folks,
>>>
>>> I was asked to post this information here.  To explain things,
>>> I have installed FrontPage extensions on FC4 without realizing
>>> that I first had to disable SElinux for httpd, but to make
>>> a long story short, I was able to install FP and then restore
>>> SElinux protections for httpd, but on reboot, SElinux refused
>>> to allow httpd to start and I suspect it had something to do
>>> with the FrontPage additions to the /etc/httpd/conf/httpd.conf
>>> file.  I currently have SElinux protections turned off for
>>> https. Below is the audit file, hope it helps show the problem.
>>>
>>> type=AVC msg=audit(1131056930.757:251): avc:  denied  { name_bind } for  pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
>>> type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218 a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
>>> type=SOCKADDR msg=audit(1131056930.757:251): saddr=0A001F9A000000000000000000000000000000000000000000000000
>>> type=SOCKETCALL msg=audit(1131056930.757:251): nargs=3 a0=5 a1=8b8da84 a2=1c
>>>
>>> Kind regards,
>>> Dan
>>>
>>>   
>>We do not currently allow apache to listen on port 8090,
>>but this looks legitimate, so I will add to policy.
>>You can install policy (selinux-policy-targeted-sources
>>for now and add a line to:
>>/etc/selinux/targeted/src/policy/domains/misc/local.te
>>portcon tcp 8090  system_u:object_r:http_port_t
>>
>>Then execute make -c /etc/selinux/targeted/src/policy load
>>
>>and you should be able to use that port.
>>
>
>The information you gave me above does not work. I got all
>sorts of compile errors.  BTW, the make should be "make -C".
>
>From Paul Howarth, I tried:
>=============================================
>If you want httpd to be able to listen on port 8090, and you have the
>policy sources installed, you can do this by adding the following line
>to /etc/selinux/targeted/src/policy/net_contexts:
>
>portcon tcp 8090  system_u:object_r:http_port_t
>
>Then you need to compile and reload the security contexts:
># make -C /etc/selinux/targeted/src/policy reload
>=============================================
>
>This all compiles fine now.
>
>Testing to see if httpd can now restart with the new policies:
>1) setsebool -P httpd_disable_trans 0
>2) Restart httpd for this to take effect: service httpd restart
>
>Httpd can restart with no failure messages.  The httpd server
>now runs fine.
>
>HOWEVER - Testing FrontPage client against my FC4 box FAILS to
>connect and the reason revealed in /var/log/httpd/error_log:
>
>[Tue Nov 08 15:25:40 2005] [error] (13)Permission denied: 
>Could not create key file 
>"/usr/local/frontpage/version5.0/apache-fp/suidkey.17096" in 
>FrontPageInit().  Until this problem is fixed, the FrontPage 
>security patch is disabled and the FrontPage extensions may 
>not work correctly.
>
>I suspect that there is a SElinux policy that is preventing the FP
>client program from creating and deleting the suidkey file it needs
>in order to startup and begin listening for FP Client requests. Please
>note that the process number is created and destroyed for the suidkey
>file and this is happening from within the httpd service file and has
>nothing to do with the FP client connection attempts.  SELinux policy
>is preventing the service file from creating and destroying this file.
>
>So - in order to get back the successful FP client connections as
>before, performing these steps:
>
>1) setsebool -P httpd_disable_trans 1
>2) Restart httpd for this to take effect: service httpd restart
>
>The httpd/error_log error message does not appear and I can now
>connect to the FC4 with the FP client.
>
>Dan Thurman.
>
>-- 

Huh?  Who resent this?  This one was sent 11/7/2005...

I replied back to Daniel J Walsh with an attachment with
the output of /var/log/audit/audit_log file that showed
why *many* denials were occurring, with SElinux preventing
the FrontPage process from working within httpd.

In case Daniel did not get it, I am attaching the file again.

==============================================
Daniel J. Walsh:
================
>>What did you see for AVC messages in /var/log/messages or 
>>/var/log/audit/audit.log?
>>
>
>Please see the attached file.  It is the /var/log/audit/audit.log
>file and is 13k compressed. I tried as best I could to truncate to
>relevant logs pertaining to httpd/fp issues. Please let me know if
>you need anything else.
==============================================

Kind regards,
Dan
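Added example (not from this thread, nor from Fedora's or FrontPage's tooling): a small Python triage script that regroups the audit records quoted above by their serial number, decodes the SOCKADDR record to cross-check the port the AVC reports in src=8090, and emits the portcon line that Paul Howarth's recipe adds to net_contexts. The sample records are the thread's own, rejoined onto single lines; the httpd_t to http_port_t mapping is an assumption taken from the thread and would need extending for other domains.

```python
import re
from collections import defaultdict
# Constructed sample: the four audit records quoted in the thread, rejoined
# onto one line each (the mail client had wrapped them).
SAMPLE_LOG = """\
type=AVC msg=audit(1131056930.757:251): avc:  denied  { name_bind } for  pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218 a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKADDR msg=audit(1131056930.757:251): saddr=0A001F9A000000000000000000000000000000000000000000000000
type=SOCKETCALL msg=audit(1131056930.757:251): nargs=3 a0=5 a1=8b8da84 a2=1c
"""
RECORD_RE = re.compile(r'type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Assumed domain -> port type mapping; the thread only establishes this one pair.
PORT_TYPE_FOR_DOMAIN = {"httpd_t": "http_port_t"}

def parse_audit(text):
    """Group records by audit serial: {serial: {record type: fields}}."""
    events = defaultdict(dict)
    for m in filter(None, map(RECORD_RE.match, text.splitlines())):
        rtype, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        perms = re.search(r'denied\s+\{([^}]*)\}', rest)  # AVC records only
        if perms:
            fields["perms"] = perms.group(1).split()
        events[serial][rtype] = fields
    return events

def decode_saddr(hexstr):
    """(family, port) from a raw sockaddr; sa_family is host byte order (little-endian
    on the thread's i386 box, arch=40000003), the port is network byte order."""
    raw = bytes.fromhex(hexstr[:8])  # family and port live in the first 4 bytes
    return int.from_bytes(raw[:2], "little"), int.from_bytes(raw[2:4], "big")

def port_denials(text):
    """(comm, domain, proto, port) per name_bind denial; the AVC 'src' port is
    cross-checked against the SOCKADDR record filed under the same serial."""
    out = []
    for recs in parse_audit(text).values():
        avc = recs.get("AVC")
        if not avc or "name_bind" not in avc.get("perms", []):
            continue
        port = int(avc["src"])
        if "SOCKADDR" in recs and decode_saddr(recs["SOCKADDR"]["saddr"])[1] != port:
            raise ValueError(f"AVC src={port} disagrees with the SOCKADDR record")
        proto = "tcp" if avc["tclass"] == "tcp_socket" else "udp"
        out.append((avc["comm"], avc["scontext"].split(":")[2], proto, port))
    return out

def suggest_portcon(text):
    """The net_contexts line used in the thread, for each denial we can map."""
    return [f"portcon {proto} {port}  system_u:object_r:{PORT_TYPE_FOR_DOMAIN[dom]}"
            for _c, dom, proto, port in port_denials(text) if dom in PORT_TYPE_FOR_DOMAIN]
```

The SOCKADDR bytes 0A00 decode to family 10 (AF_INET6) and 1F9A to port 8090, which is why the script raises if that port ever disagrees with the AVC's src field.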


-------------- next part --------------
A non-text attachment was scrubbed...
Name: selinix.fp.tar.gz
Type: application/x-gzip
Size: 12286 bytes
Desc: selinix.fp.tar.gz
URL: <http://listman.redhat.com/archives/fedora-selinux-list/attachments/20051114/40762b01/attachment.bin>