Selinux & Apache
Daniel J Walsh
dwalsh at redhat.com
Fri Jul 18 15:01:54 UTC 2008
Colly Murray wrote:
> Hi there,
>
> I'm having some problems with apache and selinux.
>
> Yesterday in /var/log/httpd/error_log I had:
>
> [Thu Jul 17 16:34:26 2008] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
> [Thu Jul 17 16:34:26 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Jul 17 16:34:26 2008] [notice] Digest: generating secret for digest authentication ...
> [Thu Jul 17 16:34:26 2008] [notice] Digest: done
> [Thu Jul 17 16:34:26 2008] [warn] pid file /var/www/ditsite/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
> [Thu Jul 17 16:34:26 2008] [notice] Apache configured -- resuming normal operations
>
I don't see any errors here?
>
> It happened a couple of times on a production site, so I decided to try
> disabling protection for the httpd daemon:
>
SELinux was not preventing you from doing anything, I believe. You
restarted the service using service apache restart, which would change
apache from running as system_u:system_r:httpd_t to
user_u:system_r:httpd_t (user_u is the user who restarted apache).
Apache must be watching this and reporting it as a warning, but it
would not prevent apache from doing anything.
>
> # setsebool -P httpd_disable_trans 1
> # service httpd restart
>
> Message in /var/log/messages
>
> Jul 18 13:37:46 localhost dbus: avc: received policyload notice (seqno=3)
> Jul 18 13:37:47 localhost setsebool: The httpd_disable_trans policy boolean was changed to 1 by root
> Jul 18 13:37:48 localhost setroubleshoot: SELinux is preventing setsebool (semanage_t) "sys_admin" to <Unknown> (semanage_t). For complete SELinux messages. run sealert -l dbc64b3f-71be-48c7-aa07-03264440576c
>
> Sealert says the following:
>
> Summary:
>
> SELinux is preventing httpd (httpd_t) "sys_admin" to <Unknown> (httpd_t).
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but was
> permitted due to permissive mode.]
>
> SELinux denied access requested by httpd. It is not expected that this
> access is required by httpd and this access may signal an intrusion attempt.
> It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context                root:system_r:httpd_t
> Target Context                root:system_r:httpd_t
> Target Objects                None [ capability ]
> Source                        httpd
> Source Path                   /usr/sbin/httpd
> Port                          <Unknown>
> Host                          OSTRAIS
> Source RPM Packages           httpd-2.2.3-11.el5_1.3
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-137.1.el5_2
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   catchall
> Host Name                     OSTRAIS
> Platform                      Linux OSTRAIS 2.6.18-92.1.1.el5 #1 SMP Thu May 22 09:01:47 EDT 2008 x86_64 x86_64
> Alert Count                   10
> First Seen                    Thu Jul 17 17:20:02 2008
> Last Seen                     Fri Jul 18 13:33:30 2008
> Local ID                      b22d5d55-1982-4c69-820e-7df4dbd33842
> Line Numbers
>
> Raw Audit Messages
>
> host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc: denied { sys_admin } for pid=24960 comm="httpd" capability=21 scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability
>
> 1.) Why is selinux preventing me from changing this value?
>
SELinux did not prevent you from changing the value. It seems apache is
still running as httpd_t though. Not sure why.
> 2.) Am I taking the correct approach?
No. Why did you disable SELinux protection on apache when it was not
failing? If it is failing, what is it trying to do?
>
> httpd-2.2.3-11.el5_1.3/
> Linux 2.6.18-92.1.1.el5 x86_64 GNU/Linux
> Red Hat Enterprise Linux Server release 5.2 (Tikanga)
>
> Thanks
>
> Colly
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
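An added example, not part of the thread or of any Red Hat tool, for reading raw AVC records like the one quoted above: it parses the audit line, names the capability number (21 is CAP_SYS_ADMIN), and flags a source context whose SELinux user is not system_u, which is the restarted-from-a-login-session situation Dan describes. The sample line is constructed from the message quoted in the thread; the capability table is a subset of the Linux capability numbers.

```python
import re

# Constructed sample, copied from the raw audit message quoted in the thread.
SAMPLE_AVC = ('host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc: denied '
              '{ sys_admin } for pid=24960 comm="httpd" capability=21 '
              'scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability')

# Subset of Linux capability numbers (include/linux/capability.h) for the capability=N field.
CAPABILITY_NAMES = {1: "CAP_DAC_OVERRIDE", 7: "CAP_SETUID", 10: "CAP_NET_BIND_SERVICE",
                    12: "CAP_NET_ADMIN", 21: "CAP_SYS_ADMIN", 24: "CAP_SYS_RESOURCE"}

AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +'
    r'(?P<result>denied|granted) +\{ (?P<perms>[^}]*)\} for (?P<rest>.*)'
)

def parse_avc(line):
    """Return the AVC fields as a dict, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"timestamp": float(m["ts"]), "serial": int(m["serial"]),
           "result": m["result"], "perms": m["perms"].split()}
    # The remainder is key=value pairs; string values are double-quoted.
    for key, value in re.findall(r'(\w+)=("[^"]*"|\S+)', m["rest"]):
        rec[key] = value.strip('"')
    return rec

def split_context(ctx):
    """Split seuser:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.split(":", 3)
    return parts + [None] * (4 - len(parts))

def triage(line):
    """Turn one AVC record into the notes a defender would want from sealert."""
    rec = parse_avc(line)
    if rec is None:
        return None
    seuser, _role, stype, _level = split_context(rec["scontext"])
    notes = []
    if rec.get("tclass") == "capability":
        cap = CAPABILITY_NAMES.get(int(rec.get("capability", -1)), "unknown capability")
        notes.append("%s (%s) requested %s" % (rec.get("comm"), stype, cap))
    if seuser != "system_u":   # a service started at boot runs as system_u
        notes.append("domain %s carries SELinux user %s: the service was probably "
                     "restarted from a login session" % (stype, seuser))
    if rec.get("permissive") == "1":   # newer kernels add this field; 2.6.18 does not
        notes.append("permissive mode: the access was allowed despite the denial")
    return rec, notes
```

Running triage(SAMPLE_AVC) reports CAP_SYS_ADMIN for httpd_t and the root SELinux user, matching the sealert summary and Dan's explanation of the context change.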