Problems with httpd and SElinux.

Daniel J Walsh dwalsh at redhat.com
Thu Nov 10 20:18:39 UTC 2005


Daniel B. Thurman wrote:
>> From: Daniel J Walsh [mailto:dwalsh at redhat.com]
>> Sent: Monday, November 07, 2005 9:30 AM
>> To: Daniel B. Thurman
>> Cc: fedora-selinux-list at redhat.com
>> Subject: Re: Problems with httpd and SElinux.
>>
>>
>> Daniel B. Thurman wrote:
>>> Folks,
>>>
>>> I was asked to post this information here.  To explain things,
>>> I have installed FrontPage extensions on FC4 but not realizing
>>> that I had to first disable SElinux for httpd first, but to make
>>> a long story short, I was able to install FP and then restore
>>> SElinux protections for httpd, but on reboot, SElinux refused
>>> to allow httpd to start and I suspect it had something to do
>>> with the FrontPage additions to the /etc/httpd/conf/httpd.conf
>>> file.  I currently have SElinux protections turned off for
>>> https. Below is the audit file, hope it helps show the problem.
>>>
>>> type=AVC msg=audit(1131056930.757:251): avc:  denied  { name_bind } for  pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
>>> type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218 a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
>>> type=SOCKADDR msg=audit(1131056930.757:251): saddr=0A001F9A000000000000000000000000000000000000000000000000
>>> type=SOCKETCALL msg=audit(1131056930.757:251): nargs=3 a0=5 a1=8b8da84 a2=1c
>>>
>>> Kind regards,
>>> Dan
>>>
>> We do not currently allow apache to listen on port 8090,
>> but this looks legitimate, so I will add to policy.
>> You can install policy (selinux-policy-targeted-sources)
>> for now and add a line to:
>> /etc/selinux/targeted/src/policy/domains/misc/local.te
>> portcon tcp 8090  system_u:object_r:http_port_t
>>
>> Then execute make -c /etc/selinux/targeted/src/policy load
>>
>> and you should be able to use that port.
>>
>
> The information you gave me above does not work. I got all
> sorts of compile errors.  BTW, the make should be "make -C".
>
> From Paul Howarth, I tried:
> =============================================
> If you want httpd to be able to listen on port 8090, and you have the
> policy sources installed, you can do this by adding the following line
> to /etc/selinux/targeted/src/policy/net_contexts:
>
> portcon tcp 8090  system_u:object_r:http_port_t
>
> Then you need to compile and reload the security contexts:
> # make -C /etc/selinux/targeted/src/policy reload
> =============================================
>
> This all compiles fine now.
>
> Testing to see if httpd can now restart with the new policies:
> 1) setsebool -P httpd_disable_trans 0
> 2) Restart httpd for this to take effect: service httpd restart
>
> Httpd can restart with no failure messages.  The httpd server
> now runs fine.
>
> HOWEVER - Testing FrontPage client against my FC4 box FAILS to
> connect and the reason revealed in /var/log/httpd/error_log:
>
> [Tue Nov 08 15:25:40 2005] [error] (13)Permission denied: Could not create key file "/usr/local/frontpage/version5.0/apache-fp/suidkey.17096" in FrontPageInit().  Until this problem is fixed, the FrontPage security patch is disabled and the FrontPage extensions may not work correctly.
>
> I suspect that there is a SElinux policy that is preventing the FP
> client program from creating and deleting the suidkey file it needs
> in order to startup and begin listening for FP Client requests. Please
> note that the process number is created and destroyed for the suidkey file
> and this is happening from within the httpd service file and has nothing
> to do with the FP client connection attempts.  SELinux policy is preventing
> the service file from creating and destroying this file.
>
> So - in order to get back the successful FP client connections as before,
> performing these steps:
>
> 1) setsebool -P httpd_disable_trans 1
> 2) Restart httpd for this to take effect: service httpd restart
>
> The httpd/error_log error message does not appear and I can now
> connect to the FC4 with the FP client.
>
> Dan Thurman.
>
What did you see for AVC messages in /var/log/messages or 
/var/log/audit/audit.log?
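An added example, not code from the thread: it parses AVC records of the kind quoted above (as auditd writes them, one record per line) and, for an httpd_t name_bind denial against a generic port_t target, emits the portcon line Paul Howarth suggested; any other denial is just summarised for a human to look at. The third sample record is a constructed file-create denial of the sort Dan Walsh is asking for; its serial number and tcontext type (usr_t) are assumptions, not taken from the thread.

```python
import re

# Constructed sample input: the AVC and SYSCALL records from the thread, joined
# back onto single lines, plus a hypothetical AVC for the suidkey create failure
# reported in error_log (serial and target type are assumed, not from the thread).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1131056930.757:251): avc:  denied  { name_bind } for  pid=4946 comm="httpd" src=8090 scontext=root:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=tcp_socket
type=SYSCALL msg=audit(1131056930.757:251): arch=40000003 syscall=102 success=no exit=-13 a0=2 a1=bfc779f0 a2=750218 a3=8b8da58 items=0 pid=4946 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1131464740.512:300): avc:  denied  { create } for  pid=17096 comm="httpd" name="suidkey.17096" scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file
"""

AVC_RE = re.compile(r'^type=AVC msg=audit\((\d+\.\d+):(\d+)\): avc:\s+(denied|granted)\s+\{ ([^}]+) \} for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC record, or None for any other audit record type."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    ts, serial, verdict, perms, rest = m.groups()
    rec = {"timestamp": ts, "serial": serial, "verdict": verdict, "perms": perms.split()}
    for key, val in KV_RE.findall(rest):
        rec[key] = val.strip('"')
    # Contexts are user:role:type[:mls]; the type component is what policy reasons about.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def suggest_fix(rec):
    """Map a denial to the remedy discussed in the thread, where one applies.

    name_bind against the generic port_t type means the port carries no label of
    its own; for httpd_t the thread's answer is a portcon line giving it
    http_port_t.  Everything else is reported for inspection, not auto-fixed.
    """
    if "name_bind" in rec["perms"] and rec["ttype"] == "port_t" and rec["stype"] == "httpd_t":
        proto = rec["tclass"].replace("_socket", "")  # tcp_socket -> tcp
        return "portcon %s %s  system_u:object_r:http_port_t" % (proto, rec["src"])
    return "inspect: %s denied %s on %s (%s)" % (
        rec["stype"], " ".join(rec["perms"]), rec["ttype"], rec["tclass"])

def audit_to_fixes(text):
    """Run every AVC record in an audit.log excerpt through suggest_fix()."""
    return [suggest_fix(r) for r in map(parse_avc, text.splitlines()) if r]

if __name__ == "__main__":
    for fix in audit_to_fixes(SAMPLE_AUDIT):
        print(fix)
```

On later releases the same port labelling is done with `semanage port -a -t http_port_t -p tcp 8090` instead of rebuilding the policy sources, but the AVC record you read to decide that is unchanged.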
