Selinux & Apache
Colly Murray
colin.murray at dit.ie
Fri Jul 18 14:49:48 UTC 2008
Hi there,
I'm having some problems with apache and selinux.
Yesterday in /var/log/httpd/error_log I had:
[Thu Jul 17 16:34:26 2008] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Thu Jul 17 16:34:26 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jul 17 16:34:26 2008] [notice] Digest: generating secret for digest authentication ...
[Thu Jul 17 16:34:26 2008] [notice] Digest: done
[Thu Jul 17 16:34:26 2008] [warn] pid file /var/www/ditsite/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Thu Jul 17 16:34:26 2008] [notice] Apache configured -- resuming normal operations
It happened a couple of times on a production site, so I decided to try disabling protection for the httpd daemon:
# setsebool -P httpd_disable_trans 1
# service httpd restart
Messages in /var/log/messages:
Jul 18 13:37:46 localhost dbus: avc: received policyload notice (seqno=3)
Jul 18 13:37:47 localhost setsebool: The httpd_disable_trans policy boolean was changed to 1 by root
Jul 18 13:37:48 localhost setroubleshoot: SELinux is preventing setsebool (semanage_t) "sys_admin" to <Unknown> (semanage_t). For complete SELinux messages. run sealert -l dbc64b3f-71be-48c7-aa07-03264440576c
Sealert says the following:
Summary:
SELinux is preventing httpd (httpd_t) "sys_admin" to <Unknown> (httpd_t).
Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
SELinux denied access requested by httpd. It is not expected that this access is required by httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                root:system_r:httpd_t
Target Context                root:system_r:httpd_t
Target Objects                None [ capability ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          OSTRAIS
Source RPM Packages           httpd-2.2.3-11.el5_1.3
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5_2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     OSTRAIS
Platform                      Linux OSTRAIS 2.6.18-92.1.1.el5 #1 SMP Thu May 22 09:01:47 EDT 2008 x86_64 x86_64
Alert Count                   10
First Seen                    Thu Jul 17 17:20:02 2008
Last Seen                     Fri Jul 18 13:33:30 2008
Local ID                      b22d5d55-1982-4c69-820e-7df4dbd33842
Line Numbers
Raw Audit Messages
host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc: denied { sys_admin } for pid=24960 comm="httpd" capability=21 scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability
1.) Why is SELinux preventing me from changing this value?
2.) Am I taking the correct approach?
httpd-2.2.3-11.el5_1.3/
Linux 2.6.18-92.1.1.el5 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 5.2 (Tikanga)
Thanks
Colly
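As an added example (not part of the message above and not code from the poster or from the SELinux project), the following Python parses the raw AVC record quoted in the post, decodes the capability number, and triages the denial. The capability table is the standard one from the Linux kernel's capability.h; the set of "sensitive" capabilities and the severity labels are this example's own assumptions, not policy rules. The second sample record is constructed to show the parser also handles an ordinary file denial.

```python
import re
from datetime import datetime, timezone

# The raw AVC line quoted in the message above, joined back onto one line.
SAMPLE_AVC = (
    'host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc: denied { sys_admin } '
    'for pid=24960 comm="httpd" capability=21 scontext=root:system_r:httpd_t:s0 '
    'tcontext=root:system_r:httpd_t:s0 tclass=capability'
)

# Constructed file-access denial (not from the message) to exercise the non-capability path.
SAMPLE_FILE_AVC = (
    'type=AVC msg=audit(1216384500.001:2491): avc: denied { read } for pid=24961 '
    'comm="httpd" name="index.html" dev=sda1 ino=4711 scontext=root:system_r:httpd_t:s0 '
    'tcontext=root:object_r:user_home_t:s0 tclass=file'
)

# Capability numbers as defined in the Linux kernel's include/linux/capability.h.
CAPABILITY_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    9: "CAP_LINUX_IMMUTABLE", 10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST",
    12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE",
    20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN", 22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE",
    24: "CAP_SYS_RESOURCE", 25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL", 31: "CAP_SETFCAP",
}

# Assumption of this example: capabilities a confined web server should never need,
# because each one gives a way around DAC or out of the httpd_t sandbox.
SENSITIVE_CAPABILITIES = {
    "sys_admin", "sys_module", "sys_rawio", "sys_ptrace", "sys_chroot",
    "dac_override", "dac_read_search", "setuid", "setgid",
}

_HEADER = re.compile(
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\).*?"
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}"
)
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')  # key=value or key="quoted value"


def split_context(ctx):
    """Split user:role:type[:level] into parts; level may itself contain colons."""
    parts = ctx.split(":", 3) + ["", "", "", ""]
    return {"user": parts[0], "role": parts[1], "type": parts[2], "level": parts[3]}


def parse_avc(line):
    """Turn one raw AVC record into a dict of typed fields."""
    m = _HEADER.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    fields = {}
    for key, full, quoted in _KV.findall(line):
        fields[key] = quoted if full.startswith('"') else full
    rec = {
        # audit(SECONDS.MILLIS:SERIAL): seconds are a Unix epoch timestamp
        "timestamp": datetime.fromtimestamp(float(m.group("ts")), tz=timezone.utc),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "pid": int(fields.get("pid", 0)),
        "comm": fields.get("comm", ""),
        "tclass": fields.get("tclass", ""),
        "scontext": split_context(fields.get("scontext", "")),
        "tcontext": split_context(fields.get("tcontext", "")),
        "target": fields.get("name") or fields.get("path"),
        "capability": None,
    }
    if "capability" in fields:
        num = int(fields["capability"])
        rec["capability"] = CAPABILITY_NAMES.get(num, "CAP_%d" % num)
    return rec


def assess(rec):
    """Return (severity, reason) for a parsed denial; severities are this example's own labels."""
    src = rec["scontext"]["type"]
    if rec["tclass"] == "capability":
        wanted = [p for p in rec["perms"] if p in SENSITIVE_CAPABILITIES]
        if wanted:
            return ("high", "%s (%s) requested %s; investigate the process before allowing it"
                    % (rec["comm"], src, rec["capability"] or ", ".join(wanted)))
        return ("medium", "%s (%s) requested capability %s" % (rec["comm"], src, rec["capability"]))
    if rec["tclass"] in ("file", "dir", "lnk_file") and rec["tcontext"]["type"] != src:
        return ("low", "%s (%s) denied %s on %s labelled %s; usually a file-labelling problem"
                % (rec["comm"], src, " ".join(rec["perms"]), rec["target"], rec["tcontext"]["type"]))
    return ("review", "%s (%s) denied %s on class %s"
            % (rec["comm"], src, " ".join(rec["perms"]), rec["tclass"]))


if __name__ == "__main__":
    for line in (SAMPLE_AVC, SAMPLE_FILE_AVC):
        r = parse_avc(line)
        print(r["timestamp"].isoformat(), r["serial"], *assess(r))
```

The epoch seconds in `msg=audit(1216384410.773:2490)` decode to 2008-07-18 12:33:30 UTC, which is the 13:33:30 Irish local time that sealert reports as "Last Seen", so the converter is handy for matching a raw audit record to a sealert summary. Note that the quoted record is a capability request by `httpd_t` against itself (`scontext` equals `tcontext`, `tclass=capability`), which is what a capability check always looks like; the thing to establish is which code path in httpd or a module wants CAP_SYS_ADMIN.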