Selinux & Apache

Colly Murray colin.murray at dit.ie
Fri Jul 18 14:49:48 UTC 2008


Hi there,

I'm having some problems with apache and selinux.

Yesterday in /var/log/httpd/error_log I had:

[Thu Jul 17 16:34:26 2008] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
[Thu Jul 17 16:34:26 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Thu Jul 17 16:34:26 2008] [notice] Digest: generating secret for digest authentication ...
[Thu Jul 17 16:34:26 2008] [notice] Digest: done
[Thu Jul 17 16:34:26 2008] [warn] pid file /var/www/ditsite/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
[Thu Jul 17 16:34:26 2008] [notice] Apache configured -- resuming normal operations

It happened a couple of times on a production site, so I decided to try disabling protection for the httpd daemon:

# setsebool -P httpd_disable_trans 1
# service httpd restart

Message in /var/log/messages:

Jul 18 13:37:46 localhost dbus: avc:  received policyload notice (seqno=3)
Jul 18 13:37:47 localhost setsebool: The httpd_disable_trans policy boolean was changed to 1 by root
Jul 18 13:37:48 localhost setroubleshoot: SELinux is preventing setsebool (semanage_t) "sys_admin" to <Unknown> (semanage_t). For complete SELinux messages. run sealert -l dbc64b3f-71be-48c7-aa07-03264440576c

Sealert says the following:

Summary:

SELinux is preventing httpd (httpd_t) "sys_admin" to <Unknown> (httpd_t).

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

SELinux denied access requested by httpd. It is not expected that this access is required by httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:system_r:httpd_t
Target Context                root:system_r:httpd_t
Target Objects                None [ capability ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          OSTRAIS
Source RPM Packages           httpd-2.2.3-11.el5_1.3
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.1.el5_2
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   catchall
Host Name                     OSTRAIS
Platform                      Linux OSTRAIS 2.6.18-92.1.1.el5 #1 SMP Thu May 22 09:01:47 EDT 2008 x86_64 x86_64
Alert Count                   10
First Seen                    Thu Jul 17 17:20:02 2008
Last Seen                     Fri Jul 18 13:33:30 2008
Local ID                      b22d5d55-1982-4c69-820e-7df4dbd33842
Line Numbers

Raw Audit Messages

host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc:  denied  { sys_admin } for  pid=24960 comm="httpd" capability=21 scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability

1.)     Why is selinux preventing me from changing this value?
2.)     Am I taking the correct approach?

httpd-2.2.3-11.el5_1.3/
Linux 2.6.18-92.1.1.el5 x86_64 GNU/Linux
Red Hat Enterprise Linux Server release 5.2 (Tikanga)

Thanks

Colly
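As an added example (my code, not part of Colly's message or of setroubleshoot), here is a small Python parser for the raw AVC record quoted above: it pulls out the denied permission, the capability number with its name (21 is CAP_SYS_ADMIN), the source and target types, and, when a newer kernel supplies it, the permissive flag, so a denial like this one can be triaged straight from /var/log/audit/audit.log. The sample line is the one from the post; the capability table is a subset of the standard Linux one.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the raw AVC quoted in the post, joined onto one line.
RAW_AVC = (
    'host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc:  denied  { sys_admin } '
    'for  pid=24960 comm="httpd" capability=21 '
    'scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability'
)
# Capability numbers from linux/capability.h (subset); 21 is CAP_SYS_ADMIN.
CAP_NAMES = {1: "dac_override", 7: "setuid", 10: "net_bind_service", 12: "net_admin", 21: "sys_admin"}

AVC_RE = re.compile(
    r"msg=audit\((?P<ts>\d+)\.\d+:(?P<serial>\d+)\):\s+avc:\s+"
    r"(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<kv>.*)$"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split one AVC record into a dict of its fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    rec = {"result": m.group("result"), "serial": int(m.group("serial")),
           "time": datetime.fromtimestamp(int(m.group("ts")), tz=timezone.utc),
           "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("kv")):
        rec[key] = val.strip('"')
    # user:role:type[:mls]; the type is what policy rules are written against.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            user, role, dtype, *mls = rec[ctx].split(":")
            rec[ctx] = {"user": user, "role": role, "type": dtype, "mls": ":".join(mls)}
    if rec.get("tclass") == "capability" and "capability" in rec:
        rec["capability_name"] = CAP_NAMES.get(int(rec["capability"]), "unknown")
    # Newer kernels append permissive=1 when a denial was not enforced; this 2.6.18
    # record lacks it, so enforcement has to be read from sealert or getenforce.
    if "permissive" in rec:
        rec["enforced"] = rec["permissive"] == "0"
    return rec

def summarize(rec):
    """One-line triage summary of the kind that goes into a ticket."""
    what = rec.get("tclass", "?")
    if what == "capability":
        what = f"capability {rec.get('capability', '?')} ({rec.get('capability_name', '?')})"
    return (f"{rec.get('comm', '?')} ({rec['scontext']['type']}) {rec['result']} "
            f"{{ {' '.join(rec['perms'])} }} on {what}, target {rec['tcontext']['type']}")
```

Because source and target type are both httpd_t and the class is capability, the record describes httpd asking for a kernel capability for itself, not access to a file or port, which is why sealert can only offer the catchall advice.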




More information about the fedora-selinux-list mailing list