Selinux & Apache

Daniel J Walsh dwalsh at redhat.com
Fri Jul 18 15:01:54 UTC 2008



Colly Murray wrote:
> Hi there,
>
> I'm having some problems with apache and selinux.
>
> Yesterday in /var/log/httpd/error_log I had:
>
> [Thu Jul 17 16:34:26 2008] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t
> [Thu Jul 17 16:34:26 2008] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
> [Thu Jul 17 16:34:26 2008] [notice] Digest: generating secret for digest authentication ...
> [Thu Jul 17 16:34:26 2008] [notice] Digest: done
> [Thu Jul 17 16:34:26 2008] [warn] pid file /var/www/ditsite/logs/httpd.pid overwritten -- Unclean shutdown of previous Apache run?
> [Thu Jul 17 16:34:26 2008] [notice] Apache configured -- resuming normal operations
>
I don't see any errors here?

> It happened a couple of times on a production site, so I decided to try
> disabling protection for httpd Daemon:
>

SELinux was not preventing you from doing anything, I believe.  You
restarted the service using service apache restart, which would change
apache from running as system_u:system_r:httpd_t to
user_u:system_r:httpd_t (user_u is the user who restarted apache).
Apache must be watching this and reporting it as a warning, but it
would not prevent apache from doing anything.
>
> # setsebool -P httpd_disable_trans 1
> # service httpd restart
>
> Message in /var/log/messages
>
> Jul 18 13:37:46 localhost dbus: avc:  received policyload notice (seqno=3)
> Jul 18 13:37:47 localhost setsebool: The httpd_disable_trans policy boolean was changed to 1 by root
> Jul 18 13:37:48 localhost setroubleshoot: SELinux is preventing setsebool (semanage_t) "sys_admin" to <Unknown> (semanage_t). For complete SELinux messages. run sealert -l dbc64b3f-71be-48c7-aa07-03264440576c
>
> Sealert says the following:
>
> Summary:
>
> SELinux is preventing httpd (httpd_t) "sys_admin" to <Unknown> (httpd_t).
>
> Detailed Description:
>
> [SELinux is in permissive mode, the operation would have been denied but was
> permitted due to permissive mode.]
>
> SELinux denied access requested by httpd. It is not expected that this
> access is required by httpd and this access may signal an intrusion attempt.
> It is also possible that the specific version or configuration of the
> application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable SELinux protection altogether. Disabling SELinux protection is not
> recommended. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
> Additional Information:
>
> Source Context                root:system_r:httpd_t
> Target Context                root:system_r:httpd_t
> Target Objects                None [ capability ]
> Source                        httpd
> Source Path                   /usr/sbin/httpd
> Port                          <Unknown>
> Host                          OSTRAIS
> Source RPM Packages           httpd-2.2.3-11.el5_1.3
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-137.1.el5_2
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Permissive
> Plugin Name                   catchall
> Host Name                     OSTRAIS
> Platform                      Linux OSTRAIS 2.6.18-92.1.1.el5 #1 SMP Thu May 22
>                               09:01:47 EDT 2008 x86_64 x86_64
> Alert Count                   10
> First Seen                    Thu Jul 17 17:20:02 2008
> Last Seen                     Fri Jul 18 13:33:30 2008
> Local ID                      b22d5d55-1982-4c69-820e-7df4dbd33842
> Line Numbers
>
> Raw Audit Messages
>
> host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc:  denied  { sys_admin } for  pid=24960 comm="httpd" capability=21 scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability
>
> 1.)     Why is selinux preventing me from changing this value?  
> 
SELinux did not prevent you from changing the value.  It seems apache is
still running httpd_t though.  Not sure why.
> 2.)     Am I taking the correct approach?

No.  Why did you disable SELinux protection on apache when it was not
failing?  If it is failing, what is it trying to do?
>
> httpd-2.2.3-11.el5_1.3/
> Linux 2.6.18-92.1.1.el5 x86_64 GNU/Linux
> Red Hat Enterprise Linux Server release 5.2 (Tikanga)
>
> Thanks
>
> Colly
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

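As an added example (not code from this thread or from Red Hat), a few POSIX shell helpers that read the two lines at issue above, the httpd error_log "running as context" notice and the raw AVC record, so that the SELinux user of the running httpd and the permission actually denied can be checked before a boolean such as httpd_disable_trans is flipped. The sample lines are constructed from the ones quoted in the mail, and the live check at the end assumes procps `ps` and `ausearch` are installed.

```shell
#!/bin/sh
# Added example, not code from this thread: separate a cosmetic context
# change on restart from a real AVC denial before touching any boolean.

# Constructed sample lines, copied from the shapes quoted in the thread.
ERRLOG_LINE='[Thu Jul 17 16:34:26 2008] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t'
AVC_LINE='host=OSTRAIS type=AVC msg=audit(1216384410.773:2490): avc:  denied  { sys_admin } for  pid=24960 comm="httpd" capability=21 scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability'

# SELinux user part of the context httpd reports at startup (user_u here).
httpd_context_user() {
    printf '%s\n' "$1" | sed -n 's/.*running as context \([^:]*\):.*/\1/p'
}

# "init" when started via init/run_init (system_u), otherwise "shell":
# a restart from a login session carries that session's SELinux user, which
# is the harmless difference the reply describes, not a denial.
context_origin() {
    [ "$(httpd_context_user "$1")" = system_u ] && echo init || echo shell
}

# key=value or key="value" field out of a raw AVC record.
avc_field() {
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Source domain: root:system_r:httpd_t:s0 -> httpd_t. If httpd_disable_trans
# had taken effect, httpd would no longer be in httpd_t.
avc_domain() {
    avc_field scontext "$1" | cut -d: -f3
}

# Permission(s) between the braces: "{ sys_admin }" -> "sys_admin".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \([^}]*\) }.*/\1/p'
}

# One-line summary of what was denied (or, in permissive mode, only logged).
avc_summary() {
    printf '%s in %s wanted %s on %s\n' "$(avc_field comm "$1")" \
        "$(avc_domain "$1")" "$(avc_perms "$1")" "$(avc_field tclass "$1")"
}

# Stand-alone run over the constructed lines.
echo "error_log context user: $(httpd_context_user "$ERRLOG_LINE") ($(context_origin "$ERRLOG_LINE")-started)"
avc_summary "$AVC_LINE"
# Live check when the tools exist: which domain is httpd in right now, and
# has the audit log recorded any AVC for httpd at all?
command -v ps >/dev/null && { ps -eo label,comm | grep httpd || echo "no httpd running"; }
command -v ausearch >/dev/null && { ausearch -m avc -c httpd 2>/dev/null | tail -n 5 || true; }
```

On the system in the thread, "shell-started" with no AVC for httpd is exactly the situation the reply describes: a context warning, not a denial.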
