LinuxQuestions.org
Old 04-30-2008, 04:27 AM   #1
DiWi
Member
 
Registered: Jun 2004
Location: Frankfurt/M Germany
Distribution: SuSE 9.3/10.2/10.3
Posts: 64
SELinux Error on Apache2 with auth_pam


All
I'm trying to set up a test server with a Subversion DAV repository. I did this several times before on SuSE but never on RHEL/Fedora.

The setup went without problems, but when accessing the URL the authentication fails and I get the following SELinux error:
Code:
Summary:

SELinux is preventing httpd (httpd_t) "create" to <Unknown> (httpd_t).

Detailed Description:

SELinux denied access requested by httpd. It is not expected that this access is
required by httpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                None [ netlink_audit_socket ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          dirkg-fedora
Source RPM Packages           httpd-2.2.8-1.fc8
Target RPM Packages           
Policy RPM                    selinux-policy-3.0.8-95.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     dirkg-fedora
Platform                      Linux dirkg-fedora 2.6.24.4-64.fc8 #1 SMP Sat Mar
                              29 09:54:46 EDT 2008 i686 i686
Alert Count                   10
First Seen                    Tue 29 Apr 2008 06:59:46 PM CEST
Last Seen                     Wed 30 Apr 2008 09:25:49 AM CEST
Local ID                      84effc8b-6fd9-42cf-8b9d-dc466e5e7609
Line Numbers                  

Raw Audit Messages            

host=dirkg-fedora type=AVC msg=audit(1209540349.930:50): avc:  denied  { create } for  pid=2811 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket

host=dirkg-fedora type=SYSCALL msg=audit(1209540349.930:50): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfce6ce0 a2=944ff4 a3=b9ad1cf8 items=0 ppid=2805 pid=2811 auid=500 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
This is the http configuration part for subversion:
Code:
<Location /repos/mm7>
   DAV svn
   SVNPath /var/www/svn/mm7
   SVNAutoversioning Off
   AuthType Basic
   AuthName "Subversion Repository"
   AuthPAM_Enabled On
   AuthShadow on
   AuthPAM_FallThrough Off
   AuthBasicAuthoritative Off
   Require valid-user
</Location>
I don't want to disable SELinux because this server will go into production. How can I grant access rights to httpd in order to do the PAM authentication?

Regards Dirk
 
Old 04-30-2008, 05:50 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,543
Blog Entries: 54
Quote:
Originally Posted by DiWi
I don't want to disable SELinux because this server will go into production. How can I grant access rights to httpd in order to do the PAM authentication?
Thanks for not disabling SELinux.


If you run your AVC message through audit2allow:
Code:
echo 'avc:  denied  { create } comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket'\
|audit2allow
you'll see something like
Code:
#============= httpd_t ==============
allow httpd_t self:netlink_audit_socket create;
which you can add to your local policy. (For netlink_audit_socket see Fedora's docs or http://www.tresys.com/selinux/obj_pe...k_audit_socket.)

If you don't have a local policy source file called "local.te" it should look something like:
Code:
module local 1.0;

require { 
           type httpd_t;
           class netlink_audit_socket { create read write nlmsg_relay };
           class capability audit_write;
}

#============= httpd_t ==============
allow httpd_t self:netlink_audit_socket create;
Of course you can have audit2allow create the policy file automagically ('man audit2allow').

To make the policy effective it has to be compiled and loaded:
Code:
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp
Each time you encounter AVC messages you can add those to your "local.te" policy file, recompile and load. While you can easily automate the whole process I'd suggest not doing that or only the compile and load part, and visually inspecting the policy before doing that. BTW I keep my policy source files in /etc/selinux/$policy_type/modules and the binary representation to load (pp) in /etc/selinux/$policy_type/modules/active. Choose (and document: after all it's a production server) a suitable location. To see which modules are loaded use 'semodule -l'. When the above is loaded you'll see your "local $version".

HTH
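As an added example (not part of unSpawn's reply and not the audit2allow tool itself), the Python script below reproduces the core of what audit2allow does for the AVC line quoted in this thread: it parses the raw audit message, merges the denied permissions per (source type, target type, class), and emits the allow rule plus the require block of a local.te module. The first sample line is the thread's own AVC; the second (nlmsg_relay) is constructed to show how permissions for the same rule are merged. The output is meant to be read before it is compiled and loaded, exactly as suggested above.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC line from this thread plus a second, constructed
# denial on the same socket class, so that permission merging is visible.
SAMPLE_AVC = """
host=dirkg-fedora type=AVC msg=audit(1209540349.930:50): avc:  denied  { create } for  pid=2811 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
host=dirkg-fedora type=AVC msg=audit(1209540350.101:51): avc:  denied  { nlmsg_relay } for  pid=2811 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
"""

# Matches the permission set and the three context fields of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)')

def type_of(context):
    """Return the type component (user:role:TYPE:level) of a security context."""
    return context.split(":")[2]

def parse_avcs(text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    rules = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scon"]), type_of(m["tcon"]), m["tclass"])
            rules[key].update(m["perms"].split())
    return rules

def allow_rules(rules):
    """Render allow rules; a target type equal to the source becomes 'self'."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if tgt == src else tgt
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return out

def build_te(rules, name="local", version="1.0"):
    """Assemble a complete .te module: header, require block, allow rules."""
    types = sorted({t for key in rules for t in (key[0], key[1])})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(rules)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_te(parse_avcs(SAMPLE_AVC)))
```

The printed text can be saved as local.te and compiled with the checkmodule / semodule_package / semodule sequence shown above.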