When I turn on my SeLinux to enforcing mode on my Red Hat system ssh stops working and my http server stops responding.

I went into the SeLinux GUI and enabled things in there but still it wont work.

Any thoughts on what to check?

permissive mode and disabled they work

I read several articles that say it should not be affect by SeLinux and the setting look correct but the only thing I do is turn on SeLinux and ssh /httpd stop working

ps -eZ | grep sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 432 ? 00:00:00 sshd
system_u:system_r:unconfined_t:SystemLow-SystemHigh 2426 ? 00:00:00 sshd

[root@goxsa1340 ~]# ps -eZ | grep httpd
user_u:system_r:httpd_t 3044 ? 00:00:00 httpd
user_u:system_r:httpd_t 3045 ? 00:00:00 httpd
user_u:system_r:httpd_t 3047 ? 00:00:00 httpd
user_u:system_r:httpd_t 3048 ? 00:00:00 httpd
user_u:system_r:httpd_t 3049 ? 00:00:00 httpd
user_u:system_r:httpd_t 3050 ? 00:00:00 httpd
user_u:system_r:httpd_t 3051 ? 00:00:00 httpd
user_u:system_r:httpd_t 3052 ? 00:00:00 httpd
user_u:system_r:httpd_t 3053 ? 00:00:00 httpd



thank you

What RHEL version?

That does seem odd. By default, /etc/sysconfig/selinux has SELINUXTYPE=targeted. So unless you're doing something unusual with httpd, you should not be seeing these issues.

It might seem like overkill, but run this:
Then try again.

-------

If you're still running into troubles, check /var/log/secure, /var/log/messages, and the httpd logs, and let us know what you are seeing.

tried that and still cannot ssh in with Selinux turned on.

With selinux on i get this message

$ssh myserver
ssh: connect to host myserver port 22: Connection timed out


looking at /var/log/secure I dont see anything being rejected.



Feb 3 10:19:10 myserver sshd[30641]: pam_unix(sshd:session): session closed for user root
Feb 3 11:25:03 myserver sshd[30780]: Accepted publickey for root from xxx.xxx.xxx.xxx port 44782 ssh2
Feb 3 11:25:03 myserver sshd[30780]: pam_unix(sshd:session): session opened for user root by (uid=0)
Feb 3 11:33:18 myserver gdm[2755]: pam_unix(gdm:session): session closed for user root
Feb 3 11:33:24 myserver sshd[2426]: Received signal 15; terminating.
Feb 3 11:33:24 myserver sshd[432]: Exiting on signal 15
Feb 3 11:33:24 myserver sshd[432]: pam_unix(sshd:session): session closed for user root
Feb 3 11:33:24 myserver sshd[30780]: Exiting on signal 15
Feb 3 11:33:24 myserver sshd[30780]: pam_unix(sshd:session): session closed for user root
Feb 3 11:46:59 myserver sshd[2433]: Server listening on :: port 22.
Feb 3 11:46:59 myserver sshd[2433]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Feb 3 11:47:18 myserver sshd[2803]: Accepted publickey for root from xxx.xxx.xxx port 36060 ssh2
Feb 3 11:47:18 myserver sshd[2803]: pam_unix(sshd:session): session opened for user root by (uid=0)

my config file


more config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - SELinux is fully disabled.
SELINUX=permissive
#SELINUX=enforcing
# SELINUXTYPE= type of policy in use. Possible values are:
# targeted - Only targeted network daemons are protected.
# strict - Full SELinux protection.
SELINUXTYPE=targeted

# SETLOCALDEFS= Check local definition changes
SETLOCALDEFS=0


Nothing strange there

Any "kernel: audit" chatter in /var/log/messages? What does it say?

i don't see any messages in the messages file. Red Hat has not been helpful on this matter. We do pay for support but I seem to get better support here gesh.


tail messages

What is it your web app is doing? (Is this just a static "hello world" page? Or something more substantial, e.g. running PHP?)

I don't see any httpd denials in that log snippet you posted. Please use code tags, BTW. It is too hard to read as is.

What things? What settings? Please be specific. Let's focus on one service at a time.


If you suspect SELinux what could be interesting instead is:
- 'getsebool -a | grep -i ssh',
- 'rpm -Vv openssh-server|grep -v "\.\{8\}"',
- 'rpm -ql openssh-server|xargs ls -alZ',
- 'ausearch -ts yesterday -sv no -c sshd',
- 'audit2allow < /var/log/audit/audit.log'.


Ah, not adhering to security best practices I see?


What's this?

I enabled SeLinux using the config file to make it enforcing from permissive.
We have a master server that we allow root in from so that message is OK.

getsebool -a | grep -i ssh
allow_ssh_keysign --> on
run_ssh_inetd --> off
ssh_sysadm_login --> on


rpm -Vv openssh-server|grep -v "\.\{8\}"
S.5....T c /etc/ssh/sshd_config


rpm -ql openssh-server|xargs ls -alZ
-rw-r--r-- root root system_u:object_r:etc_t:s0 /etc/pam.d/sshd
-rwxr-xr-x root root system_u:object_r:initrc_exec_t:s0 /etc/rc.d/init.d/sshd
-rw------- root root root:object_r:etc_t:s0 /etc/ssh/sshd_config
-rwxr-xr-x root root system_u:object_r:bin_t:s0 /usr/libexec/openssh/sftp-server
-rwxr-xr-x root root system_u:object_r:sshd_exec_t:s0 /usr/sbin/sshd
-rw-r--r-- root root system_u:object_r:sbin_t:s0 /usr/sbin/.sshd.hmac
-rw-r--r-- root root system_u:object_r:man_t:s0 /usr/share/man/man5/sshd_config.5.gz
-rw-r--r-- root root system_u:object_r:man_t:s0 /usr/share/man/man8/sftp-server.8.gz
-rw-r--r-- root root system_u:object_r:man_t:s0 /usr/share/man/man8/sshd.8.gz
-rw-r--r-- root root system_u:object_r:locale_t:s0 /var/empty/sshd/etc/localtime

/etc/ssh:
drwxr-xr-x root root system_u:object_r:etc_t:s0 .
drwxr-xr-x root root system_u:object_r:etc_t:s0 ..
-rw------- root root system_u:object_r:etc_t:s0 moduli
-rw-r--r-- root root system_u:object_r:etc_t:s0 ssh_config
-rw------- root root root:object_r:etc_t:s0 sshd_config
-rw------- root root system_u:object_r:sshd_key_t:s0 ssh_host_dsa_key
-rw-r--r-- root root system_u:object_r:etc_t:s0 ssh_host_dsa_key.pub
-rw------- root root system_u:object_r:sshd_key_t:s0 ssh_host_key
-rw-r--r-- root root system_u:object_r:etc_t:s0 ssh_host_key.pub
-rw------- root root system_u:object_r:sshd_key_t:s0 ssh_host_rsa_key
-rw-r--r-- root root system_u:object_r:etc_t:s0 ssh_host_rsa_key.pub

/var/empty/sshd:
drwx--x--x root root system_u:object_r:var_t:s0 .
drwxr-xr-x root root system_u:object_r:var_t:s0 ..
drwxr-xr-x root root system_u:object_r:etc_t:s0 etc

/var/empty/sshd/etc:
drwxr-xr-x root root system_u:object_r:etc_t:s0 .
drwx--x--x root root system_u:object_r:var_t:s0 ..
-rw-r--r-- root root system_u:object_r:locale_t:s0 localtime

ausearch -ts yesterday -sv no -c sshd
audit log is not writable by owner
NOTE - using built-in logs: /var/log/audit/audit.log
<no matches>

audit2allow < /var/log/audit/audit.log


#============= audisp_t ==============
allow audisp_t httpd_sys_content_t:dir search;

#============= avahi_t ==============
allow avahi_t tmp_t:file { write read };
allow avahi_t user_home_t:file { read write };

#============= gpm_t ==============
allow gpm_t httpd_sys_content_t:dir search;

#============= httpd_t ==============
allow httpd_t file_t:dir { search getattr };

#============= ifconfig_t ==============
allow ifconfig_t tmp_t:file { write read };
allow ifconfig_t user_home_t:file { read write };

#============= iptables_t ==============
allow iptables_t tmp_t:file { write read };
allow iptables_t user_home_t:file { read write };

#============= irqbalance_t ==============
allow irqbalance_t httpd_sys_content_t:dir search;

#============= setrans_t ==============
allow setrans_t httpd_sys_content_t:dir search;

i am going to have to rebuild this system i think to many things are wrong with it.

If there really are "too many things are wrong with it" then OK, but if that's your conclusion from this thread and this problem only then I disagree: re-installing Linux for this problem only seems the most asymmetrical and inefficient solution to me, besides you'll never get to the bottom of this.

Back to your previous reply the output of all commands except 'audit2allow' seems OK to me, nothing unusual or blocking there. What is odd in your 'audit2allow' output is that you seem to be running modifications the kernel (2.6.18-194.32.1.el5 right now) and policy (selinux-policy-2.4.6-279.el5_5.2, selinux-policy-targeted-2.4.6-279.el5_5.2 right now) don't cater for. This does not automagically mean that you need local policy additions. For instance anything requiring "dir search" capabilities in httpd_sys_content_t is OK (running 'sesearch -thttpd_sys_content_t --allow' will show many rules for that destination) but allowing iptables_t "read write" access to user_home_t definitely seems not OK (especially read and especially if the file can be written to by unprivileged users). Running 'sesearch -siptables_t --allow' shows what the source is allowed to have access to.


The reason I wrote "not adhering to security best practices I see?" (which you conveniently forgot to respond to) earlier on may be a good starting point as root should not log in over the network anyway. So can an unprivileged user log in OK? If not, what does the verbose SSH output look like from both vantage point of server (run sshd on a different port and add "-d -d -d" to the command line) and client (point ssh to the changed port and add "-v -v -v" to the command line)?


Also there's still the "Address already in use" message you need to clear up. If the port is already in use, meaning the init script doesn't properly detect and kill off sshd running or sshd refuses to die for some odd reason or Something Completely Different is using the port, then you need to investigate that too.

so i rebuilt the system and the still had the issue but I was able to try a few thing. I put the html files in the default location and it works. So its definitely has to do with the other dir i am using /data/www not /var/www/html.

I ran these command and now it seems to be working.

# chcon --reference=/var/www /data
# chcon -R -v -t httpd_sys_content_t /data