With mod_auth_shadow, SELinux denies httpd access to
/usr/sbin/validate. This is an suid helper program run by
mod_auth_shadow which actually opens and performs a validation request
for mod_auth_shadow.
This problem isn't restricted to mod_auth_shadow, however; it also
happens with mod_auth_winbind. This accesses the PAM stack,
which runs a separate executable /usr/bin/ntlm_auth (file context:
winbind_helper_exec_t) as a helper program for authentication. SELinux
denies httpd access to ntlm_auth.
I've attached the two alerts.
Scott
Steve Grubb wrote:
On Friday 25 January 2008 18:58:44 Scott Bambrough wrote:
The goal is to make mod_auth_shadow work in a secure fashion with
SELinux in enforcing mode.
Gotcha.
I basically tried the above and can get mod_auth_shadow to work.
I think we need a policy change. Let me think about it and I'll get back with
you on this. I don't want to shoot from the hip.
-Steve
Summary
SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled
files ntlm_auth (winbind_helper_exec_t).
Detailed Description
SELinux has denied the /usr/sbin/httpd access to potentially mislabeled
files ntlm_auth. This means that SELinux will not allow http to use these
files. Many third party apps install html files in directories that SELinux
policy can not predict. These directories have to be labeled with a file
context which httpd can accesss.
Allowing Access
If you want to change the file context of ntlm_auth so that the httpd daemon
can access it, you need to execute it using chcon -t
httpd_sys_content_t.ntlm_auth. You can look at the httpd_selinux man page
for additional information.
Additional Information
Source Context system_u:system_r:httpd_t
Target Context system_u:object_r:winbind_helper_exec_t
Target Objects ntlm_auth [ file ]
Affected RPM Packages httpd-2.2.3-11.el5 [application]
Policy RPM selinux-policy-2.4.6-104.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.httpd_bad_labels
Host Name srh5.sarita.com
Platform Linux srh5.sarita.com 2.6.18-53.el5 #1 SMP Wed Oct
10 16:34:02 EDT 2007 i686 i686
Alert Count 3
Line Numbers
Raw Audit Messages
avc: denied { execute } for comm="httpd" dev=dm-0 egid=48 euid=48
exe="/usr/sbin/httpd" exit=-13 fsgid=48 fsuid=48 gid=48 items=0 name="ntlm_auth"
pid=6702 scontext=system_u:system_r:httpd_t:s0 sgid=48
subj=system_u:system_r:httpd_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:winbind_helper_exec_t:s0 tty=(none) uid=48
Summary
SELinux is preventing the /usr/sbin/validate from using potentially
mislabeled files shadow (shadow_t).
Detailed Description
SELinux has denied the /usr/sbin/validate access to potentially mislabeled
files shadow. This means that SELinux will not allow http to use these
files. Many third party apps install html files in directories that SELinux
policy can not predict. These directories have to be labeled with a file
context which httpd can accesss.
Allowing Access
If you want to change the file context of shadow so that the httpd daemon
can access it, you need to execute it using chcon -t
httpd_sys_content_t.shadow. You can look at the httpd_selinux man page for
additional information.
Additional Information
Source Context root:system_r:httpd_t
Target Context system_u:object_r:shadow_t
Target Objects shadow [ file ]
Affected RPM Packages xandros-libapache2-mod-auth-shadow-2.0.x.7-1
[application]
Policy RPM selinux-policy-2.4.6-104.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.httpd_bad_labels
Host Name srh5.sarita.com
Platform Linux srh5.sarita.com 2.6.18-53.el5 #1 SMP Wed Oct
10 16:34:02 EDT 2007 i686 i686
Alert Count 7
Line Numbers
Raw Audit Messages
avc: denied { read } for comm="validate" dev=dm-0 egid=48 euid=0
exe="/usr/sbin/validate" exit=-13 fsgid=48 fsuid=0 gid=48 items=0 name="shadow"
pid=15891 scontext=root:system_r:httpd_t:s0 sgid=48
subj=root:system_r:httpd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:shadow_t:s0 tty=(none) uid=48
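As an added example (not part of this thread, and not code from mod_auth_shadow or setroubleshoot), the following Python script parses the two raw AVC records above and explains why the "chcon -t httpd_sys_content_t" advice in both alerts is the wrong fix: the first denial is a missing domain transition for a helper executable, the second is the suid helper still running as httpd_t while it reads shadow. The sample records are constructed copies of the quoted ones with some fields dropped.

```python
import re

# Constructed samples: the two raw AVC records quoted in the alerts above,
# rejoined onto one line each, as auditd emits them (some fields dropped).
AVC_SAMPLES = [
    'avc: denied { execute } for comm="httpd" dev=dm-0 egid=48 euid=48 '
    'exe="/usr/sbin/httpd" exit=-13 name="ntlm_auth" pid=6702 '
    'scontext=system_u:system_r:httpd_t:s0 tclass=file '
    'tcontext=system_u:object_r:winbind_helper_exec_t:s0 tty=(none) uid=48',
    'avc: denied { read } for comm="validate" dev=dm-0 egid=48 euid=0 '
    'exe="/usr/sbin/validate" exit=-13 name="shadow" pid=15891 '
    'scontext=root:system_r:httpd_t:s0 suid=0 tclass=file '
    'tcontext=system_u:object_r:shadow_t:s0 tty=(none) uid=48',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_avc(line):
    """Parse one AVC record into a dict; 'perms' holds the denied permissions."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    for key, quoted, bare in KV_RE.findall(m.group(2)):
        rec[key] = quoted if quoted else bare
    return rec


def sel_type(context):
    """The type is the third field of user:role:type[:level]."""
    return context.split(":")[2]


def triage(rec):
    """Classify a denial and say whether relabeling the target is a safe fix."""
    src, tgt = sel_type(rec["scontext"]), sel_type(rec["tcontext"])
    if "execute" in rec["perms"] and tgt.endswith("_exec_t"):
        return {"kind": "missing_transition", "relabel_safe": False,
                "note": f"{src} may not execute {tgt}; the helper needs a "
                        "domain transition in policy, not a new label"}
    if tgt == "shadow_t":
        why = " (suid helper has euid=0 but is still confined as %s)" % src \
            if rec.get("euid") == "0" else ""
        return {"kind": "shadow_read", "relabel_safe": False,
                "note": "relabeling shadow to httpd_sys_content_t would hand "
                        "password hashes to every httpd_t process" + why}
    return {"kind": "other", "relabel_safe": None, "note": "review manually"}


def triage_all(lines):
    return [triage(parse_avc(l)) for l in lines if parse_avc(l)]
```

Running triage_all(AVC_SAMPLES) marks both denials as unsafe to "fix" by relabeling, which matches Steve's conclusion above that a policy change is needed rather than a chcon.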
_______________________________________________
rhelv5-list mailing list
rhelv5-list@redhat.com
https://www.redhat.com/mailman/listinfo/rhelv5-list