Bug 180408

Summary: Fedora Core 4 - Apache - Freeradius mod_auth_radius system hangs
Product: [Fedora] Fedora
Reporter: Frank Reiss <f.reiss>
Component: httpd
Assignee: Joe Orton <jorton>
Status: CLOSED NOTABUG
Severity: high
Priority: medium
Version: 4
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-06-02 13:53:46 UTC

Description Frank Reiss 2006-02-07 22:08:58 UTC
Description of problem: System Hangs
System hangs with Apache SSL mod_auth_radius sending authentication 
information to a radius - mysql server.

Hi everyone,

I am having a problem with my apache web server hanging and am looking for 
help. I have checked the log files and am finding nothing to indicate the cause 
of the system hangs.

The web server which hangs is Fedora Core 4

The Radius - Mysql server is Redhat EL4

httpd.conf excerpts.

LoadModule cgi_module modules/mod_cgi.so
LoadModule radius_auth_module /usr/lib/httpd/modules/mod_auth_radius-2.0.so
#</IfModule>
# End of proxy directives.
######################################################################
#
# Add to the BOTTOM of httpd.conf
# If we're using mod_auth_radius, then add its specific
# configuration options.
#
<IfModule mod_auth_radius-2.0.c>

#
# AddRadiusAuth server[:port] <shared-secret> [ timeout [ : retries ]]
# Use localhost, the old RADIUS port, secret 'testing123',
# time out after 5 seconds, and retry 3 times.
AddRadiusAuth imp-dell-21:1812 password 5:3
#             ServerName       RadiusPassword in clients.conf file
#
# AuthRadiusBindAddress <hostname/ip-address>
#
# Bind client (local) socket to this local IP address.
# The server will then see RADIUS client requests will come from
# the given IP address.
#
# By default, the module does not bind to any particular address,
# and the operating system chooses the address to use.
#

#
# AddRadiusCookieValid <minutes-for-which-cookie-is-valid>
#
# the special value of 0 (zero) means the cookie is valid forever.
#
AddRadiusCookieValid 5
</IfModule>

/var/www/html/.htaccess file is unchanged 

######################################################################
#
#  A sample per-directory access-control configuration, to be used
#  as a '.htaccess' file.
#

#
# Use basic password authentication.
# AuthType Digest won't work with RADIUS authentication.
#
AuthType Basic

#
# Tell the user the realm to which they're authenticating.
# This string should be configured for your site.
#
AuthName "RADIUS authentication for localhost"

#
# don't use 'mod_auth'.
# You might want to disable other authentication types here.
# You can get a similar effect by commenting out the
# 'AddModule mod_auth_*' lines, previously in httpd.conf
#
AuthAuthoritative off

#
# Use mod_auth_radius for all authentication, and make the responses
# from it authoritative.
#
AuthRadiusAuthoritative on

#
# Make a local variation of AddRadiusCookieValid.  The server will choose
# the MINIMUM of the two values.
#
# AuthRadiusCookieValid <minutes-for-which-cookie-is-valid>
#
AuthRadiusCookieValid 5

#
# Set the use of RADIUS authentication at this <Location>
#
# Locally set the RADIUS authentication active.
#
# If there is a directory which you do NOT want to have RADIUS
# authentication for, then use a <Directory> directive, and
# set "AuthRadiusActive Off"
#
AuthRadiusActive On

#
# require that mod_auth_radius return a valid user, otherwise
# access is denied.
#
require valid-user

The error logs do not record what the problem is.

audit.log

type=SOCKETCALL msg=audit(1139343826.935:1437305): nargs=3 a0=c a1=bf947fbc 
a2=10
type=SOCKADDR msg=audit(1139343826.935:1437305): 
saddr=02001FBA000000000000000000000000
type=SYSCALL msg=audit(1139343826.935:1437305): arch=40000003 syscall=102 
success=no exit=-13 a0=2 a1=bf9473b0 a2=416998 a3=892bed8 items=0 pid=2198 
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 
fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1139343826.935:1437305): avc:  denied  { name_bind } for  
pid=2198 comm="httpd" src=8122 scontext=system_u:system_r:httpd_t 
tcontext=system_u:object_r:port_t tclass=udp_socket
type=SOCKETCALL msg=audit(1139343826.935:1437306): nargs=3 a0=c a1=bf947fbc 
a2=10
type=SOCKADDR msg=audit(1139343826.935:1437306): 
saddr=02001FBB000000000000000000000000
type=SYSCALL msg=audit(1139343826.935:1437306): arch=40000003 syscall=102 
success=no exit=-13 a0=2 a1=bf9473b0 a2=416998 a3=892bed8 items=0 pid=2198 
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 
fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1139343826.935:1437306): avc:  denied  { name_bind } for  
pid=2198 comm="httpd" src=8123 scontext=system_u:system_r:httpd_t 
tcontext=system_u:object_r:port_t tclass=udp_socket
type=SOCKETCALL msg=audit(1139343826.935:1437307): nargs=3 a0=c a1=bf947fbc 
a2=10
type=SOCKADDR msg=audit(1139343826.935:1437307): 
saddr=02001FBC000000000000000000000000
type=SYSCALL msg=audit(1139343826.935:1437307): arch=40000003 syscall=102 
success=no exit=-13 a0=2 a1=bf9473b0 a2=416998 a3=892bed8 items=0 pid=2198 
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 
fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1139343826.935:1437307): avc:  denied  { name_bind } for  
pid=2198 comm="httpd" src=8124 scontext=system_u:system_r:httpd_t 
tcontext=system_u:object_r:port_t tclass=udp_socket

messages log
Feb  7 14:22:14 b kernel: audit: backlog limit exceeded
Feb  7 14:22:14 b kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: audit_lost=6450 audit_rate_limit=0 
audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: backlog limit exceeded
Feb  7 14:22:14 b kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: audit_lost=6451 audit_rate_limit=0 
audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: backlog limit exceeded
Feb  7 14:22:14 b kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: audit_lost=6452 audit_rate_limit=0 
audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: backlog limit exceeded
Feb  7 14:22:14 b kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: audit_lost=6453 audit_rate_limit=0 
audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: backlog limit exceeded
Feb  7 14:22:14 b kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: audit_lost=6454 audit_rate_limit=0 
audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: backlog limit exceeded
Feb  7 14:22:14 b kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: audit_lost=6455 audit_rate_limit=0 
audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: backlog limit exceeded
Feb  7 14:22:14 b kernel: audit: audit_backlog=257 > audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: audit_lost=6456 audit_rate_limit=0 
audit_backlog_limit=256
Feb  7 14:22:14 b kernel: audit: backlog limit exceeded
Feb  7 14:23:40 b auditd[1746]: Audit daemon rotating log files
Feb  7 14:23:44 b auditd[1746]: Audit daemon rotating log files

/etc/httpd/logs/error_log

threads.
[Tue Feb 07 12:32:26 2006] [notice] Apache/2.0.54 (Fedora) configured -- 
resuming normal operations
[Tue Feb 07 12:35:01 2006] [notice] SIGHUP received.  Attempting to restart
[Tue Feb 07 12:35:01 2006] [notice] Digest: generating secret for digest 
authentication ...
[Tue Feb 07 12:35:01 2006] [notice] Digest: done
[Tue Feb 07 12:35:01 2006] [notice] mod_python: Creating 4 session mutexes 
based on 256 max processes and 0 max threads.
[Tue Feb 07 12:35:02 2006] [notice] Apache/2.0.54 (Fedora) configured -- 
resuming normal operations
[Tue Feb 07 12:47:54 2006] [notice] suEXEC mechanism enabled 
(wrapper: /usr/sbin/suexec)
[Tue Feb 07 12:47:55 2006] [notice] Digest: generating secret for digest 
authentication ...
[Tue Feb 07 12:47:55 2006] [notice] Digest: done
[Tue Feb 07 12:47:55 2006] [notice] mod_python: Creating 4 session mutexes 
based on 256 max processes and 0 max threads.
[Tue Feb 07 12:47:56 2006] [notice] Apache/2.0.54 (Fedora) configured -- 
resuming normal operations
[Tue Feb 07 15:08:15 2006] [notice] suEXEC mechanism enabled 
(wrapper: /usr/sbin/suexec)
[Tue Feb 07 15:08:16 2006] [notice] Digest: generating secret for digest 
authentication ...
[Tue Feb 07 15:08:16 2006] [notice] Digest: done
[Tue Feb 07 15:08:17 2006] [notice] mod_python: Creating 4 session mutexes 
based on 256 max processes and 0 max threads.
[Tue Feb 07 15:08:18 2006] [notice] Apache/2.0.54 (Fedora) configured -- 
resuming normal operations

/etc/httpd/logs/ssl_error_log
[Tue Feb 07 11:49:34 2006] [warn] RSA server certificate CommonName (CN) 
`localhost.localdomain' does NOT match server name!?
[Tue Feb 07 11:52:29 2006] [warn] RSA server certificate CommonName (CN) 
`localhost.localdomain' does NOT match server name!?
[Tue Feb 07 12:20:45 2006] [warn] RSA server certificate CommonName (CN) 
`localhost.localdomain' does NOT match server name!?
[Tue Feb 07 12:20:47 2006] [warn] RSA server certificate CommonName (CN) 
`localhost.localdomain' does NOT match server name!?
[Tue Feb 07 12:32:26 2006] [warn] RSA server certificate CommonName (CN) 
`localhost.localdomain' does NOT match server name!?
[Tue Feb 07 12:35:02 2006] [warn] RSA server certificate CommonName (CN) 
`localhost.localdomain' does NOT match server name!?
[Tue Feb 07 12:47:55 2006] [warn] RSA server certificate CommonName (CN) 
`localhost.localdomain' does NOT match server name!?
[Tue Feb 07 12:47:56 2006] [warn] RSA server certificate CommonName (CN) 
`localhost.localdomain' does NOT match server name!?
[Tue Feb 07 15:08:16 2006] [warn] RSA server certificate CommonName (CN) 
`localhost.localdomain' does NOT match server name!?
[Tue Feb 07 15:08:18 2006] [warn] RSA server certificate CommonName (CN) 
`localhost.localdomain' does NOT match server name!?

Version-Release number of selected component (if applicable):
Linux b.gs4.us 2.6.11-1.1369_FC4 #1 Thu Jun 2 22:55:56 EDT 2005 i686 i686 i386 
GNU/Linux
mod_auth_radius_2.0
Apache 

How reproducible:
every time

Steps to Reproduce:
1. reboot the system
2. Bring up the web site.
3. Try to login
  
Actual results:
the system hangs and has to be rebooted via the power switch.

Expected results:
I should see the web site.

Additional info:

Comment 1 Joe Orton 2006-06-02 13:53:46 UTC
This is likely to be an SELinux policy issue; try

  setsebool httpd_can_network_connect=1

and if that fixes it run the command again passing the -P flag to make the
change permanent.

Comment 2 Joe Orton 2006-06-02 13:54:06 UTC
*** Bug 180409 has been marked as a duplicate of this bug. ***
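
The audit.log excerpt in the description records each refused bind() as a group of records sharing one event serial, with the raw socket address in the SOCKADDR record. As an added example (not part of the original report, and not code from any tool named in it), this Python code groups the records by serial and decodes that address next to the AVC denial; the function names are hypothetical and the sample lines are abridged from the excerpt with line wraps joined.

```python
import re
import socket
import struct
from collections import defaultdict

# Sample input: two events abridged from the audit.log excerpt above (wrapped lines joined).
SAMPLE = """\
type=SOCKADDR msg=audit(1139343826.935:1437305): saddr=02001FBA000000000000000000000000
type=SYSCALL msg=audit(1139343826.935:1437305): arch=40000003 syscall=102 success=no exit=-13 a0=2 pid=2198 uid=48 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1139343826.935:1437305): avc:  denied  { name_bind } for  pid=2198 comm="httpd" src=8122 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
type=SOCKADDR msg=audit(1139343826.935:1437306): saddr=02001FBB000000000000000000000000
type=AVC msg=audit(1139343826.935:1437306): avc:  denied  { name_bind } for  pid=2198 comm="httpd" src=8123 scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:port_t tclass=udp_socket
"""

HEADER = re.compile(r"type=(\w+) msg=audit\([\d.]+:(\d+)\):\s*(.*)")

def decode_saddr(hexstr):
    """Decode a raw sockaddr_in: family is little-endian on i386, port is network order."""
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8 or struct.unpack("<H", raw[:2])[0] != socket.AF_INET:
        return None  # not an IPv4 socket address
    port = struct.unpack("!H", raw[2:4])[0]
    return socket.inet_ntoa(raw[4:8]), port

def denied_binds(log_text):
    """Return one finding per audit event that contains an AVC denial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:  # records with the same serial belong to the same syscall
            events[m.group(2)][m.group(1)] = m.group(3).strip()
    findings = []
    for serial, recs in sorted(events.items()):
        avc = recs.get("AVC", "")
        perm = re.search(r"denied\s+\{ (\w+) \}", avc)
        if not perm:
            continue
        fields = dict(re.findall(r"(\w+)=(\S+)", avc))
        saddr = recs.get("SOCKADDR", "")
        addr = decode_saddr(saddr.split("=", 1)[1]) if saddr.startswith("saddr=") else None
        findings.append({"serial": serial, "perm": perm.group(1),
                         "tclass": fields.get("tclass"), "source": fields.get("scontext"),
                         "target": fields.get("tcontext"), "bind": addr})
    return findings

if __name__ == "__main__":
    for finding in denied_binds(SAMPLE):
        print(finding)
```

The decoded SOCKADDR port matches the `src=` value in the paired AVC record: httpd, running as `httpd_t`, was refused `name_bind` on UDP ports labelled `port_t`.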