Bug 246079

Field | Value
---|---
Summary | lot of AVC's when starting httpd
Product | Red Hat Enterprise Linux 5
Reporter | Jan Hutař <jhutar>
Component | mod_nss
Assignee | Rob Crittenden <rcritten>
Status | CLOSED WORKSFORME
Severity | low
Priority | low
Version | 5.0
CC | nalin, rcritten
Hardware | All
OS | Linux
Doc Type | Bug Fix
Last Closed | 2008-01-07 15:33:06 UTC
Description

Jan Hutař
2007-06-28 12:51:29 UTC

Created attachment 158118 [details]
audit log from RHEL-5-Server i386

What version of selinux-policy-targeted is installed? This should have been fixed in http://rhn.redhat.com/errata/RHBA-2007-0171.html (bug 210003)

Sorry, I forgot to attach this info. It was on the QA stable systems which are supposed to be quite up2date, but sometimes they are not.

2007:0171 is for RHEL-4, so not applicable here.

So now second try:
1. updated to NEW packages from 2007:0541 (libselinux) and 2007:0544 (selinux-policy)
2. # setenforce 1
3. # load_policy -b
4. # : > /var/log/audit/audit.log
5. # service httpd start
6. # wc -l /var/log/audit/audit.log => 146 rows (log attached)

httpd-2.2.3-7.el5.x86_64
mod_nss-1.0.3-4.el5.x86_64
selinux-policy-targeted-2.4.6-77.el5.noarch

Created attachment 158410 [details]
audit log from RHEL-5-Client x86_64
Ah, right you are. Sorry, I guess we need to get those RHEL-4 fixes migrated up.

This looks like you have avc messages from two different sources.

One, you are running on an NIS box without the allow_ypbind boolean turned on. This is causing

    allow httpd_t hi_reserved_port_t:tcp_socket name_bind;
    allow httpd_t portmap_port_t:tcp_socket name_connect;
    allow httpd_t var_yp_t:dir search;

to be required. I think if you turn on that boolean this will go away.

    allow httpd_t proc_net_t:dir { read search };
    allow httpd_t self:appletalk_socket create;
    allow httpd_t self:socket create;

This is being caused because you are execing netstat under the covers in the mod_nss binary and it is requesting all these accesses. The reason you are execing netstat is to generate randomness and this is not necessary on a Linux system. We have a bugzilla elsewhere to build libnss without the netstat command.

    allow httpd_t self:capability sys_nice;

The 5.1 policy has this.

Reference Bugzilla #246517

Thanks - now I wasn't able to reproduce these:

    allow httpd_t hi_reserved_port_t:tcp_socket name_bind;
    allow httpd_t portmap_port_t:tcp_socket name_connect;
    allow httpd_t var_yp_t:dir search;

(used authconfig-tui to turn on/off the NIS and setsebool to set allow_ypbind on/off)

But I still have this one (together with the AVCs that bug 246517 solves):

    allow httpd_t self:capability sys_nice;

even with new SELinux related stuff installed (haven't rebooted/relabeled, just updated the packages):

selinux-policy-targeted-2.4.6-77.el5.noarch (2007:0544)
policycoreutils-1.33.12-12.el5.i386 (2007:0543)

This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. This request will be reviewed for a future Red Hat Enterprise Linux release.

I can't reproduce this in RHEL 5.1. Can you try again with a freshly updated system?

I can not reproduce it either (on multiple systems), thank you.

selinux-policy-targeted-2.4.6-106.el5_1.3.noarch
policycoreutils-1.33.12-12.el5.i386

I'm going to close this as WORKSFORME since I have no idea exactly which selinux policy version fixed it.
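As an added example that is not part of this bug report and not code from the mod_nss or selinux-policy projects, the script below turns raw AVC denial records from /var/log/audit/audit.log into the same `allow ... ;` form quoted in the thread (the form audit2allow prints) and annotates each rule with the explanation the comments above give for it. The audit lines are constructed samples in the RHEL 5 audit format, not taken from the attached logs; the triage hints (allow_ypbind for the NIS-related denials, netstat for the proc_net_t and socket denials, the 5.1 policy for sys_nice) are taken from the thread, and anything else is flagged for investigation rather than silently turned into a local policy module.

```python
import re
from collections import defaultdict

# Constructed sample records in the RHEL 5 audit.log AVC format. They are not
# taken from the bug's attachments; pids, timestamps and inode numbers are made up.
SAMPLE_AUDIT_LINES = [
    'type=AVC msg=audit(1183034000.101:11): avc:  denied  { name_bind } for  pid=4101 comm="httpd" src=1023 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket',
    'type=SYSCALL msg=audit(1183034000.101:11): arch=40000003 syscall=102 success=no exit=-13 pid=4101 comm="httpd" exe="/usr/sbin/httpd"',
    'type=AVC msg=audit(1183034000.102:12): avc:  denied  { name_connect } for  pid=4101 comm="httpd" dest=111 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket',
    'type=AVC msg=audit(1183034000.103:13): avc:  denied  { search } for  pid=4101 comm="httpd" name="yp" dev=dm-0 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir',
    'type=AVC msg=audit(1183034000.104:14): avc:  denied  { read } for  pid=4102 comm="netstat" name="net" dev=proc ino=-268435432 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir',
    'type=AVC msg=audit(1183034000.104:15): avc:  denied  { search } for  pid=4102 comm="netstat" name="net" dev=proc ino=-268435432 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir',
    'type=AVC msg=audit(1183034000.105:16): avc:  denied  { sys_nice } for  pid=4101 comm="httpd" capability=23 scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability',
]

# Matches the denial, the permission set and the three context fields; SYSCALL
# and other non-AVC records do not match and are skipped.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return None for anything that is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        'perms': set(m.group('perms').split()),
        'stype': type_of(m.group('scontext')),
        'ttype': type_of(m.group('tcontext')),
        'tclass': m.group('tclass'),
    }


def summarize_avcs(lines):
    """Collapse denials into audit2allow-style rules, one per (source, target, class)."""
    needed = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            needed[(rec['stype'], rec['ttype'], rec['tclass'])].update(rec['perms'])
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        # A target type equal to the source type is written as "self", as in the thread.
        target = 'self' if ttype == stype else ttype
        perm_text = ' '.join(sorted(perms))
        if len(perms) > 1:
            perm_text = '{ ' + perm_text + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {perm_text};')
    return rules


# Explanations the thread gives for each group of denials (hypothetical triage table).
YPBIND_COVERED = {('hi_reserved_port_t', 'tcp_socket', 'name_bind'),
                  ('portmap_port_t', 'tcp_socket', 'name_connect'),
                  ('var_yp_t', 'dir', 'search')}
NETSTAT_TARGETS = {('proc_net_t', 'dir'), ('self', 'appletalk_socket'), ('self', 'socket')}
RULE_RE = re.compile(r'allow (\S+) (\S+):(\S+) (?:\{ (.+) \}|(\S+));')


def triage_rule(rule):
    """Map a rule string to the explanation the thread gives, or flag it for investigation."""
    m = RULE_RE.fullmatch(rule)
    if m is None:
        return 'unparsed rule'
    _, ttype, tclass, multi, single = m.groups()
    perms = (multi or single).split()
    if all((ttype, tclass, p) in YPBIND_COVERED for p in perms):
        return 'allow_ypbind boolean (NIS client)'
    if (ttype, tclass) in NETSTAT_TARGETS:
        return 'netstat executed by mod_nss for entropy (bug 246517)'
    if ttype == 'self' and tclass == 'capability' and perms == ['sys_nice']:
        return 'allowed by the RHEL 5.1 policy'
    return 'unexplained: investigate before adding a local policy module'


if __name__ == '__main__':
    for rule in summarize_avcs(SAMPLE_AUDIT_LINES):
        print(f'{rule:58} # {triage_rule(rule)}')
```

The point of the triage step is the one the thread makes implicitly: three of the rules disappear by setting an existing boolean, three come from a child process the module should not be running at all, and only one is a genuine policy gap, so feeding the whole audit2allow output into a local module would grant httpd_t far more than it needs. Running the script on a real audit.log only requires replacing the sample list with the file's lines.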