Bug 246079
Summary: lot of AVC's when starting httpd

Product: Red Hat Enterprise Linux 5
Component: mod_nss
Version: 5.0
Hardware: All
OS: Linux
Status: CLOSED WORKSFORME
Severity: low
Priority: low
Reporter: Jan Hutař <jhutar>
Assignee: Rob Crittenden <rcritten>
CC: nalin, rcritten
Doc Type: Bug Fix
Last Closed: 2008-01-07 15:33:06 UTC

Attachments:
  audit log from RHEL-5-Server i386
  audit log from RHEL-5-Client x86_64

Description Jan Hutař 2007-06-28 12:51:29 UTC
Description of problem:
When I have the default mod_nss installed, I'm getting some "AVC denied" messages each time 
httpd is started.


Version-Release number of selected component (if applicable):
mod_nss-1.0.3-4.el5.i386


How reproducible:
always


Steps to Reproduce:
1. : > /var/log/audit/audit.log
2. service httpd start
3. cat /var/log/audit/audit.log


Actual results:
some "AVC denied" - audit log from RHEL-5-Server i386 attached


Expected results:
no "AVC denied"


Additional info:
# rpm -V mod_nss
# echo $?
0

Tested on all RHEL-5 variants.

I'm not sure if this is a bug, but maybe it would be good to create some SELinux 
boolean like "httpd_enable_nss".

Comment 1 Jan Hutař 2007-06-28 12:51:30 UTC
Created attachment 158118
audit log from RHEL-5-Server i386

Comment 2 Rob Crittenden 2007-07-02 17:15:31 UTC
What version of selinux-policy-targeted is installed? This should have been
fixed in http://rhn.redhat.com/errata/RHBA-2007-0171.html (bug 210003)

Comment 3 Jan Hutař 2007-07-03 06:47:45 UTC
Sorry, I forgot to attach this info. It was on the QA stable systems, which are 
supposed to be quite up2date, but sometimes they are not. 2007:0171 is for RHEL-4, 
so not applicable here.

So now, second try:
1. updated to NEW packages from 2007:0541 (libselinux) and 2007:0544 (selinux-policy)
2. # setenforce 1
3. # load_policy -b
4. # : > /var/log/audit/audit.log
5. # service httpd start
6. # wc -l /var/log/audit/audit.log
=> 146 rows (log attached)

httpd-2.2.3-7.el5.x86_64
mod_nss-1.0.3-4.el5.x86_64
selinux-policy-targeted-2.4.6-77.el5.noarch

Comment 4 Jan Hutař 2007-07-03 06:50:07 UTC
Created attachment 158410
audit log from RHEL-5-Client x86_64

Comment 5 Rob Crittenden 2007-07-03 12:34:36 UTC
Ah, right you are. Sorry, I guess we need to get those RHEL-4 fixes migrated up.

Comment 6 Daniel Walsh 2007-07-10 14:43:44 UTC
This looks like you have avc messages from two different sources.

One: you are running on an NIS box without the allow_ypbind boolean turned on. 
This is causing 

allow httpd_t hi_reserved_port_t:tcp_socket name_bind;
allow httpd_t portmap_port_t:tcp_socket name_connect;
allow httpd_t var_yp_t:dir search;

To be required.  I think if you turn on that boolean this will go away.


allow httpd_t proc_net_t:dir { read search };
allow httpd_t self:appletalk_socket create;
allow httpd_t self:socket create;

This is being caused because you are execing netstat under the covers in the
mod_nss binary and it is requesting all these accesses. The reason you are execing
netstat is to generate randomness and this is not necessary on a Linux system. 
We have a bugzilla elsewhere to build libnss without the netstat command.


allow httpd_t self:capability sys_nice;

The 5.1 policy has this.

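Reading an audit.log the way comment 6 does, as an added example (this is neither the bug's attachment nor Red Hat's audit2allow): the script below groups denied AVC records into the allow rules quoted above, merging permissions per (source type, target type, class) and writing `self` when source and target type coincide, and then splits the same rules by the `comm=` that triggered them, so denials coming from the netstat helper that mod_nss execs can be told apart from httpd's own. The log excerpt embedded in it is constructed to match the denials listed in comment 6 (including one SYSCALL record and one "granted" record the parser must skip); it is not copied from the attachments, and the assumption that netstat still runs as httpd_t follows from the rules in comment 6 being on httpd_t.

```python
import re
from collections import defaultdict

# Constructed RHEL 5 style audit.log excerpt (audit 1.x record format). It is
# not the bug's attachment; the denials are made up to match the rules quoted
# in comment 6, plus a non-AVC record and a "granted" record to be skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1183483547.236:101): avc:  denied  { name_bind } for  pid=2345 comm="httpd" src=1023 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=SYSCALL msg=audit(1183483547.236:101): arch=c000003e syscall=49 success=no exit=-13 items=0 ppid=2344 pid=2345 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1183483547.240:102): avc:  denied  { name_connect } for  pid=2345 comm="httpd" dest=111 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1183483547.241:103): avc:  denied  { search } for  pid=2345 comm="httpd" name="yp" dev=dm-0 ino=1234 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1183483547.300:104): avc:  denied  { read } for  pid=2350 comm="netstat" name="net" dev=proc ino=-268435456 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1183483547.301:105): avc:  denied  { search } for  pid=2350 comm="netstat" name="net" dev=proc ino=-268435456 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1183483547.302:106): avc:  denied  { create } for  pid=2350 comm="netstat" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=appletalk_socket
type=AVC msg=audit(1183483547.303:107): avc:  denied  { create } for  pid=2350 comm="netstat" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=socket
type=AVC msg=audit(1183483547.310:108): avc:  denied  { sys_nice } for  pid=2345 comm="httpd" capability=23 scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability
type=AVC msg=audit(1183483547.311:109): avc:  granted  { setenforce } for  pid=1000 comm="setenforce" scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# "type=AVC ... avc:  denied  { perm perm } for  key=value key=value ..."
AVC_HEAD_RE = re.compile(
    r'^type=AVC\b.*?avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')
# key=value fields after "for"; values are double-quoted (comm="httpd") or bare.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(context):
    """Return the type field of a user:role:type[:range] SELinux context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one AVC record; return None for non-AVC or malformed lines."""
    m = AVC_HEAD_RE.match(line.strip())
    if m is None:
        return None
    decision, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'decision': decision,
        'perms': set(perms.split()),
        'comm': fields.get('comm', '?'),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
    }


def denied_avcs(log_text):
    """Yield parsed records for 'denied' AVCs only; 'granted' ones are noise here."""
    for line in log_text.splitlines():
        avc = parse_avc(line)
        if avc is not None and avc['decision'] == 'denied':
            yield avc


def allow_rules(avcs):
    """Merge denials into allow rules keyed on (source type, target type, class),
    writing 'self' when source and target type coincide, as audit2allow does."""
    merged = defaultdict(set)
    for avc in avcs:
        ttype = 'self' if avc['ttype'] == avc['stype'] else avc['ttype']
        merged[(avc['stype'], ttype, avc['tclass'])] |= avc['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
        rules.append('allow %s %s:%s %s;' % (stype, ttype, tclass, perm_str))
    return rules


def allow_rules_from_log(log_text):
    return allow_rules(denied_avcs(log_text))


def rules_by_comm(log_text):
    """Same rules, split by the comm= that triggered them: this separates what
    httpd itself did from what a helper it exec'd (netstat) did."""
    by_comm = defaultdict(list)
    for avc in denied_avcs(log_text):
        by_comm[avc['comm']].append(avc)
    return {comm: allow_rules(avcs) for comm, avcs in sorted(by_comm.items())}


if __name__ == '__main__':
    print('# all denials, merged like audit2allow:')
    for rule in allow_rules_from_log(SAMPLE_AUDIT_LOG):
        print(rule)
    for comm, rules in rules_by_comm(SAMPLE_AUDIT_LOG).items():
        print('\n# triggered by comm=%s:' % comm)
        for rule in rules:
            print(rule)
```

On a real RHEL 5 box the merged list is what `audit2allow -i /var/log/audit/audit.log` prints; the reason for keeping the `comm=` split is that the output is not something to load as a local module wholesale. The NIS-related rules are already covered by the allow_ypbind boolean, so the right fix is `setsebool -P allow_ypbind on`, not a new rule, and the proc_net_t / appletalk_socket / socket rules describe what the netstat helper needs, which comment 6 says belongs in a library fix rather than in httpd_t's policy.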


Comment 7 Daniel Walsh 2007-07-10 15:11:13 UTC
Reference Bugzilla #246517

Comment 8 Jan Hutař 2007-07-12 14:10:09 UTC
Thanks - now I wasn't able to reproduce these:

allow httpd_t hi_reserved_port_t:tcp_socket name_bind;
allow httpd_t portmap_port_t:tcp_socket name_connect;
allow httpd_t var_yp_t:dir search;

(used authconfig-tui to turn on/off the NIS and setsebool to set allow_ypbind 
on/off)

But I still have this one (together with the AVCs that bug 246517 solves):

allow httpd_t self:capability sys_nice;

even with new SELinux related stuff installed (haven't rebooted/relabeled, just 
updated the packages):

selinux-policy-targeted-2.4.6-77.el5.noarch (2007:0544)
policycoreutils-1.33.12-12.el5.i386 (2007:0543)

Comment 9 RHEL Program Management 2007-12-03 20:43:35 UTC
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release.  This request will
be reviewed for a future Red Hat Enterprise Linux release.

Comment 10 Rob Crittenden 2008-01-03 21:07:58 UTC
I can't reproduce this in RHEL 5.1. Can you try again with a freshly updated system?

Comment 11 Jan Hutař 2008-01-07 09:20:06 UTC
I can not reproduce it either (on multiple systems), thank you.

selinux-policy-targeted-2.4.6-106.el5_1.3.noarch
policycoreutils-1.33.12-12.el5.i386

Comment 12 Rob Crittenden 2008-01-07 15:33:06 UTC
I'm going to close this as WORKSFORME since I have no idea exactly which selinux
policy version fixed it.