Bug 430702

Summary: selinux needs to support apache mod_auth_shadow
Product: Red Hat Enterprise Linux 5
Component: selinux-policy-targeted
Version: 5.1
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: rc
Reporter: Steve Grubb <sgrubb>
Assignee: Daniel Walsh <dwalsh>
CC: dwalsh, ebenes, gowrishankar.rajaiyan, manmah4u, scottb
Doc Type: Bug Fix
Fixed In Version: RHBA-2008-0465
Last Closed: 2008-05-21 16:06:43 UTC

Attachments (all with flags: none):
  SELinux alert
  SELinux alert
  SELinux is preventing /usr/sbin/validate (system_chkpwd_t) "read write" to socket:[19495] (httpd_t).
  SELinux is preventing /usr/sbin/validate (system_chkpwd_t) "read" to eventpoll:[54222] (httpd_t).
  SELinux is preventing validate (system_chkpwd_t) "append" to /var/log/httpd/error_log (httpd_log_t)

Description Steve Grubb 2008-01-29 15:22:19 UTC
Description of problem:
When mod_auth_shadow is installed, apache doesn't work due to avc denials. There
is a setuid helper app that checks the password, /usr/sbin/validate, and it is of
bin_t type. It should probably be chkpwd_exec_t to allow it read access to shadow.

apache then needs to be allowed to transition to the resulting domain.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-104.el5

How reproducible:
always

Steps to Reproduce:
1. configure apache to allow access to a page by mod_auth_shadow
2. access the page
3. collect the avc

Comment 1 RHEL Program Management 2008-01-29 15:25:44 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.

Comment 2 Ranga Venkataraman 2008-01-30 16:26:27 UTC
Created attachment 293431
SELinux alert

SELinux alert when the allow_httpd_mod_auth_pam boolean is set to off.
Context of /etc/shadow is system_u:object_r:shadow_t.
Context of /usr/sbin/validate is system_u:object_r:chkpwd_exec_t.

Comment 3 Ranga Venkataraman 2008-01-30 16:27:39 UTC
Created attachment 293432
SELinux alert

SELinux alert when the allow_httpd_mod_auth_pam boolean is set to on.
Context of /etc/shadow is system_u:object_r:shadow_t.
Context of /usr/sbin/validate is system_u:object_r:chkpwd_exec_t.

Comment 4 Daniel Walsh 2008-01-31 18:52:42 UTC
Fixed in selinux-policy-2.4.6-118.el5

Comment 7 manoj 2008-02-15 11:00:09 UTC
This is still reproducible with selinux-policy-2.4.6-118.el5.

Comment 10 Daniel Walsh 2008-02-28 14:37:48 UTC
manoj, 

Could you attach the AVC messages you are seeing?

And you did have the allow_httpd_mod_auth_pam boolean turned on ?

getsebool allow_httpd_mod_auth_pam

setsebool -P allow_httpd_mod_auth_pam=1


Comment 11 manoj 2008-03-04 05:25:00 UTC
I don't see setroubleshoot alerts when I turn on allow_httpd_mod_auth_pam.
However, I'm unable to browse password-protected sites when SELinux is in enforcing mode.
Also note that there seems to be no problem when SELinux is disabled or permissive.

I see the httpd error log messages below.

[root@rhel5u164 Desktop]# tail -f /var/log/httpd/error_log
/usr/sbin/validate: No read access to /etc/shadow.  This program must be suid or sgid.
[Tue Mar 04 05:09:56 2008] [error] [client 10.1.6.11] Invalid password entered for user manoj
/usr/sbin/validate: No read access to /etc/shadow.  This program must be suid or sgid.
[Tue Mar 04 05:10:01 2008] [error] [client 10.1.6.11] Invalid password entered for user manoj


[root@rhel5u164 Desktop]# ls -lZ /etc/shadow
-rw-------  root root system_u:object_r:shadow_t       /etc/shadow


Comment 12 manoj 2008-03-04 05:30:43 UTC
[root@rhel5u164 Desktop]# ls -lZ /usr/sbin/validate
-rwsr-xr-x  root root system_u:object_r:sbin_t         /usr/sbin/validate

Below is the site's virtual host config file. Please note that the issue exists with
AuthPAM_Enabled On as well.
[root@rhel5u164 Desktop]# cat /etc/httpd/conf.d/aa_com.conf
Listen *:80
NameVirtualHost *:80
<VirtualHost *:80>
    #xmc:name aa.com
    ServerName aa.com
    DocumentRoot /var/www/html/aa.com
    #xmc:admin web
    ServerAdmin webmaster
    <Directory "/var/www/html/aa.com">
        Satisfy all
        AuthName "Restricted Area: aa.com"
        Require user manoj
        AuthType Basic
        AuthPAM_Enabled Off
        AuthShadow On
        AuthBasicAuthoritative Off
    </Directory>
</VirtualHost>



Comment 13 Daniel Walsh 2008-03-04 20:33:52 UTC
Yes, the file context is set wrong.

Fixed in selinux-policy-2.4.6-124.el5

If you chcon -t chkpwd_exec_t /usr/sbin/validate

Does it work?

Comment 14 manoj 2008-03-05 04:18:59 UTC
Yes, after changing the context of the validate binary to chkpwd_exec_t I'm able to
browse password-protected web sites. However, I get the setroubleshoot alert attached
below when I browse the sites.

Comment 15 manoj 2008-03-05 04:20:24 UTC
Created attachment 296844
SELinux is preventing /usr/sbin/validate (system_chkpwd_t) "read write" to socket:[19495] (httpd_t).

Please note that I don't have any functionality issues with the attached alert.

Comment 17 Eduard Benes 2008-03-26 12:25:29 UTC
(In reply to comment #15)
> Created an attachment (id=296844)
> SELinux is preventing /usr/sbin/validate (system_chkpwd_t) "read write" to socket:[19495] (httpd_t).
>
> Please note that I don't have any functionality issues with the attached alert.

Manoj, could you please try the latest policy and reply whether it works for 
you? It should solve the problem with those messages. 
Thank you.

Latest packages are available here:

  http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Comment 18 manoj 2008-04-07 09:02:18 UTC
With the latest SELinux policy, selinux-policy-2.4.6-125.el5, I get the alert attached
below when I browse password-protected web sites. As I said before, I don't see any
functionality issue, however.

/usr/sbin/validate has the correct context with the latest policy:
[root@rhel5u1 ~]# ls -lZ /usr/sbin/validate
-rwsr-xr-x  root root system_u:object_r:chkpwd_exec_t  /usr/sbin/validate

Comment 19 manoj 2008-04-07 09:03:09 UTC
Created attachment 301484
SELinux is preventing /usr/sbin/validate (system_chkpwd_t) "read" to eventpoll:[54222] (httpd_t).

Comment 20 Daniel Walsh 2008-04-08 12:58:12 UTC
This might be a leaked file descriptor.

xandros-libapache2-mod-auth-shadow-2.0.x.7-4

might be leaking a file descriptor that SELinux is closing before validate is run.

All open file descriptors should be closed on exec:

fcntl(fd, F_SETFD, FD_CLOEXEC)
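
The fix in the comment above, shown as an added example (my own code, not code from mod_auth_shadow or from this bug report). Python's fcntl module issues the same fcntl(2) calls the C one-liner does, and the example spawns a child to prove the effect rather than only reading the flag back: a descriptor without FD_CLOEXEC is still open in the exec'd child, a descriptor with it is not. The high descriptor number and the use of /dev/null are assumptions of the demo; Python 3.4+ opens files close-on-exec by default (PEP 446), so the example clears the flag deliberately to reproduce what a C open(2) without O_CLOEXEC leaves behind.

```python
"""Show why a descriptor that is not close-on-exec reaches a setuid helper such
as /usr/sbin/validate, and the fcntl(fd, F_SETFD, FD_CLOEXEC) fix from Comment 20.

Added example, not code from mod_auth_shadow or from this bug report.
"""
import fcntl
import os
import subprocess
import sys

# Assumption of the demo: a descriptor number the child's own start-up will not
# have reused, so "fd still open in the child" really means "inherited".
HIGH_FD = 200


def is_cloexec(fd):
    """True if the kernel will close fd when this process calls execve(2)."""
    return bool(fcntl.fcntl(fd, fcntl.F_GETFD) & fcntl.FD_CLOEXEC)


def set_cloexec(fd):
    """The fix from Comment 20: mark an already-open descriptor close-on-exec
    without disturbing any other FD_* flags."""
    flags = fcntl.fcntl(fd, fcntl.F_GETFD)
    fcntl.fcntl(fd, fcntl.F_SETFD, flags | fcntl.FD_CLOEXEC)


def open_fds(limit=256):
    """Descriptors currently open in this process, probed with F_GETFD so the
    audit works without /proc."""
    found = []
    for fd in range(limit):
        try:
            fcntl.fcntl(fd, fcntl.F_GETFD)
        except OSError:
            continue
        found.append(fd)
    return found


def leaked_fds(limit=256):
    """Descriptors a helper would inherit across exec: open and not close-on-exec.
    stdin/stdout/stderr are excluded because the helper is meant to inherit them."""
    return [fd for fd in open_fds(limit) if fd > 2 and not is_cloexec(fd)]


def open_leaky_fd():
    """Open /dev/null the way a C open(2) without O_CLOEXEC would leave it.
    Python 3.4+ opens files close-on-exec by default (PEP 446); dup2 onto a new
    number with inheritable=True leaves FD_CLOEXEC clear, which is the bug we
    want to reproduce."""
    raw = os.open(os.devnull, os.O_RDONLY)
    os.dup2(raw, HIGH_FD, inheritable=True)
    os.close(raw)
    return HIGH_FD


# Child program standing in for the setuid helper: exit 0 if the descriptor
# named on its command line is open, 1 if exec closed it.
CHILD = (
    "import os, sys\n"
    "try:\n"
    "    os.fstat(int(sys.argv[1]))\n"
    "except OSError:\n"
    "    sys.exit(1)\n"
)


def child_can_see(fd):
    """fork()+execve() a child and ask whether fd survived. close_fds=False mirrors
    a plain C fork/exec: only descriptors flagged FD_CLOEXEC get closed."""
    proc = subprocess.run([sys.executable, "-c", CHILD, str(fd)], close_fds=False)
    return proc.returncode == 0


def demo():
    """(leaked before fix, visible to child before fix, leaked after, visible after)."""
    fd = open_leaky_fd()
    try:
        before = (fd in leaked_fds(), child_can_see(fd))
        set_cloexec(fd)
        after = (fd in leaked_fds(), child_can_see(fd))
    finally:
        os.close(fd)
    return before + after


if __name__ == "__main__":
    print(demo())  # (True, True, False, False)
```

leaked_fds() is the audit to run in the parent just before spawning a helper: anything it lists other than the pipes you intend the helper to read is exactly what shows up as a denial against the parent's domain once the child lands in a different SELinux domain.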


Comment 22 errata-xmlrpc 2008-05-21 16:06:43 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html


Comment 23 manoj 2008-06-05 06:39:19 UTC
On a RHEL 5.2 system with selinux-policy 2.4.6-137 I see the SELinux alert attached
below when I follow the original method described in this bug. Please note there
is no functionality issue.

Comment 24 manoj 2008-06-05 06:41:42 UTC
Created attachment 308414
SELinux is preventing validate (system_chkpwd_t) "append" to /var/log/httpd/error_log (httpd_log_t)

Comment 25 Daniel Walsh 2008-06-09 19:49:36 UTC
This is a simple redirection of stdout in the code. It can be ignored, or you can add
custom policy by using audit2allow:

grep httpd_log_t /var/log/audit/audit.log | audit2allow -M myhttp
semodule -i myhttp.pp
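
The two commands above are all the report says about audit2allow. The added example below (my own code, not from the bug report or the selinux-policy package, in Python because audit2allow and setroubleshoot are themselves Python tools) shows what that pipeline does with the denials in this thread, and adds the check Comment 20 implies: a socket, pipe or eventpoll object carries the context of the process that created it, so its role is a process role (system_r) rather than object_r, and a denial from a different domain on such an object points at a descriptor that survived exec, to be fixed with FD_CLOEXEC in the parent rather than granted. The AVC records are constructed to match the setroubleshoot summaries in the attachments; the pids, inode numbers, timestamps and object classes (tcp_socket for the socket, file for the eventpoll) are assumptions.

```python
"""Turn SELinux AVC denials into allow rules the way audit2allow does, and flag
the denials that look like an inherited (leaked) descriptor instead of a
missing permission.

Added example, not code from the bug report or the selinux-policy package.
"""
import re
from collections import defaultdict

# CONSTRUCTED sample shaped like type=AVC records in /var/log/audit/audit.log,
# matching the three setroubleshoot summaries attached to this bug. The pids,
# inode numbers, timestamps and object classes are assumptions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1204607396.123:1001): avc:  denied  { read write } for  pid=4321 comm="validate" path="socket:[19495]" dev=sockfs ino=19495 scontext=system_u:system_r:system_chkpwd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=tcp_socket
type=AVC msg=audit(1204607396.124:1002): avc:  denied  { read } for  pid=4321 comm="validate" path="eventpoll:[54222]" dev=eventpollfs ino=54222 scontext=system_u:system_r:system_chkpwd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=file
type=AVC msg=audit(1212647971.456:2001): avc:  denied  { append } for  pid=5678 comm="validate" path="/var/log/httpd/error_log" dev=dm-0 ino=262145 scontext=system_u:system_r:system_chkpwd_t:s0 tcontext=system_u:object_r:httpd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1212647971.456:2001): arch=c000003e syscall=2 success=no exit=-13 comm="validate" exe="/usr/sbin/validate" subj=system_u:system_r:system_chkpwd_t:s0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(text):
    """One dict per AVC denial; SYSCALL and other record types are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            records.append({
                "perms": set(m.group("perms").split()),
                "comm": m.group("comm"),
                "scontext": m.group("scontext"),
                "tcontext": m.group("tcontext"),
                "tclass": m.group("tclass"),
            })
    return records


def ctx_role(ctx):
    """user:role:type[:range] -> role"""
    return ctx.split(":")[1]


def ctx_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def looks_like_inherited_fd(rec):
    """Sockets, pipes and eventpoll objects are labelled with the context of the
    process that created them, so their role is a process role (system_r), not
    object_r. A denial from a different domain on such an object almost always
    means a descriptor survived exec: fix with FD_CLOEXEC in the parent (Comment 20)
    rather than an allow rule."""
    return (ctx_role(rec["tcontext"]) != "object_r"
            and ctx_type(rec["tcontext"]) != ctx_type(rec["scontext"]))


def allow_rules(records):
    """Merge denials into one rule per (source type, target type, class), as
    audit2allow does."""
    merged = defaultdict(set)
    for rec in records:
        key = (ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]), rec["tclass"])
        merged[key] |= rec["perms"]
    return ["allow %s %s:%s { %s };" % (s, t, c, " ".join(sorted(p)))
            for (s, t, c), p in sorted(merged.items())]


def triage(text):
    """Split the log into (rules worth adding, rules that would only paper over a
    leaked descriptor)."""
    records = parse_avc(text)
    grant = [r for r in records if not looks_like_inherited_fd(r)]
    leaked = [r for r in records if looks_like_inherited_fd(r)]
    return allow_rules(grant), allow_rules(leaked)


if __name__ == "__main__":
    grant, leaked = triage(SAMPLE_AUDIT_LOG)
    print("# candidates for audit2allow -M / semodule -i:")
    print("\n".join(grant))
    print("# fix with FD_CLOEXEC in the parent instead:")
    print("\n".join(leaked))
```

The first list is what audit2allow -M would wrap into a .te file and compile with checkmodule and semodule_package; for the second list an allow rule only hides the leak. If you decide, as Comment 25 allows, that the error_log append is harmless, a dontaudit rule with the same source, target and class silences the message without widening what system_chkpwd_t may do.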