Bug 430702
Summary: | selinux needs to support apache mod_auth_shadow | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Steve Grubb <sgrubb> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 5.1 | CC: | dwalsh, ebenes, gowrishankar.rajaiyan, manmah4u, scottb |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | RHBA-2008-0465 | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2008-05-21 16:06:43 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Attachments: | | | |
Description
Steve Grubb
2008-01-29 15:22:19 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.

Created attachment 293431 [details]
SELinux alert
SELinux alert when allow_httpd_mod_auth_pam boolean is set to off.
Context of /etc/shadow is system_u:object_r:shadow_t.
Context of /usr/sbin/validate is system_u:object_r:chkpwd_exec_t.
Created attachment 293432 [details]
SELinux alert
SELinux alert when allow_httpd_mod_auth_pam boolean is set to on.
Context of /etc/shadow is system_u:object_r:shadow_t.
Context of /usr/sbin/validate is system_u:object_r:chkpwd_exec_t.
Fixed in /selinux-policy-2.4.6-118.el5

This is still reproducible with SELinux-policy-2.4.6-118.el5

manoj, Could you attach the AVC messages you are seeing? And you did have the allow_httpd_mod_auth_pam boolean turned on?

```
getsebool allow_httpd_mod_auth_pam
setsebool -P allow_httpd_mod_auth_pam=1
```

I don't see setroubleshoot alerts when I turn on allow_httpd_mod_auth_pam. However I'm unable to browse password protected sites when SELinux is enforced. Also note that there seems to be no problem when SELinux is disabled/permissive. I see the below httpd error log messages.

```
[root@rhel5u164 Desktop]# tail -f /var/log/httpd/error_log
/usr/sbin/validate: No read access to /etc/shadow. This program must be suid or sgid.
[Tue Mar 04 05:09:56 2008] [error] [client 10.1.6.11] Invalid password entered for user manoj
/usr/sbin/validate: No read access to /etc/shadow. This program must be suid or sgid.
[Tue Mar 04 05:10:01 2008] [error] [client 10.1.6.11] Invalid password entered for user manoj
[root@rhel5u164 Desktop]# ls -lZ /etc/shadow
-rw------- root root system_u:object_r:shadow_t /etc/shadow
[root@rhel5u164 Desktop]# ls -lZ /usr/sbin/validate
-rwsr-xr-x root root system_u:object_r:sbin_t /usr/sbin/validate
```

Below is the site virtual host config file. Please note that the issue exists when AuthPAM_Enabled On as well.

```
[root@rhel5u164 Desktop]# cat /etc/httpd/conf.d/aa_com.conf
Listen *:80
NameVirtualHost *:80
<VirtualHost *:80>
#xmc:name aa.com
ServerName aa.com
DocumentRoot /var/www/html/aa.com
#xmc:admin web
ServerAdmin webmaster
<Directory "/var/www/html/aa.com">
Satisfy all
AuthName "Restricted Area: aa.com"
Require user manoj
AuthType Basic
AuthPAM_Enabled Off
AuthShadow On
AuthBasicAuthoritative Off
</Directory>
</VirtualHost>
```

Yes the file context is set wrong.

Fixed in /selinux-policy-2.4.6-124.el5

If you chcon -t chkpwd_exec_t /usr/sbin/validate, does it work?
Yes, after changing the context of the validate binary to chkpwd_exec_t I'm able to browse password protected Web Sites. However I get the below attached Setroubleshoot alert when I browse the sites.

Created attachment 296844 [details]

SELinux is preventing /usr/sbin/validate (system_chkpwd_t) "read write" to socket:[19495] (httpd_t).
Please note that I don't have any functionality issues with the attached alert.
(In reply to comment #15)
> Created an attachment (id=296844) [edit]
> SELinux is preventing /usr/sbin/validate (system_chkpwd_t) "read write" to
> socket:[19495] (httpd_t).
>
> Please note that I don't have any functionality issues with the attached alert.

Manoj, could you please try the latest policy and reply whether it works for you? It should solve the problem with those messages. Thank you.

Latest packages are available here: http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

With the latest SELinux policy selinux-policy-2.4.6-125.el5, I get the below attached alert when I browse password protected web sites. As I said before, I don't see any functionality issue however.

/usr/sbin/validate was having the correct context with the latest policy.

```
[root@rhel5u1 ~]#
-rwsr-xr-x root root system_u:object_r:chkpwd_exec_t /usr/sbin/validate
```

Created attachment 301484 [details]

SELinux is preventing /usr/sbin/validate (system_chkpwd_t) "read" to eventpoll:[54222] (httpd_t).
This might be a leaked file descriptor.

xandros-libapache2-mod-auth-shadow-2.0.x.7-4

Might be leaking a file descriptor that selinux is closing before validate is run.

All open file descriptors should be closed on exec:

```
fcntl(fd, F_SETFD, FD_CLOEXEC)
```

An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html

On a RHEL5u2 system with selinux policy 2.4.6-137 I see the below attached SELinux alert when I follow the original method described in this bug. Please note there is no functionality issue.

Created attachment 308414 [details]
SELinux is preventing validate (system_chkpwd_t) "append" to /var/log/httpd/error_log (httpd_log_t)
This is a simple code redirection of stdout. Can be ignored, or you can add custom policy by using audit2allow:

```
grep httpd_log_t /var/log/audit/audit.log | audit2allow -M myhttp
semodule -i myhttp.pp
```
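As an added example, not code from this bug report or from mod_auth_shadow, this shows the close-on-exec handling recommended in the "leaked file descriptor" comment above: before a parent such as an httpd worker exec's a privileged helper like /usr/sbin/validate, every inherited descriptor beyond stderr is marked FD_CLOEXEC, so the helper never receives the socket or eventpoll descriptors that produced the AVC denials in this bug. The function names and the pipe used as sample input are assumptions.

```c
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/resource.h>

/* Added example; is_cloexec and close_on_exec_from are assumed names. */

/* 1 if fd is open and close-on-exec, 0 if open but inherited across exec,
 * -1 if fd is not open. */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark every open descriptor >= first_fd close-on-exec. A parent does this
 * before fork()/exec() of a helper so sockets, epoll instances and log
 * files are not leaked into it. Returns the number of descriptors newly
 * marked, or -1 on error. */
int close_on_exec_from(int first_fd) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    long limit = (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur > 65536)
                     ? 65536 : (long)rl.rlim_cur;   /* keep the scan bounded */
    int marked = 0;
    for (long fd = first_fd; fd < limit; fd++) {
        int flags = fcntl((int)fd, F_GETFD);
        if (flags == -1)
            continue;                       /* EBADF: slot not in use */
        if (flags & FD_CLOEXEC)
            continue;                       /* already safe */
        if (fcntl((int)fd, F_SETFD, flags | FD_CLOEXEC) == -1)
            return -1;
        marked++;
    }
    return marked;
}

int main(void) {
    int p[2];
    if (pipe(p) != 0)                       /* constructed sample fds */
        return 1;
    printf("before: fd %d cloexec=%d\n", p[0], is_cloexec(p[0]));
    int n = close_on_exec_from(3);          /* keep stdin/stdout/stderr */
    printf("marked %d descriptor(s); fd %d cloexec=%d\n",
           n, p[0], is_cloexec(p[0]));
    return 0;
}
```

The same scan can be placed just before the exec in the parent's child branch after fork(); descriptors the child must keep (for instance a pipe carrying the password to validate) are dup'd to fd 0 first and therefore stay below first_fd.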