Bug 579105

Summary: SELinux denies access for mod_auth_pam
Product: Red Hat Enterprise Linux 5 Reporter: Vadym Chepkov <vchepkov>
Component: selinux-policy-targetedAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: low    
Version: 5.4CC: dwalsh, jrieden, mmalik, slukasik
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
When the httpd service was configured to use the "mod_auth_pam" module with winbind, users were denied access, even though the "allow_httpd_mod_auth_pam" and "httpd_can_network_connect" booleans were set to "on". With this update, "allow_httpd_mod_auth_pam" has been corrected, and users are no longer denied access with this configuration.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-13 21:48:46 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Vadym Chepkov 2010-04-02 16:57:23 UTC 
selinux-policy-targeted-2.4.6-255.el5_4.4

httpd is configured to use mod_auth_pamd via winbind

booleans have been set

allow_httpd_mod_auth_pam -->  on
httpd_can_network_connect -->  on

user access gets access denied. 
The following avc has been generated in permissive mode:

type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 a0=10 a1=3 a2=9 a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:37): avc:  denied  { create } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket

type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 a0=13 a1=7fff640fa9c0 a2=7c a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:38): avc:  denied  { nlmsg_relay } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc:  denied  { write } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket

type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 a0=13 a1=7fff640f8690 a2=231c a3=42 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:39): avc:  denied  { read } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
Comment 1 Daniel Walsh 2010-04-05 12:43:17 UTC 
Miroslav in RHEL6 we have.

tunable_policy(`allow_httpd_mod_auth_pam',`
	auth_domtrans_chk_passwd(httpd_t)
	logging_send_audit_msgs(httpd_t)
')

Can you add this to RHEL5 and F12.
Comment 3 Miroslav Grepl 2010-07-22 09:27:51 UTC 
Fixed in selinux-policy-2.4.6-281.el5.noarch
Comment 5 Milos Malik 2010-11-29 08:06:35 UTC 
Hello Vadym,

could you please run your scenario again with selinux-policy which is available at folllowing URL?

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Thanks
Comment 7 Vadym Chepkov 2010-12-15 18:42:32 UTC 
Redhat5 packages were so old, I had to go with Fedora and it works there just fine. I also moved from winbind to nss_ldap. 

But I will setup a RHEL5.5 with winbind to check, if it's still the case.
Comment 8 Vadym Chepkov 2010-12-15 19:32:22 UTC 
selinux-policy-2.4.6-296.el5
selinux-policy-targeted-2.4.6-296.el5


I've got a warning during installation:

libsepol.sepol_genbools_array: boolean virt_manage_sysfs no longer in policy

but the authentication is successful:


192.168.16.6 - vchepkov [15/Dec/2010:19:29:52 +0000] "GET /favicon.ico HTTP/1.1" 404 299 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10"
Comment 9 Miroslav Grepl 2010-12-16 09:40:07 UTC 
It is ok. The boolean was renamed to 

virt_use_nfs


Thanks for testing.
Comment 10 Jaromir Hradilek 2011-01-05 16:12:40 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
When the httpd service was configured to use the "mod_auth_pam" module with winbind, users were denied access, even though the "allow_httpd_mod_auth_pam" and "httpd_can_network_connect" booleans were set to "on". With this update, "allow_httpd_mod_auth_pam" has been corrected, and users are no longer denied access with this configuration.
Comment 12 errata-xmlrpc 2011-01-13 21:48:46 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html