Bug 155251 - httpd suexec targeted policy issues
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: selinux-policy-targeted (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Depends On:
Blocks: 156323
Reported: 2005-04-18 11:52 EDT by Joe Orton
Modified: 2007-11-30 17:07 EST (History)

See Also:
Fixed In Version: RHBA-2005-645
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-10-05 12:34:07 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Joe Orton 2005-04-18 11:52:38 EDT
Description of problem:
/usr/sbin/suexec should have permission to create and write to
/var/log/httpd/suexec.log, and doesn't work without it; after configuring suexec
in httpd I get:

audit(1113839139.454:0): avc:  denied  { write } for  pid=29554
exe=/usr/sbin/suexec name=httpd dev=sda3 ino=1406411
scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t

I'm also getting this error:

audit(1113839139.453:0): avc:  denied  { net_bind_service } for  pid=29554
exe=/usr/sbin/suexec capability=10 scontext=user_u:system_r:httpd_suexec_t
tcontext=user_u:system_r:httpd_suexec_t tclass=capability

which is possibly some NIS or nscd thing when doing the username lookup?

Version-Release number of selected component (if applicable):
Comment 1 Daniel Walsh 2005-04-19 11:54:42 EDT
Do you have the allow_ypbind boolean set?

getsebool allow_ypbind
allow_ypbind --> inactive

If it is inactive you can turn it on with

setsebool -P allow_ypbind=1

Does that eliminate the net_bind_service?

Can you setenforce 0 before running your httpd_suexec app, to tell me what other
privs it needs?


Comment 2 Joe Orton 2005-04-19 13:13:54 EDT
Yes, I do have allow_ypbind=1 enabled (I haven't changed that so I presume it
was set since installation).

After "setenforce 0" and rm'ing suexec.log, I get three denials from a
successful suexec invocation:

<3>audit(1113930658.196:0): avc:  denied  { write } for  pid=6211
exe=/usr/sbin/suexec name=httpd dev=sda3 ino=1406411
scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t
<3>audit(1113930658.196:0): avc:  denied  { add_name } for  pid=6211
exe=/usr/sbin/suexec name=suexec.log scontext=root:system_r:httpd_suexec_t
tcontext=system_u:object_r:httpd_log_t tclass=dir
<3>audit(1113930658.197:0): avc:  denied  { create } for  pid=6211
exe=/usr/sbin/suexec name=suexec.log scontext=root:system_r:httpd_suexec_t
tcontext=root:object_r:httpd_log_t tclass=file
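As an added example (not from the bug report or from the selinux-policy package), the script below parses the AVC denials quoted in comment 2, collapses them into the allow rules a tool such as audit2allow would propose, and sets aside the record that has no tclass, since a rule cannot be written for it without guessing the object class. The sample log lines are a constructed copy of the three denials above, each reflowed onto one line.

```python
import re
from collections import defaultdict

# Constructed copy of the three AVC denials quoted in comment 2, each on one
# line (the <3> prefix is the kernel priority seen when reading /proc/kmsg).
SAMPLE_AVCS = """\
<3>audit(1113930658.196:0): avc:  denied  { write } for  pid=6211 exe=/usr/sbin/suexec name=httpd dev=sda3 ino=1406411 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t
<3>audit(1113930658.196:0): avc:  denied  { add_name } for  pid=6211 exe=/usr/sbin/suexec name=suexec.log scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t tclass=dir
<3>audit(1113930658.197:0): avc:  denied  { create } for  pid=6211 exe=/usr/sbin/suexec name=suexec.log scontext=root:system_r:httpd_suexec_t tcontext=root:object_r:httpd_log_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)")


def parse_avc(line):
    """Return the permissions and key=value fields of one AVC line, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    # A context is user:role:type[:range]; a TE rule names only the type.
    return context.split(":")[2]


def suggest_rules(log_text):
    """Collapse denials into allow rules keyed by (source type, target type, class).

    Lines without a tclass are returned separately for a human to review.
    """
    perms = defaultdict(set)
    incomplete = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        if "tclass" not in rec:
            incomplete.append(line.strip())
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        perms[key] |= rec["perms"]
    rules = [f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(ps))} }};"
             for (src, tgt, cls), ps in sorted(perms.items())]
    return rules, incomplete


if __name__ == "__main__":
    rules, incomplete = suggest_rules(SAMPLE_AVCS)
    print("\n".join(rules))
    for line in incomplete:
        print("# no tclass, review by hand:", line)
```

Run against the denials in comment 2 it yields rules for the dir add_name and file create permissions, while the write denial on the httpd log directory, which was quoted without a tclass, is listed for manual review rather than guessed at.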
Comment 3 Joe Orton 2005-04-19 13:17:20 EDT
I can't reproduce the net_bind error now.  What should trigger that?
Comment 4 Joe Orton 2005-04-19 13:24:41 EDT
Hmmm, I was catching the denials from "cat /proc/kmsg", maybe that's not such a
good idea.  In /var/log/messages I now have this interesting stuff:

Apr 19 18:20:20 tango kernel: audit(1113931220.257:0):ac dne {ntbn_evc  o pd66
x=ursi/uxccpblt=0sotx=otsse_:tp_uxcttotx=otsstem_r:httpd_suexec_t tclass=capabilit
Apr 19 18:20:40 tango kernel: <3adt11912.5:) v: eid  rt  o pd66 x=ursi/uxcnm=tp

Comment 5 Daniel Walsh 2005-05-12 15:51:05 EDT
There is a test policy out on ftp://people.redhat.com/dwalsh/SELinux/u2

Need policy files and checkpolicy.

Comment 10 Daniel Walsh 2005-09-15 12:07:24 EDT
Closed by accident
Comment 13 Red Hat Bugzilla 2005-10-05 12:34:07 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

