Description of problem: /usr/sbin/suexec should have permission to create and write to /var/log/httpd/suexec.log, and doesn't work without it; after configuring suexec in httpd I get:

audit(1113839139.454:0): avc: denied { write } for pid=29554 exe=/usr/sbin/suexec name=httpd dev=sda3 ino=1406411 scontext=user_u:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t tclass=dir

I'm also getting this error:

audit(1113839139.453:0): avc: denied { net_bind_service } for pid=29554 exe=/usr/sbin/suexec capability=10 scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=capability

which is possibly some NIS or nscd thing when doing the username lookup?

Version-Release number of selected component (if applicable): selinux-policy-targeted-1.17.30-2.88
Do you have the allow_ypbind boolean set?

getsebool allow_ypbind
allow_ypbind --> inactive

If it is inactive you can turn it on with

setsebool -P allow_ypbind=1

Does that eliminate the net_bind_service? Can you setenforce 0 before running your httpd_suexec app, to tell me what other privs it needs?

Dan
Yes, I do have allow_ypbind=1 enabled (I haven't changed that, so I presume it was set since installation). After "setenforce 0" and rm'ing suexec.log, I get three denials from a successful suexec invocation:

<3>audit(1113930658.196:0): avc: denied { write } for pid=6211 exe=/usr/sbin/suexec name=httpd dev=sda3 ino=1406411 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t tclass=dir
<3>audit(1113930658.196:0): avc: denied { add_name } for pid=6211 exe=/usr/sbin/suexec name=suexec.log scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t tclass=dir
<3>audit(1113930658.197:0): avc: denied { create } for pid=6211 exe=/usr/sbin/suexec name=suexec.log scontext=root:system_r:httpd_suexec_t tcontext=root:object_r:httpd_log_t tclass=file
I can't reproduce the net_bind error now. What should trigger that?
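The denials quoted above are exactly the input a tool like audit2allow turns into candidate allow rules. The following is an added example, not code from this bug report or from the selinux-policy package: a small parser that groups each AVC denial by (source type, target type, object class) and prints the minimal allow rule each group implies, using the report's own denial lines as constructed sample input. Rules it emits are candidates to review against what suexec legitimately needs (here, creating and writing its log under httpd_log_t), not something to load blindly.

```python
import re
from collections import defaultdict

# Constructed sample: the AVC denial lines quoted in this bug report.
SAMPLE_AVC = """\
<3>audit(1113930658.196:0): avc: denied { write } for pid=6211 exe=/usr/sbin/suexec name=httpd dev=sda3 ino=1406411 scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t tclass=dir
<3>audit(1113930658.196:0): avc: denied { add_name } for pid=6211 exe=/usr/sbin/suexec name=suexec.log scontext=root:system_r:httpd_suexec_t tcontext=system_u:object_r:httpd_log_t tclass=dir
<3>audit(1113930658.197:0): avc: denied { create } for pid=6211 exe=/usr/sbin/suexec name=suexec.log scontext=root:system_r:httpd_suexec_t tcontext=root:object_r:httpd_log_t tclass=file
audit(1113839139.453:0): avc: denied { net_bind_service } for pid=29554 exe=/usr/sbin/suexec capability=10 scontext=user_u:system_r:httpd_suexec_t tcontext=user_u:system_r:httpd_suexec_t tclass=capability
"""

# Matches the permission set and the three fields that determine an allow rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type (third field) of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Yield (perm, source_type, target_type, tclass) for every denial line in text."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (or too garbled to parse, as in kmsg output)
        src = context_type(m.group("scontext"))
        tgt = context_type(m.group("tcontext"))
        for perm in m.group("perms").split():
            yield perm, src, tgt, m.group("tclass")


def allow_rules(text):
    """Collapse denials into one allow rule per (source, target, class), in first-seen order."""
    grouped = defaultdict(list)
    for perm, src, tgt, tclass in parse_avc(text):
        # A domain acting on its own context (e.g. a capability check) is written as `self`.
        target = "self" if src == tgt else tgt
        if perm not in grouped[(src, target, tclass)]:
            grouped[(src, target, tclass)].append(perm)
    rules = []
    for (src, target, tclass), perms in grouped.items():
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {src} {target}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AVC):
        print(rule)
```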
Hmmm, I was catching the denials from "cat /proc/kmsg", maybe that's not such a good idea. In /var/log/messages I now have this interesting stuff:

Apr 19 18:20:20 tango kernel: audit(1113931220.257:0):ac dne {ntbn_evc o pd66 x=ursi/uxccpblt=0sotx=otsse_:tp_uxcttotx=otsstem_r:httpd_suexec_t tclass=capabilit
Apr 19 18:20:40 tango kernel: <3adt11912.5:) v: eid rt o pd66 x=ursi/uxcnm=tp e=d3io1041s [sic]
There is a test policy out on ftp://people.redhat.com/dwalsh/SELinux/u2. Need policy files and checkpolicy.

Dan
Closed by accident
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2005-645.html