Bug 173779 - Apache mod_auth_pam audit_open() fails because of SELinux
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: James Antill
Reported: 2005-11-20 19:40 EST by Ricky Ng-Adam
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2006-09-20 13:07:06 EDT
Description Ricky Ng-Adam 2005-11-20 19:40:19 EST
Description of problem:

mod_auth_pam does not work with Apache httpd because of SELinux

Version-Release number of selected component (if applicable):

mod_auth_pam-1.1.1-1.fc4
httpd-2.0.54-10.2
selinux-policy-targeted-1.27.1-2.11

How reproducible:

always

Steps to Reproduce:
1. install mod_auth_pam
2. create location with 'Require valid-user'
3. try to access
  
Actual results:

Access denied

/var/log/messages:

Nov 21 00:14:42 yi httpd: PAM audit_open() failed: Permission denied

/var/log/audit/audit.log:

type=AVC msg=audit(1132550082.620:35): avc:  denied  { create } for  pid=2226
comm="httpd" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t
tclass=netlink_audit_socket
type=SYSCALL msg=audit(1132550082.620:35): arch=40000003 syscall=102 success=no
exit=-13 a0=1 a1=bff1f500 a2=2dc0f8 a3=1 items=0 pid=2226 auid=0 uid=48 gid=48
euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKETCALL msg=audit(1132550082.620:35): nargs=3 a0=10 a1=3 a2=9
type=AVC msg=audit(1132550082.620:36): avc:  denied  { create } for  pid=2226
comm="httpd" scontext=root:system_r:httpd_t tcontext=root:system_r:httpd_t
tclass=netlink_audit_socket
type=SYSCALL msg=audit(1132550082.620:36): arch=40000003 syscall=102 success=no
exit=-13 a0=1 a1=bff1f4f0 a2=2dc0f8 a3=0 items=0 pid=2226 auid=0 uid=48 gid=48
euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd" exe="/usr/sbin/httpd"
type=SOCKETCALL msg=audit(1132550082.620:36): nargs=3 a0=10 a1=3 a2=9

Expected results:

Works as expected

Additional info:

Workaround:

setsebool -P httpd_disable_trans 1 
service httpd restart
Comment 1 Ricky Ng-Adam 2006-02-25 20:24:15 EST
Under FC5 test 3 this still doesn't work without setting the SELinux
httpd_disable_trans flag.

I've installed mod_auth_pam, added the following to my /etc/httpd/conf/httpd.conf:

<Location />
AuthPAM_Enabled on
AuthType Basic
AuthName "root"
Require valid-user
</Location>

and made the shadow file readable by the web server:

[root@localhost logs]# chown root:apache /etc/shadow
[root@localhost logs]# chmod g+r /etc/shadow

Without httpd_disable_trans:

----------------
==> /var/log/audit/audit.log <==
type=AVC msg=audit(1140917004.792:2728): avc:  denied  { read } for  pid=11945
comm="httpd" name="shadow" dev=dm-0 ino=1670878
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0
tclass=file
type=SYSCALL msg=audit(1140917004.792:2728): arch=40000003 syscall=5 success=no
exit=-13 a0=b73054 a1=0 a2=1b6 a3=8fd22e8 items=1 pid=11945 auid=500 uid=48
gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd"
exe="/usr/sbin/httpd"
type=CWD msg=audit(1140917004.792:2728):  cwd="/"
type=PATH msg=audit(1140917004.792:2728): item=0 name="/etc/shadow" flags=101 
inode=1670878 dev=fd:00 mode=0100440 ouid=0 ogid=48 rdev=00:00
type=AVC msg=audit(1140917004.832:2729): avc:  denied  { execute } for 
pid=11962 comm="httpd" name="unix_chkpwd" dev=dm-0 ino=4648613
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0
tclass=file
type=SYSCALL msg=audit(1140917004.832:2729): arch=40000003 syscall=11 success=no
exit=-13 a0=77dab8 a1=bf92d37c a2=78b424 a3=8fc38b8 items=1 pid=11962 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd"
exe="/usr/sbin/httpd"
type=CWD msg=audit(1140917004.832:2729):  cwd="/"
type=PATH msg=audit(1140917004.832:2729): item=0 name="/sbin/unix_chkpwd"
flags=101  inode=4648613 dev=fd:00 mode=0104755 ouid=0 ogid=0 rdev=00:00

==> /var/log/secure <==
Feb 25 20:22:49 localhost httpd: PAM audit_open() failed: Permission denied
Feb 25 20:23:24 localhost httpd: pam_unix(httpd:auth): authentication failure;
logname= uid=48 euid=48 tty= ruser= rhost=  user=rngadam

==> /var/log/httpd/error_log <==
[Sat Feb 25 20:23:26 2006] [error] [client 127.0.0.1] PAM: user 'rngadam' - not
authenticated: System error

==> /var/log/audit/audit.log <==
type=AVC msg=audit(1140917006.856:2730): avc:  denied  { create } for  pid=11945
comm="httpd" scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1140917006.856:2730): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bf92d2f0 a2=49eff4 a3=1 items=0 pid=11945 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd"
exe="/usr/sbin/httpd"
type=SOCKETCALL msg=audit(1140917006.856:2730): nargs=3 a0=10 a1=3 a2=9
type=AVC msg=audit(1140917006.864:2731): avc:  denied  { create } for  pid=11945
comm="httpd" scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1140917006.864:2731): arch=40000003 syscall=102
success=no exit=-13 a0=1 a1=bf92d2d0 a2=49eff4 a3=0 items=0 pid=11945 auid=500
uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 comm="httpd"
exe="/usr/sbin/httpd"
type=SOCKETCALL msg=audit(1140917006.864:2731): nargs=3 a0=10 a1=3 a2=9

==> /var/log/secure <==
Feb 25 20:23:26 localhost httpd: PAM audit_open() failed: Permission denied
----------------

There is no documentation about it:

[root@localhost conf]# grep -r httpd_disable_trans /usr/share/doc/mod_auth_pam-1.1.1/*

Also, there is still no mod_auth_pam in Bugzilla even if the package was
officially created in bug #166542 since September.
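The AVC records quoted in the description and in this comment reduce to three distinct denials for httpd_t: creating a netlink_audit_socket, executing chkpwd_exec_t, and reading shadow_t. The script below is an added example, not code from the bug report or from the selinux-policy package: it parses such records (copied from this comment as constructed sample input), aggregates them the way audit2allow summarizes denials, and flags the rule that would let the web server read shadow_t, the exposure that the httpd_disable_trans workaround does not remove, since that boolean simply takes httpd out of its confined domain.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records quoted in comment 1 of this report, plus one SYSCALL record to show it is skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1140917004.792:2728): avc:  denied  { read } for  pid=11945 comm="httpd" name="shadow" dev=dm-0 ino=1670878 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1140917004.792:2728): arch=40000003 syscall=5 success=no exit=-13 pid=11945 uid=48 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1140917004.832:2729): avc:  denied  { execute } for  pid=11962 comm="httpd" name="unix_chkpwd" dev=dm-0 ino=4648613 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:chkpwd_exec_t:s0 tclass=file
type=AVC msg=audit(1140917006.856:2730): avc:  denied  { create } for  pid=11945 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
"""

AVC_RE = re.compile(r'^type=AVC .*?avc:\s+(denied|granted)\s+\{ ([^}]*) \} for\s+(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Target types a web server should not be granted wholesale: shadow_t holds the
# password hashes that mod_auth_pam ends up reading in this report.
SENSITIVE_TARGETS = {'shadow_t'}

def parse_avc(line):
    """Parse one AVC record into a dict; return None for any other record type."""
    m = AVC_RE.match(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(3))}
    return {'result': m.group(1), 'perms': set(m.group(2).split()),
            'scontext': f.get('scontext'), 'tcontext': f.get('tcontext'), 'tclass': f.get('tclass')}

def type_of(context):
    """Type component of a context such as user_u:system_r:httpd_t:s0 (also works without the MLS field)."""
    return context.split(':')[2]

def summarize_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['result'] == 'denied':
            key = (type_of(rec['scontext']), type_of(rec['tcontext']), rec['tclass'])
            denials[key] |= rec['perms']
    return dict(denials)

def allow_rules(denials):
    """Render denials as the allow rules audit2allow would emit, flagging sensitive targets for review."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        rule = 'allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(sorted(perms)))
        if tgt in SENSITIVE_TARGETS:
            rule += '  # REVIEW: exposes ' + tgt + ' to the web server'
        rules.append(rule)
    return rules
```

Run against a live /var/log/audit/audit.log, the flagged rule is the one to refuse rather than load; the netlink_audit_socket and chkpwd_exec_t rules are the narrow grants that a policy change, as opposed to httpd_disable_trans, would consist of.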
Comment 2 Ignacio Vazquez-Abrams 2006-02-27 07:10:56 EST
(In reply to comment #1)
> Also, there is still no mod_auth_pam in Bugzilla even if the package was
> officially created in bug #166542 since september.

Yes, there is. mod_auth_pam is part of Fedora Extras.
Comment 3 James Antill 2006-09-20 13:07:06 EDT
Personally I see this as a documentation problem in mod_auth_pam; I don't see
any sane way to reconcile having full auth privs inside your web server. So
mod_auth_pam is just broken from a security POV.
httpd_disable_trans is documented in man httpd_selinux.
Feel free to open a mod_auth_pam documentation feature.
