Description of problem: When I have installed default mod_nss, I'm getting some AVC denied each time httpd is started.

Version-Release number of selected component (if applicable): mod_nss-1.0.3-4.el5.i386

How reproducible: always

Steps to Reproduce:
1. : > /var/log/audit/audit.log
2. service httpd start
3. cat /var/log/audit/audit.log

Actual results: some "AVC denied" - audit log from RHEL-5-Server i386 attached

Expected results: no "AVC denied"

Additional info:
# rpm -V mod_nss
# echo $?
0
Tested on all RHEL-5 variants. I'm not sure if this is a bug, but maybe it would be good to create some selinux boolean like "httpd_enable_nss".
Created attachment 158118 [details] audit log from RHEL-5-Server i386
What version of selinux-policy-targeted is installed? This should have been fixed in http://rhn.redhat.com/errata/RHBA-2007-0171.html (bug 210003)
Sorry, I forgot to attach this info. It was on the QA stable systems which are supposed to be quite up2date, but sometimes they are not. 2007:0171 is for RHEL-4, so not applicable here. So now second try:
1. updated to NEW packages from 2007:0541 (libselinux) and 2007:0544 (selinux-policy)
2. # setenforce 1
3. # load_policy -b
4. # : > /var/log/audit/audit.log
5. # service httpd start
6. # wc -l /var/log/audit/audit.log => 146 rows (log attached)

httpd-2.2.3-7.el5.x86_64
mod_nss-1.0.3-4.el5.x86_64
selinux-policy-targeted-2.4.6-77.el5.noarch
Created attachment 158410 [details] audit log from RHEL-5-Client x86_64
Ah, right you are. Sorry, I guess we need to get those RHEL-4 fixes migrated up.
This looks like you have avc messages from two different sources. One: you are running on an NIS box without the allow_ypbind boolean turned on. This is causing
allow httpd_t hi_reserved_port_t:tcp_socket name_bind;
allow httpd_t portmap_port_t:tcp_socket name_connect;
allow httpd_t var_yp_t:dir search;
to be required. I think if you turn on that boolean this will go away.

allow httpd_t proc_net_t:dir { read search };
allow httpd_t self:appletalk_socket create;
allow httpd_t self:socket create;
This is being caused because you are execing netstat under the covers in the mod_nss binary and it is requesting all these accesses. The reason you are execing netstat is to generate randomness and this is not necessary on a Linux system. We have a bugzilla elsewhere to build libnss without the netstat command.

allow httpd_t self:capability sys_nice;
The 5.1 policy has this.
Reference Bugzilla #246517
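As an added example (not part of this bug report and not Red Hat or audit2allow code), the script below does the audit2allow-style collapse of AVC records into allow rules and splits out the ones the analysis above attributes to the allow_ypbind boolean, so a reporter can see at a glance which denials need a policy change and which only need a boolean flipped. The audit lines are constructed to match the denials discussed in this thread, not copied from the attachments; the boolean table is taken from the comment above, not read from the installed policy; the "exec_helpers" list is a hypothetical extra that reports which processes other than httpd triggered denials in the httpd_t domain (here, netstat).

```python
"""Triage SELinux AVC denials from an audit log: collapse them into the allow
rules they would need (audit2allow style) and flag the ones an existing
boolean already covers.

Added example, not part of the bug report. The sample audit.log content is
constructed to match the denials discussed in the thread.
"""
import re
from collections import OrderedDict

# Constructed sample in the RHEL 5 audit.log AVC record format.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1184000000.101:12): avc:  denied  { name_bind } for  pid=2101 comm="httpd" src=1023 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1184000000.102:13): avc:  denied  { name_connect } for  pid=2101 comm="httpd" dest=111 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1184000000.103:14): avc:  denied  { search } for  pid=2101 comm="httpd" name="yp" dev=dm-0 ino=1234 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1184000000.104:15): avc:  denied  { read } for  pid=2102 comm="netstat" name="net" dev=proc ino=-268435457 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1184000000.104:16): avc:  denied  { search } for  pid=2102 comm="netstat" name="net" dev=proc ino=-268435457 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1184000000.105:17): avc:  denied  { create } for  pid=2102 comm="netstat" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=appletalk_socket
type=AVC msg=audit(1184000000.106:18): avc:  denied  { create } for  pid=2102 comm="netstat" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=socket
type=AVC msg=audit(1184000000.107:19): avc:  denied  { sys_nice } for  pid=2101 comm="httpd" capability=23 scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1184000000.107:19): arch=40000003 syscall=254 success=no exit=-13
"""

AVC_RE = re.compile(
    r'^type=AVC\b.*?\bavc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# From the comment above: with allow_ypbind on, these three denials go away.
# (target type, object class, permission) -> boolean. Taken from the thread,
# not from the installed policy (an assumption for this example).
COVERED_BY_BOOLEAN = {
    ('hi_reserved_port_t', 'tcp_socket', 'name_bind'): 'allow_ypbind',
    ('portmap_port_t', 'tcp_socket', 'name_connect'): 'allow_ypbind',
    ('var_yp_t', 'dir', 'search'): 'allow_ypbind',
}


def context_type(ctx):
    """user:role:type[:level] -> type."""
    return ctx.split(':')[2]


def parse_avc(text):
    """Return one dict per AVC denial; SYSCALL and other records are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
        records.append({
            'perms': m.group('perms').split(),
            'comm': fields.get('comm', '?'),
            'stype': context_type(fields['scontext']),
            'ttype': context_type(fields['tcontext']),
            'tclass': fields['tclass'],
        })
    return records


def required_rules(records):
    """Group denied permissions by (source type, target type, class), like audit2allow."""
    rules = OrderedDict()
    for r in records:
        perms = rules.setdefault((r['stype'], r['ttype'], r['tclass']), [])
        for p in r['perms']:
            if p not in perms:
                perms.append(p)
    return rules


def format_rule(stype, ttype, tclass, perms):
    """Render an allow rule in policy syntax; same-type targets become 'self'."""
    target = 'self' if ttype == stype else ttype
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return 'allow %s %s:%s %s;' % (stype, target, tclass, perm_str)


def triage(text):
    """Split rules into boolean-covered vs. needing a policy change."""
    records = parse_avc(text)
    result = {
        'covered_by_boolean': {},
        'needs_policy': [],
        # processes other than httpd that hit denials in the httpd_t domain
        'exec_helpers': sorted({r['comm'] for r in records if r['comm'] != 'httpd'}),
    }
    for (stype, ttype, tclass), perms in required_rules(records).items():
        by_bool = OrderedDict()
        for p in perms:
            by_bool.setdefault(COVERED_BY_BOOLEAN.get((ttype, tclass, p)), []).append(p)
        for boolean, ps in by_bool.items():
            rule = format_rule(stype, ttype, tclass, ps)
            if boolean is None:
                result['needs_policy'].append(rule)
            else:
                result['covered_by_boolean'].setdefault(boolean, []).append(rule)
    return result


if __name__ == '__main__':
    out = triage(SAMPLE_AUDIT_LOG)
    for boolean, rules in out['covered_by_boolean'].items():
        print('# setsebool -P %s on  covers:' % boolean)
        print('\n'.join(rules))
    print('# needs policy:')
    print('\n'.join(out['needs_policy']))
    print('# helper processes:', ', '.join(out['exec_helpers']))
```

On a real system the input would be `ausearch -m avc -ts recent` or the raw /var/log/audit/audit.log; the "needs_policy" rules are what you would hand to a policy maintainer or, only as a last resort, build into a local module with audit2allow -M.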
Thanks - now I wasn't able to reproduce these:
allow httpd_t hi_reserved_port_t:tcp_socket name_bind;
allow httpd_t portmap_port_t:tcp_socket name_connect;
allow httpd_t var_yp_t:dir search;
(used authconfig-tui to turn on/off the NIS and setsebool to set allow_ypbind on/off)

But I still have this one (together with the AVCs that bug 246517 solves):
allow httpd_t self:capability sys_nice;
even with new SELinux related stuff installed (haven't rebooted/relabeled, just updated the packages):
selinux-policy-targeted-2.4.6-77.el5.noarch (2007:0544)
policycoreutils-1.33.12-12.el5.i386 (2007:0543)
This request was evaluated by Red Hat Product Management for inclusion, but this component is not scheduled to be updated in the current Red Hat Enterprise Linux release. This request will be reviewed for a future Red Hat Enterprise Linux release.
I can't reproduce this in RHEL 5.1. Can you try again with a freshly updated system?
I cannot reproduce it either (on multiple systems), thank you.
selinux-policy-targeted-2.4.6-106.el5_1.3.noarch
policycoreutils-1.33.12-12.el5.i386
I'm going to close this as WORKSFORME since I have no idea exactly which selinux policy version fixed it.