Bug 246079 - lot of AVC's when starting httpd
Status: CLOSED WORKSFORME
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: mod_nss
Version: 5.0
Hardware: All Linux
Priority: low  Severity: low
Reported: 2007-06-28 08:51 EDT by Jan Hutař
Modified: 2008-01-07 10:33 EST (History)

Doc Type: Bug Fix
Last Closed: 2008-01-07 10:33:06 EST
Attachments
audit log from RHEL-5-Server i386 (19.88 KB, application/octet-stream), 2007-06-28 08:51 EDT, Jan Hutař
audit log from RHEL-5-Client x86_64 (35.20 KB, application/octet-stream), 2007-07-03 02:50 EDT, Jan Hutař

Description Jan Hutař 2007-06-28 08:51:29 EDT
Description of problem:
When I have installed default mod_nss, I'm getting some AVC denied each time httpd is started.


Version-Release number of selected component (if applicable):
mod_nss-1.0.3-4.el5.i386


How reproducible:
always


Steps to Reproduce:
1. : > /var/log/audit/audit.log
2. service httpd start
3. cat /var/log/audit/audit.log


Actual results:
some "AVC denied" - audit log from RHEL-5-Server i386 attached


Expected results:
no "AVC denied"


Additional info:
# rpm -V mod_nss
# echo $?
0

Tested on all RHEL-5 variants.

I'm not sure if this is a bug, but maybe it would be good to create some SELinux boolean like "httpd_enable_nss".
Comment 1 Jan Hutař 2007-06-28 08:51:30 EDT
Created attachment 158118 [details]
audit log from RHEL-5-Server i386
Comment 2 Rob Crittenden 2007-07-02 13:15:31 EDT
What version of selinux-policy-targeted is installed? This should have been
fixed in http://rhn.redhat.com/errata/RHBA-2007-0171.html (bug 210003)
Comment 3 Jan Hutař 2007-07-03 02:47:45 EDT
Sorry, I forgot to attach this info. It was on the QA stable systems which are supposed to be quite up2date, but sometimes they are not. 2007:0171 is for RHEL-4, so not applicable here.

So now second try:
1. updated to NEW packages from 2007:0541 (libselinux) and 2007:0544 (selinux-policy)
2. # setenforcing 1
3. # load_policy -b
4. # : > /var/log/audit/audit.log
5. # service httpd start
6. # wc -l /var/log/audit/audit.log
=> 146 rows (log attached)

httpd-2.2.3-7.el5.x86_64
mod_nss-1.0.3-4.el5.x86_64
selinux-policy-targeted-2.4.6-77.el5.noarch
Comment 4 Jan Hutař 2007-07-03 02:50:07 EDT
Created attachment 158410 [details]
audit log from RHEL-5-Client x86_64
Comment 5 Rob Crittenden 2007-07-03 08:34:36 EDT
Ah, right you are. Sorry, I guess we need to get those RHEL-4 fixes migrated up.
Comment 6 Daniel Walsh 2007-07-10 10:43:44 EDT
This looks like you have avc messages from two different sources.

One: you are running on an NIS box without the allow_ypbind boolean turned on. This is causing

allow httpd_t hi_reserved_port_t:tcp_socket name_bind;
allow httpd_t portmap_port_t:tcp_socket name_connect;
allow httpd_t var_yp_t:dir search;

to be required.  I think if you turn on that boolean this will go away.

allow httpd_t proc_net_t:dir { read search };
allow httpd_t self:appletalk_socket create;
allow httpd_t self:socket create;

This is being caused because you are execing netstat under the covers in the mod_nss binary and it is requesting all these accesses. The reason you are execing netstat is to generate randomness and this is not necessary on a Linux system. We have a bugzilla elsewhere to build libnss without the netstat command.

allow httpd_t self:capability sys_nice;

The 5.1 policy has this.
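Added example (not code from the bug, from mod_nss or from Red Hat): a small audit2allow-style reducer that turns AVC records of the kind in the attached logs into the allow rules quoted in comment 6, and separates the three rules that comment attributes to the allow_ypbind boolean from the ones that need a policy update. The audit records are constructed samples; the boolean-to-rule mapping is taken from comment 6, not from the policy sources.

```python
import re
from collections import defaultdict
# Constructed sample records in RHEL 5 audit.log format (not the bug's attached logs).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1183036290.612:35): avc:  denied  { name_bind } for  pid=3173 comm="httpd" src=1023 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1183036290.613:36): avc:  denied  { name_connect } for  pid=3173 comm="httpd" dest=111 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:portmap_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1183036290.614:37): avc:  denied  { search } for  pid=3173 comm="httpd" name="yp" dev=dm-0 ino=98765 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:var_yp_t:s0 tclass=dir
type=AVC msg=audit(1183036290.700:38): avc:  denied  { read } for  pid=3180 comm="netstat" name="net" dev=proc ino=4026531839 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1183036290.701:39): avc:  denied  { search } for  pid=3180 comm="netstat" name="net" dev=proc ino=4026531839 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=dir
type=AVC msg=audit(1183036290.800:40): avc:  denied  { sys_nice } for  pid=3173 comm="httpd" capability=23 scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=capability
type=SYSCALL msg=audit(1183036290.800:40): arch=c000003e syscall=141 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?'
                    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)')
# The three rules comment 6 attributes to running httpd on an NIS client with
# allow_ypbind off; setsebool, not a local policy module, is the fix for these.
YPBIND_RULES = {
    "allow httpd_t hi_reserved_port_t:tcp_socket name_bind;",
    "allow httpd_t portmap_port_t:tcp_socket name_connect;",
    "allow httpd_t var_yp_t:dir search;",
}

def ctx_type(context):
    """Type field of a user:role:type:level security context."""
    return context.split(":")[2]

def avc_to_allow_rules(log_text):
    """Collapse AVC denials into audit2allow-style rules, one per (source, target, class)."""
    perms_by_key = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL and other record types carry no denial
        stype, ttype = ctx_type(m["scontext"]), ctx_type(m["tcontext"])
        target = "self" if ttype == stype else ttype  # policy spells same-type targets 'self'
        perms_by_key[(stype, target, m["tclass"])].update(m["perms"].split())
    rules = []
    for (stype, target, tclass), perms in perms_by_key.items():
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {target}:{tclass} {perm_str};")
    return sorted(rules)

def split_by_fix(rules):
    """Rules the allow_ypbind boolean covers vs. rules that need a policy update."""
    return ([r for r in rules if r in YPBIND_RULES],
            [r for r in rules if r not in YPBIND_RULES])
```

Run `split_by_fix(avc_to_allow_rules(open("/var/log/audit/audit.log").read()))` after the reproduction steps to see which denials `setsebool -P allow_ypbind 1` should remove and which remain for the policy package.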

Comment 7 Daniel Walsh 2007-07-10 11:11:13 EDT
Reference Bugzilla #246517
Comment 8 Jan Hutař 2007-07-12 10:10:09 EDT
Thanks - now I wasn't able to reproduce these:

allow httpd_t hi_reserved_port_t:tcp_socket name_bind;
allow httpd_t portmap_port_t:tcp_socket name_connect;
allow httpd_t var_yp_t:dir search;

(used authconfig-tui to turn the NIS on/off and setsebool to set allow_ypbind on/off)

But I still have this one (together with the AVC's that bug 246517 solves):

allow httpd_t self:capability sys_nice;

even with the new SELinux related stuff installed (haven't rebooted/relabeled, just updated the packages):

selinux-policy-targeted-2.4.6-77.el5.noarch (2007:0544)
policycoreutils-1.33.12-12.el5.i386 (2007:0543)
Comment 9 RHEL Product and Program Management 2007-12-03 15:43:35 EST
This request was evaluated by Red Hat Product Management for
inclusion, but this component is not scheduled to be updated in
the current Red Hat Enterprise Linux release.  This request will
be reviewed for a future Red Hat Enterprise Linux release.
Comment 10 Rob Crittenden 2008-01-03 16:07:58 EST
I can't reproduce this in RHEL 5.1. Can you try again with a freshly updated system?
Comment 11 Jan Hutař 2008-01-07 04:20:06 EST
I can not reproduce it either (on multiple systems), thank you.

selinux-policy-targeted-2.4.6-106.el5_1.3.noarch
policycoreutils-1.33.12-12.el5.i386
Comment 12 Rob Crittenden 2008-01-07 10:33:06 EST
I'm going to close this as WORKSFORME since I have no idea exactly which selinux
policy version fixed it.
