How reproducible: On an Enterprise RHEL5 Server with SELinux policy targeted(21) enabled in enforcing mode, when I start/stop/restart httpd (/etc/init.d/httpd start/stop) I get the below alert.

Actual results:

Summary
SELinux is preventing the /bin/netstat from using potentially mislabeled files net (proc_net_t).

Detailed Description
SELinux has denied the /bin/netstat access to potentially mislabeled files net. This means that SELinux will not allow http to use these files. Many third party apps install html files in directories that SELinux policy can not predict. These directories have to be labeled with a file context which httpd can access.

Allowing Access
If you want to change the file context of net so that the httpd daemon can access it, you need to execute it using chcon -t httpd_sys_content_t.net. You can look at the httpd_selinux man page for additional information.

Additional Information
Source Context root:system_r:httpd_t
Target Context system_u:object_r:proc_net_t
Target Objects net [ dir ]
Affected RPM Packages net-tools-1.60-73 [application]
Policy RPM selinux-policy-2.4.6-30.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Permissive
Plugin Name plugins.httpd_bad_labels
Host Name Rhel5.test.com
Platform Linux Rhel5.test.com 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:14 EST 2007 x86_64 x86_64
Alert Count 1
Line Numbers

Raw Audit Messages
avc: denied { search } for comm="netstat" dev=proc egid=0 euid=0 exe="/bin/netstat" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=9529 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0

Additional info:
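To make raw AVC records like the one at the end of this report easier to triage, here is an added Python example (not part of the bug report, nor NSS or mod_nss code) that parses audit.log "avc: denied" lines into fields, flags the specific httpd_t -> netstat -> proc_net_t denial discussed in this bug as known-benign, and renders the type-enforcement rule that audit2allow would generate for each denial. The first sample line is the one from the report; the second is constructed.

```python
import re

# Constructed sample input: line 1 is the AVC record from this bug report,
# line 2 is a made-up httpd_t denial that should NOT match the known pattern.
SAMPLE_AUDIT = """\
avc: denied { search } for comm="netstat" dev=proc egid=0 euid=0 exe="/bin/netstat" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="net" pid=9529 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=dir tcontext=system_u:object_r:proc_net_t:s0 tty=(none) uid=0
avc: denied { read } for comm="httpd" name="index.html" pid=9600 scontext=root:system_r:httpd_t:s0 tclass=file tcontext=system_u:object_r:user_home_t:s0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value, value optionally quoted

def parse_avc(line):
    """Return a dict of the AVC record's fields, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {'perms': m.group('perms').split()}
    for key, val in FIELD_RE.findall(m.group('fields')):
        rec[key] = val.strip('"')
    # user:role:type:level -> pull out the SELinux type, which policy rules are written on
    for ctx in ('scontext', 'tcontext'):
        if ctx in rec:
            parts = rec[ctx].split(':')
            rec[ctx + '_type'] = parts[2] if len(parts) > 2 else parts[-1]
    return rec

# Denial patterns we have already explained; this one is the NSS RNG seeding via
# "netstat -ni" from inside httpd that this bug is about.
KNOWN_BENIGN = [
    {'scontext_type': 'httpd_t', 'comm': 'netstat',
     'tcontext_type': 'proc_net_t', 'tclass': 'dir'},
]

def triage(rec):
    """Label a parsed denial as known-benign or as something a human should look at."""
    for pat in KNOWN_BENIGN:
        if all(rec.get(k) == v for k, v in pat.items()):
            return 'known-benign'
    return 'needs-review'

def allow_rule(rec):
    """Render the TE allow rule audit2allow would emit for this denial."""
    perms = rec['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ %s }' % ' '.join(perms)
    return 'allow %s %s:%s %s;' % (rec['scontext_type'], rec['tcontext_type'],
                                   rec['tclass'], perm_str)

def triage_log(text):
    """Parse every AVC line in text; return [(label, allow_rule), ...]."""
    return [(triage(r), allow_rule(r))
            for r in map(parse_avc, text.splitlines()) if r]
```

Running triage_log over SAMPLE_AUDIT labels the netstat denial known-benign with the rule `allow httpd_t proc_net_t:dir search;`, which is exactly what the mynss module from comment 1 would contain, while the constructed second line is left for review.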
Are you using mod_nss? This is a known problem with it exec'ing netstat. You can add this policy by executing

# grep netstat /var/log/audit/audit.log | audit2allow -M mynss
# semodule -i mynss.pp

The nss libraries do not need to execute netstat.
nss module is present by default in RHEL5.
This is an issue with NSS, not with mod_nss. NSS uses a variety of methods to seed the random number generator on init. One option is to take as input the output of netstat -ni. There is nothing in mod_nss I can do to address this. It looks like the NSS builds 3.11.7-* include a patch to disable running netstat.
Yes, the version of NSS that will ship with the next round of updates will no longer execute netstat, in order to work around a different problem. But the use of netstat might get re-enabled at a later time. Should the targeted policy get changed to allow this? Manoj, are you able to test the workaround suggested by Dan in comment 1?
Yes, after adding the policy using audit2allow as suggested by Daniel in comment 1, this alert is not generated.
I didn't find any problem with the working of the web server while I'm getting this SELinux alert. I just wanted to know whether this bug is going to hamper the working of Apache in any way, or whether it is just noise.
Any updates on my previous query (comment 6)?
Operating your webserver should not be affected. Allowing the execution of /bin/netstat will increase the amount of random data collected by the cryptographic library.
I propose to resolve this bug. With NSS package versions 3.11.7-1.1 and higher we no longer execute netstat at all. Can you confirm? Thanks a lot.
As proposed 5 weeks ago, I'm now resolving this bug as fixed. Inspecting the changelog tells me this should have been fixed since RHEL 5.1, in package versions nss-3.11.7-1.3.el5 and later. Adding the policy rule proposed by Dan to SELinux is optional.