Bug 430702 - selinux needs to support apache mod_auth_shadow
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.1
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2008-01-29 10:22 EST by Steve Grubb
Modified: 2008-06-09 15:49 EDT
Fixed In Version: RHBA-2008-0465
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:06:43 EDT


Attachments
SELinux alert (1.83 KB, text/plain), 2008-01-30 11:26 EST, Ranga Venkataraman
SELinux alert (1.83 KB, text/plain), 2008-01-30 11:27 EST, Ranga Venkataraman
SELinux is preventing /usr/sbin/validate (system_chkpwd_t) "read write" to socket:[19495] (httpd_t). (1.97 KB, text/plain), 2008-03-04 23:20 EST, manoj
SELinux is preventing /usr/sbin/validate (system_chkpwd_t) "read" to eventpoll:[54222] (httpd_t). (2.23 KB, text/plain), 2008-04-07 05:03 EDT, manoj
SELinux is preventing validate (system_chkpwd_t) "append" to /var/log/httpd/error_log (httpd_log_t) (5.82 KB, text/plain), 2008-06-05 02:41 EDT, manoj

Description Steve Grubb 2008-01-29 10:22:19 EST
Description of problem:
When mod_auth_shadow is installed, apache doesn't work due to avc denials. There
is a setuid helper app that checks the password, /usr/sbin/validate, and it is of
bin_t type. It should probably be chkpwd_exec_t to allow it read access to shadow.

apache then needs to be able to transition to allow use of the resulting domain.

Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-104.el5

How reproducible:
always

Steps to Reproduce:
1. configure apache to allow access to a page by mod_auth_shadow
2. access the page
3. collect the avc
Comment 1 RHEL Product and Program Management 2008-01-29 10:25:44 EST
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update
release.
Comment 2 Ranga Venkataraman 2008-01-30 11:26:27 EST
Created attachment 293431
SELinux alert

SELinux alert when allow_httpd_mod_auth_pam boolean is set to off. 
Context of /etc/shadow is system_u:object_r:shadow_t. 
Context of /usr/sbin/validate is system_u:object_r:chkpwd_exec_t
Comment 3 Ranga Venkataraman 2008-01-30 11:27:39 EST
Created attachment 293432
SELinux alert

SELinux alert when allow_httpd_mod_auth_pam boolean is set to on. 
Context of /etc/shadow is system_u:object_r:shadow_t. 
Context of /usr/sbin/validate is system_u:object_r:chkpwd_exec_t
Comment 4 Daniel Walsh 2008-01-31 13:52:42 EST
Fixed in selinux-policy-2.4.6-118.el5
Comment 7 manoj 2008-02-15 06:00:09 EST
This is still reproducible with SELinux-policy-2.4.6-118.el5
Comment 10 Daniel Walsh 2008-02-28 09:37:48 EST
manoj, 

Could you attach the AVC messages you are seeing?

And you did have the allow_httpd_mod_auth_pam boolean turned on ?

getsebool allow_httpd_mod_auth_pam

setsebool -P allow_httpd_mod_auth_pam=1
Comment 11 manoj 2008-03-04 00:25:00 EST
I don't see setroubleshoot alerts when I turn on allow_httpd_mod_auth_pam.
However, I'm unable to browse password protected sites when SELinux is enforcing.
Also note that there seems to be no problem when SELinux is disabled/permissive.

I see the below httpd error log messages.

[root@rhel5u164 Desktop]# tail -f /var/log/httpd/error_log
/usr/sbin/validate: No read access to /etc/shadow.  This program must be suid or sgid.
[Tue Mar 04 05:09:56 2008] [error] [client 10.1.6.11] Invalid password entered for user manoj
/usr/sbin/validate: No read access to /etc/shadow.  This program must be suid or sgid.
[Tue Mar 04 05:10:01 2008] [error] [client 10.1.6.11] Invalid password entered for user manoj


[root@rhel5u164 Desktop]# ls -lZ /etc/shadow
-rw-------  root root system_u:object_r:shadow_t       /etc/shadow
Comment 12 manoj 2008-03-04 00:30:43 EST
[root@rhel5u164 Desktop]# ls -lZ /usr/sbin/validate 
-rwsr-xr-x  root root system_u:object_r:sbin_t         /usr/sbin/validate

Below is the site virtual host config file. Please note that the issue exists with
AuthPAM_Enabled On as well.
[root@rhel5u164 Desktop]# cat /etc/httpd/conf.d/aa_com.conf 
Listen *:80
NameVirtualHost *:80
<VirtualHost *:80>
    #xmc:name aa.com
    ServerName aa.com
    DocumentRoot /var/www/html/aa.com
    #xmc:admin web
    ServerAdmin webmaster@rhel5u164.com
    <Directory "/var/www/html/aa.com">
        Satisfy all
        AuthName "Restricted Area: aa.com"
        Require user manoj
        AuthType Basic
        AuthPAM_Enabled Off
        AuthShadow On
        AuthBasicAuthoritative Off
    </Directory>
</VirtualHost>

Comment 13 Daniel Walsh 2008-03-04 15:33:52 EST
Yes the file context is set wrong.

Fixed in selinux-policy-2.4.6-124.el5

If you chcon -t chkpwd_exec_t /usr/sbin/validate

Does it work?
Comment 14 manoj 2008-03-04 23:18:59 EST
Yes, after changing the context of the validate binary to chkpwd_exec_t I'm able to
browse password protected web sites. However, I get the below attached
setroubleshoot alert when I browse the sites.
Comment 15 manoj 2008-03-04 23:20:24 EST
Created attachment 296844
SELinux is preventing /usr/sbin/validate (system_chkpwd_t) "read write" to
socket:[19495] (httpd_t).

Please note that I don't have any functionality issues with the attached alert.
Comment 17 Eduard Benes 2008-03-26 08:25:29 EDT
(In reply to comment #15)
> Created attachment 296844
> SELinux is preventing /usr/sbin/validate (system_chkpwd_t) "read write" to
> socket:[19495] (httpd_t).
>
> Please note that I don't have any functionality issues with the attached
> alert.

Manoj, could you please try the latest policy and reply whether it works for 
you? It should solve the problem with those messages. 
Thank you.

Latest packages are available here:

  http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/
Comment 18 manoj 2008-04-07 05:02:18 EDT
With the latest SELinux policy, selinux-policy-2.4.6-125.el5, I get the below attached
alert when I browse password protected web sites. As I said before, I don't see any
functionality issue however.

/usr/sbin/validate had the correct context with the latest policy:

[root@rhel5u1 ~]# ls -lZ /usr/sbin/validate
-rwsr-xr-x  root root system_u:object_r:chkpwd_exec_t  /usr/sbin/validate
Comment 19 manoj 2008-04-07 05:03:09 EDT
Created attachment 301484
SELinux is preventing /usr/sbin/validate (system_chkpwd_t) "read" to
eventpoll:[54222] (httpd_t).
Comment 20 Daniel Walsh 2008-04-08 08:58:12 EDT
This might be a leaked file descriptor.

xandros-libapache2-mod-auth-shadow-2.0.x.7-4

might be leaking a file descriptor, which SELinux is closing before validate is run.

All open file descriptors should be closed on exec:

fcntl(fd, F_SETFD, FD_CLOEXEC)
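The point in comment 20 is the general one for any program that execs a setuid or domain-transitioning helper: every descriptor the parent does not mean to hand over must be marked close-on-exec, otherwise the helper's image inherits it and, under SELinux, the new domain (system_chkpwd_t here) is checked for access to an object it was never supposed to touch (the httpd_t socket and eventpoll in the attached alerts). The following is an added example, not code from mod_auth_shadow, httpd or the SELinux policy. It assumes a POSIX system with /bin/sh; a constructed AF_UNIX socketpair stands in for httpd's client connection, and the hypothetical helper names set_cloexec, is_cloexec, fd_survives_exec and demo_cloexec are this example's own.

```c
/*
 * Added example: mark a descriptor FD_CLOEXEC before fork/exec and verify,
 * from inside the exec'd image, that it really did not survive.  Not code
 * from mod_auth_shadow, httpd or selinux-policy.
 */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Set FD_CLOEXEC on fd, preserving any other FD_* flags.
 * Returns 0 on success (or if already set), -1 with errno on error. */
int set_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    if (flags & FD_CLOEXEC)
        return 0;                      /* already close-on-exec */
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* 1 if fd is close-on-exec, 0 if it is not, -1 if fd is not open. */
int is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags == -1)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/*
 * Fork and exec /bin/sh, which tries to dup the inherited descriptor
 * number.  The redirection fails, and sh exits non-zero, if the kernel
 * closed that descriptor during exec.  Returns 1 if the descriptor survived
 * the exec, 0 if it did not, -1 on fork/exec/wait failure.
 */
int fd_survives_exec(int fd)
{
    char cmd[64];
    snprintf(cmd, sizeof cmd, "exec 9<&%d", fd);

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                    /* exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0 ? 1 : 0;
}

/*
 * Worked run on a constructed socketpair (stand-in for httpd's client
 * connection): the socket leaks into the exec'd child until it is marked
 * FD_CLOEXEC, and does not afterwards.  Returns 0 when that is what was
 * observed, 1 if the descriptor still leaked, -1 on environment failure.
 */
int demo_cloexec(void)
{
    int sv[2];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) == -1)
        return -1;

    int leaked_before = fd_survives_exec(sv[0]);   /* expected: 1 */
    int rc = set_cloexec(sv[0]);
    int leaked_after = fd_survives_exec(sv[0]);    /* expected: 0 */

    close(sv[0]);
    close(sv[1]);

    if (rc == -1 || leaked_before == -1 || leaked_after == -1)
        return -1;
    return (leaked_before == 1 && leaked_after == 0) ? 0 : 1;
}

int main(void)
{
    int rc = demo_cloexec();
    if (rc == 0)
        puts("socket inherited before FD_CLOEXEC, closed on exec after it");
    else
        printf("unexpected result %d: %s\n", rc, strerror(errno));
    return rc == 0 ? 0 : 1;
}
```

Marking descriptors one by one after the fact is the minimal fix; the more robust habit is to create them close-on-exec in the first place (SOCK_CLOEXEC for socketpair/socket, O_CLOEXEC for open) so there is no window between creation and fcntl in which a concurrent fork/exec can inherit them.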
Comment 22 errata-xmlrpc 2008-05-21 12:06:43 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0465.html
Comment 23 manoj 2008-06-05 02:39:19 EDT
On a RHEL5u2 system with selinux-policy 2.4.6-137 I see the below attached SELinux
alert when I follow the original method described in this bug. Please note there
is no functionality issue.
Comment 24 manoj 2008-06-05 02:41:42 EDT
Created attachment 308414
SELinux is preventing validate (system_chkpwd_t) "append" to /var/log/httpd/error_log (httpd_log_t)
Comment 25 Daniel Walsh 2008-06-09 15:49:36 EDT
This is a simple code redirection of stdout.  Can be ignored or you can add
custom policy by using audit2allow

grep httpd_log_t /var/log/audit/audit.log | audit2allow -M myhttp
semodule -i myhttp.pp
