Bug 579105 - SELinux denies access for mod_auth_pam
Summary: SELinux denies access for mod_auth_pam
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.4
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2010-04-02 16:57 UTC by Vadym Chepkov
Modified: 2012-10-15 14:21 UTC (History)

Doc Type: Bug Fix
Doc Text:
When the httpd service was configured to use the "mod_auth_pam" module with winbind, users were denied access, even though the "allow_httpd_mod_auth_pam" and "httpd_can_network_connect" booleans were set to "on". With this update, "allow_httpd_mod_auth_pam" has been corrected, and users are no longer denied access with this configuration.
Last Closed: 2011-01-13 21:48:46 UTC




Links
Red Hat Product Errata RHBA-2011:0026 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2011-01-12 16:11:15 UTC

Description Vadym Chepkov 2010-04-02 16:57:23 UTC
selinux-policy-targeted-2.4.6-255.el5_4.4

httpd is configured to use mod_auth_pamd via winbind

Booleans have been set:

allow_httpd_mod_auth_pam -->  on
httpd_can_network_connect -->  on

User access is denied.
The following AVC messages have been generated in permissive mode:

type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 a0=10 a1=3 a2=9 a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:37): avc:  denied  { create } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket

type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 a0=13 a1=7fff640fa9c0 a2=7c a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:38): avc:  denied  { nlmsg_relay } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc:  denied  { write } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket

type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 a0=13 a1=7fff640f8690 a2=231c a3=42 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:39): avc:  denied  { read } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket

Comment 1 Daniel Walsh 2010-04-05 12:43:17 UTC
Miroslav, in RHEL6 we have:

tunable_policy(`allow_httpd_mod_auth_pam',`
	auth_domtrans_chk_passwd(httpd_t)
	logging_send_audit_msgs(httpd_t)
')

Can you add this to RHEL5 and F12?
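
Added example (my own script, not part of the bug report or of the selinux-policy package): a small triage helper that parses the AVC records quoted in the description, collapses them into the allow rule audit2allow would print, and flags any denial group that the boolean-gated logging_send_audit_msgs(httpd_t) call above would not address. The regex and the "self" normalisation are assumptions modelled on audit2allow's output, not its code.

```python
import re
from collections import defaultdict

# Constructed sample: the four AVC records quoted in the bug description
# (their SYSCALL companions omitted), embedded so this runs offline.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1270181973.950:37): avc:  denied  { create } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc:  denied  { nlmsg_relay } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc:  denied  { write } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:39): avc:  denied  { read } for  pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
"""

# Regex is my own (not audit2allow's); .*? skips extra fields such as path=.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+'
    r'pid=(?P<pid>\d+) comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

def parse_avc(text):
    """One dict per AVC record; SYSCALL and other record types are skipped."""
    records = []
    for m in filter(None, map(AVC_RE.match, text.splitlines())):
        rec = m.groupdict()
        rec["perms"] = set(rec["perms"].split())
        records.append(rec)
    return records

def summarize_denials(records):
    """Collapse denials to (source type, target type, class) -> permissions.
    The type is field 3 of user:role:type:level; a target context equal to
    the source is written 'self', as audit2allow does."""
    needed = defaultdict(set)
    for rec in records:
        if rec["result"] != "denied":
            continue
        stype = rec["scontext"].split(":")[2]
        ttype = "self" if rec["tcontext"] == rec["scontext"] else rec["tcontext"].split(":")[2]
        needed[(stype, ttype, rec["tclass"])] |= rec["perms"]
    return dict(needed)

def as_allow_rules(summary):
    """Render the summary as allow rules in the shape audit2allow prints."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(summary.items())]

def unrelated_to_audit_msgs(summary):
    """Denial groups other than httpd_t on its own netlink_audit_socket, i.e.
    ones the boolean-gated logging_send_audit_msgs(httpd_t) would not cover."""
    return [k for k in summary if k != ("httpd_t", "self", "netlink_audit_socket")]

if __name__ == "__main__":
    summary = summarize_denials(parse_avc(SAMPLE_AUDIT))
    print("\n".join(as_allow_rules(summary)))
    print("not covered by the fix:", unrelated_to_audit_msgs(summary))
```

On the sample the output is a single rule on self:netlink_audit_socket and an empty "not covered" list, which is exactly the situation the boolean fix targets; any other key in that list would need a separate rule or policy change.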

Comment 3 Miroslav Grepl 2010-07-22 09:27:51 UTC
Fixed in selinux-policy-2.4.6-281.el5.noarch

Comment 5 Milos Malik 2010-11-29 08:06:35 UTC
Hello Vadym,

could you please run your scenario again with selinux-policy which is available at the following URL?

http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/

Thanks

Comment 7 Vadym Chepkov 2010-12-15 18:42:32 UTC
Red Hat 5 packages were so old, I had to go with Fedora and it works there just fine. I also moved from winbind to nss_ldap.

But I will set up a RHEL5.5 with winbind to check whether it's still the case.

Comment 8 Vadym Chepkov 2010-12-15 19:32:22 UTC
selinux-policy-2.4.6-296.el5
selinux-policy-targeted-2.4.6-296.el5


I've got a warning during installation:

libsepol.sepol_genbools_array: boolean virt_manage_sysfs no longer in policy

but the authentication is successful:


192.168.16.6 - vchepkov [15/Dec/2010:19:29:52 +0000] "GET /favicon.ico HTTP/1.1" 404 299 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10"

Comment 9 Miroslav Grepl 2010-12-16 09:40:07 UTC
It is ok. The boolean was renamed to 

virt_use_nfs


Thanks for testing.

Comment 10 Jaromir Hradilek 2011-01-05 16:12:40 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
When the httpd service was configured to use the "mod_auth_pam" module with winbind, users were denied access, even though the "allow_httpd_mod_auth_pam" and "httpd_can_network_connect" booleans were set to "on". With this update, "allow_httpd_mod_auth_pam" has been corrected, and users are no longer denied access with this configuration.

Comment 12 errata-xmlrpc 2011-01-13 21:48:46 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

