selinux-policy-targeted-2.4.6-255.el5_4.4

httpd is configured to use mod_auth_pamd via winbind
booleans have been set
allow_httpd_mod_auth_pam --> on
httpd_can_network_connect --> on

user access gets access denied. The following avc has been generated in permissive mode:

type=SYSCALL msg=audit(1270181973.950:37): arch=c000003e syscall=41 success=yes exit=19 a0=10 a1=3 a2=9 a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:37): avc: denied { create } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1270181973.950:38): arch=c000003e syscall=44 success=yes exit=124 a0=13 a1=7fff640fa9c0 a2=7c a3=0 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:38): avc: denied { nlmsg_relay } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc: denied { write } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1270181973.950:39): arch=c000003e syscall=45 success=yes exit=36 a0=13 a1=7fff640f8690 a2=231c a3=42 items=0 ppid=2032 pid=2039 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1270181973.950:39): avc: denied { read } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
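The four AVC records above all come from httpd_t talking to its own netlink audit socket, which is what the later RHEL6 fix (logging_send_audit_msgs) addresses. The following script is an added example, not part of the bug report or of selinux-policy: it parses AVC lines the way audit2allow does, collapses them into the allow rules they imply, and then checks those denials against the permission set a policy interface grants. The contents of logging_send_audit_msgs and create_socket_perms are reproduced here from the reference policy as an assumption; verify them against the policy sources of the release you actually run.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC records quoted in this report. The SYSCALL
# records are left out because only the AVC lines carry the denied permissions.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1270181973.950:37): avc: denied { create } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc: denied { nlmsg_relay } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:38): avc: denied { write } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
type=AVC msg=audit(1270181973.950:39): avc: denied { read } for pid=2039 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=netlink_audit_socket
"""

# Matches the fields of an AVC denial record that matter for policy writing.
AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# Assumption: reference policy's create_socket_perms = { create rw_socket_perms }.
CREATE_SOCKET_PERMS = {
    'create', 'ioctl', 'read', 'getattr', 'write', 'setattr', 'append',
    'bind', 'connect', 'getopt', 'setopt', 'shutdown',
}

# Assumption: logging_send_audit_msgs(httpd_t) expands to
#   allow httpd_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };
# (it also grants capability audit_write, which no AVC above asks for).
GRANTED_BY_RHEL6_FIX = {
    ('httpd_t', 'httpd_t', 'netlink_audit_socket'): CREATE_SOCKET_PERMS | {'nlmsg_relay'},
}


def parse_denials(text):
    """Return {(source_type, target_type, tclass): set(perms)} from AVC lines."""
    denials = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and unrelated lines are skipped
        stype = m.group('scontext').split(':')[2]  # user:role:TYPE:level
        ttype = m.group('tcontext').split(':')[2]
        key = (stype, ttype, m.group('tclass'))
        denials[key].update(m.group('perms').split())
    return dict(denials)


def allow_rules(denials):
    """Render the denials as allow rules, in the form audit2allow prints them."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(denials.items()):
        target = 'self' if stype == ttype else ttype
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


def uncovered_perms(denials, granted):
    """Return the denials a candidate policy would NOT satisfy (empty when all are covered)."""
    missing = {}
    for key, perms in denials.items():
        left = perms - granted.get(key, set())
        if left:
            missing[key] = left
    return missing


if __name__ == '__main__':
    found = parse_denials(SAMPLE_AUDIT_LOG)
    for rule in allow_rules(found):
        print(rule)
    print('not covered by RHEL6 fix:', uncovered_perms(found, GRANTED_BY_RHEL6_FIX))
```

Run against the report's records this prints a single self:netlink_audit_socket rule and an empty "not covered" set, which is the check that the interface the maintainers chose actually accounts for every permission in the denials rather than just the first one.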
Miroslav in RHEL6 we have.

tunable_policy(`allow_httpd_mod_auth_pam',`
	auth_domtrans_chk_passwd(httpd_t)
	logging_send_audit_msgs(httpd_t)
')

Can you add this to RHEL5 and F12.
Fixed in selinux-policy-2.4.6-281.el5.noarch
Hello Vadym, could you please run your scenario again with selinux-policy which is available at the following URL? http://people.redhat.com/dwalsh/SELinux/RHEL5/noarch/ Thanks
Redhat5 packages were so old, I had to go with Fedora and it works there just fine. I also moved from winbind to nss_ldap. But I will setup a RHEL5.5 with winbind to check, if it's still the case.
selinux-policy-2.4.6-296.el5
selinux-policy-targeted-2.4.6-296.el5

I've got a warning during installation:

libsepol.sepol_genbools_array: boolean virt_manage_sysfs no longer in policy

but the authentication is successful:

192.168.16.6 - vchepkov [15/Dec/2010:19:29:52 +0000] "GET /favicon.ico HTTP/1.1" 404 299 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_5; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10"
It is ok. The boolean was renamed to virt_use_nfs. Thanks for testing.
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
When the httpd service was configured to use the "mod_auth_pam" module with winbind, users were denied access, even though the "allow_httpd_mod_auth_pam" and "httpd_can_network_connect" booleans were set to "on". With this update, "allow_httpd_mod_auth_pam" has been corrected, and users are no longer denied access with this configuration.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html