
Apache security - contd.

In continuation of my previous mail...

The 'allow httpd_t...' rules posted are generated from avc: denied messages.

Regards
Salim Pathan

Re: Apache security - contd.

Looks like you are running an SELinux-aware application within the httpd_t domain, one that is actually trying to set up proper labeling, perhaps a Kerberos library.

Re: Apache security - contd.

I'm getting these AVC messages (SELinux in Permissive mode) when restarting the httpd daemon:

type=AVC msg=audit(1350035968.613:18551): avc: denied { read } for pid=6302 comm="httpd" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1350035968.613:18551): avc: denied { open } for pid=6302 comm="httpd" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1350035970.009:18552): avc: denied { search } for pid=6303 comm="httpd" name="selinux" dev=sda3 ino=128829 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1350035970.009:18552): avc: denied { read } for pid=6303 comm="httpd" name="config" dev=sda3 ino=130145 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1350035970.009:18552): avc: denied { open } for pid=6303 comm="httpd" name="config" dev=sda3 ino=130145 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1350035970.009:18553): avc: denied { getattr } for pid=6303 comm="httpd" path="/etc/selinux/config" dev=sda3 ino=130145 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file
type=AVC msg=audit(1350035970.009:18554): avc: denied { search } for pid=6303 comm="httpd" name="contexts" dev=sda3 ino=129181 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir
type=AVC msg=audit(1350035970.009:18554): avc: denied { search } for pid=6303 comm="httpd" name="files" dev=sda3 ino=129187 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_context_t:s0 tclass=dir
type=AVC msg=audit(1350035970.010:18555): avc: denied { read } for pid=6303 comm="httpd" name="file_contexts" dev=sda3 ino=131611 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1350035970.010:18555): avc: denied { open } for pid=6303 comm="httpd" name="file_contexts" dev=sda3 ino=131611 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1350035970.010:18556): avc: denied { getattr } for pid=6303 comm="httpd" path="/etc/selinux/targeted/contexts/files/file_contexts" dev=sda3 ino=131611 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:file_context_t:s0 tclass=file
type=AVC msg=audit(1350035970.132:18557): avc: denied { setfscreate } for pid=6303 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process


I've carefully gone through the above messages, but could not figure out the root problem...

Any help?


Thanks, Regards
Salim Pathan
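The rule generation mentioned earlier in the thread (allow rules produced from avc: denied messages) and the diagnosis that an SELinux-aware library is at work can both be reproduced mechanically on the records quoted above. The following is an added Python example, not code from the thread or from the SELinux tools; it merges the denials the way audit2allow does and separately flags the ones that point at the SELinux infrastructure itself (policy config, file_contexts, setfscreate), since those are not fixed by allowing access to web content. The embedded log lines are copied from the post above; the rule text approximates audit2allow output.

```python
import re
from collections import defaultdict

# AVC records copied from the thread above (SELinux was in permissive mode).
AVC_LOG = """\
type=AVC msg=audit(1350035968.613:18551): avc: denied { read } for pid=6302 comm="httpd" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1350035968.613:18551): avc: denied { open } for pid=6302 comm="httpd" name="mls" dev=selinuxfs ino=12 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file
type=AVC msg=audit(1350035970.009:18552): avc: denied { search } for pid=6303 comm="httpd" name="selinux" dev=sda3 ino=128829 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:selinux_config_t:s0 tclass=dir
type=AVC msg=audit(1350035970.132:18557): avc: denied { setfscreate } for pid=6303 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
                    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)")

# Target types that belong to the SELinux infrastructure itself: a process reading
# these (or calling setfscreatecon) is doing its own labeling through libselinux.
LABELING_TYPES = {"security_t", "selinux_config_t", "file_context_t", "default_context_t"}

def type_of(context):
    """user:role:type:range -> type."""
    return context.split(":")[2]

def parse_avc(text):
    """One (source_type, target_type, tclass, {perms}) tuple per denial record."""
    denials = []
    for m in (AVC_RE.search(line) for line in text.splitlines()):
        if m:
            denials.append((type_of(m["scon"]), type_of(m["tcon"]),
                            m["tclass"], set(m["perms"].split())))
    return denials

def allow_rules(text):
    """Merge denials into audit2allow-style rules, one per (source, target, class)."""
    merged = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        merged[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        perms = sorted(perms)
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        target = "self" if tgt == src else tgt   # audit2allow writes same-type targets as self
        rules.append(f"allow {src} {target}:{cls} {perm_str};")
    return rules

def labeling_activity(text):
    """True when the denials point at a library doing its own labeling (the
    thread's Kerberos-rcache case) rather than at mislabeled web content."""
    return any(tgt in LABELING_TYPES or "setfscreate" in perms
               for _, tgt, _, perms in parse_avc(text))
```

For the thread's records the flag is set, which is the cue to find the caller rather than to install the generated allow rules as-is.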

Re: Apache security - contd.

Did you set up Apache to use Kerberos?

Re: Apache security - contd.

I just added these rules to Fedora 18, since I see that using a Kerberos rcache file will require them.

Re: Apache security - contd.

No, I did not set up Apache to use Kerberos... The only thing I did on my box is to install openssl & openssh from source packages (not from RPM). Has this created a problem with file labeling?

Re: Apache security - contd.

Contact me via email or on selinux@lists.fedoraproject.org; it's easier to deal with than these messages.

Re: Apache security - contd.

Hi Dan,

May I have your email ID?

Thanks, Regards

Re: Apache security - contd.

dwalsh@redhat.com
