Java Mailing List Archive

http://www.redhatconfig.com/


Re: [rhelv5-list] SELinux and sharing /etc/shadow...

Scott Bambrough

2008-01-28

With mod_auth_shadow, SELinux denies httpd access to
/usr/sbin/validate. This is an suid helper program run by
mod_auth_shadow which actually opens and performs a validation request
for mod_auth_shadow.

This problem isn't restricted to mod_auth_shadow, however; it also
happens with mod_auth_winbind. This accesses the PAM stack,
which runs a separate executable /usr/bin/ntlm_auth (file context:
winbind_helper_exec_t) as a helper program for authentication. SELinux
denies httpd access to ntlm_auth.

I've attached the two alerts.

Scott

Steve Grubb wrote:
> On Friday 25 January 2008 18:58:44 Scott Bambrough wrote:
>  
>> The goal is to make mod_auth_shadow work in a secure fashion with
>> SELinux in enforcing mode.
>>  
>
> Gotcha.
>
>  
>> I basically tried the above and can get mod_auth_shadow to work.
>>  
>
> I think we need a policy change. Let me think about it and I'll get back with
> you on this. I don't want to shoot from the hip.
>
> -Steve
>  

Summary
  SELinux is preventing the /usr/sbin/httpd from using potentially mislabeled
  files ntlm_auth (winbind_helper_exec_t).

Detailed Description
  SELinux has denied the /usr/sbin/httpd access to potentially mislabeled
  files ntlm_auth. This means that SELinux will not allow http to use these
  files. Many third party apps install html files in directories that SELinux
  policy can not predict. These directories have to be labeled with a file
  context which httpd can access.

Allowing Access
  If you want to change the file context of ntlm_auth so that the httpd daemon
  can access it, you need to execute it using chcon -t
  httpd_sys_content_t.ntlm_auth. You can look at the httpd_selinux man page
  for additional information.

Additional Information    

Source Context           system_u:system_r:httpd_t
Target Context           system_u:object_r:winbind_helper_exec_t
Target Objects           ntlm_auth [ file ]
Affected RPM Packages      httpd-2.2.3-11.el5 [application]
Policy RPM             selinux-policy-2.4.6-104.el5
Selinux Enabled          True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode           Enforcing
Plugin Name             plugins.httpd_bad_labels
Host Name              srh5.sarita.com
Platform               Linux srh5.sarita.com 2.6.18-53.el5 #1 SMP Wed Oct 10 16:34:02 EDT 2007 i686 i686
Alert Count             3
Line Numbers            

Raw Audit Messages        

avc: denied { execute } for comm="httpd" dev=dm-0 egid=48 euid=48
exe="/usr/sbin/httpd" exit=-13 fsgid=48 fsuid=48 gid=48 items=0 name="ntlm_auth"
pid=6702 scontext=system_u:system_r:httpd_t:s0 sgid=48
subj=system_u:system_r:httpd_t:s0 suid=48 tclass=file
tcontext=system_u:object_r:winbind_helper_exec_t:s0 tty=(none) uid=48


Summary
  SELinux is preventing the /usr/sbin/validate from using potentially
  mislabeled files shadow (shadow_t).

Detailed Description
  SELinux has denied the /usr/sbin/validate access to potentially mislabeled
  files shadow. This means that SELinux will not allow http to use these
  files. Many third party apps install html files in directories that SELinux
  policy can not predict. These directories have to be labeled with a file
  context which httpd can access.

Allowing Access
  If you want to change the file context of shadow so that the httpd daemon
  can access it, you need to execute it using chcon -t
  httpd_sys_content_t.shadow. You can look at the httpd_selinux man page for
  additional information.

Additional Information    

Source Context           root:system_r:httpd_t
Target Context           system_u:object_r:shadow_t
Target Objects           shadow [ file ]
Affected RPM Packages      xandros-libapache2-mod-auth-shadow-2.0.x.7-1
                   [application]
Policy RPM             selinux-policy-2.4.6-104.el5
Selinux Enabled          True
Policy Type             targeted
MLS Enabled             True
Enforcing Mode           Enforcing
Plugin Name             plugins.httpd_bad_labels
Host Name              srh5.sarita.com
Platform               Linux srh5.sarita.com 2.6.18-53.el5 #1 SMP Wed Oct 10 16:34:02 EDT 2007 i686 i686
Alert Count             7
Line Numbers            

Raw Audit Messages        

avc: denied { read } for comm="validate" dev=dm-0 egid=48 euid=0
exe="/usr/sbin/validate" exit=-13 fsgid=48 fsuid=0 gid=48 items=0 name="shadow"
pid=15891 scontext=root:system_r:httpd_t:s0 sgid=48
subj=root:system_r:httpd_t:s0 suid=0 tclass=file
tcontext=system_u:object_r:shadow_t:s0 tty=(none) uid=48


_______________________________________________
rhelv5-list mailing list
rhelv5-list@(protected)
https://www.redhat.com/mailman/listinfo/rhelv5-list
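The two attached alerts are the kind of AVC denial that people routinely feed straight into audit2allow. The script below is an added example (not code from the original post, from mod_auth_shadow, or from Red Hat's policy) that derives the same allow rules audit2allow would from those two raw audit lines, using only POSIX sh and awk, so the effect of an "allow what was denied" module is visible before anything is loaded. The sample input is the two AVC messages from the alerts above, re-joined onto one line each; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post or from mod_auth_shadow.
# Turns raw AVC denials like the two attached above into the "allow" rules that
# audit2allow would derive from them, so you can see exactly what an
# "allow whatever was denied" policy module would grant before loading one.
# Assumes only POSIX sh and awk; it does not run audit2allow or semodule.

# Constructed sample input: the two AVC lines from the attached alerts,
# re-joined onto one line each (the archive wrapped them).
AVC_SAMPLE='avc: denied { execute } for comm="httpd" dev=dm-0 egid=48 euid=48 exe="/usr/sbin/httpd" exit=-13 fsgid=48 fsuid=48 gid=48 items=0 name="ntlm_auth" pid=6702 scontext=system_u:system_r:httpd_t:s0 sgid=48 subj=system_u:system_r:httpd_t:s0 suid=48 tclass=file tcontext=system_u:object_r:winbind_helper_exec_t:s0 tty=(none) uid=48
avc: denied { read } for comm="validate" dev=dm-0 egid=48 euid=0 exe="/usr/sbin/validate" exit=-13 fsgid=48 fsuid=0 gid=48 items=0 name="shadow" pid=15891 scontext=root:system_r:httpd_t:s0 sgid=48 subj=root:system_r:httpd_t:s0 suid=0 tclass=file tcontext=system_u:object_r:shadow_t:s0 tty=(none) uid=48'

# avc_to_allow: read AVC lines on stdin and print one
#   allow <source type> <target type>:<class> { <perms> };
# per denial. Only the type field of each context matters for a TE rule, so
# the user, role and MLS level parts are dropped.
avc_to_allow() {
  awk '
    function type_of(ctx,    parts) {
      split(ctx, parts, ":")      # user:role:type[:level]
      return parts[3]
    }
    /avc: +denied/ {
      match($0, /[{][^}]*[}]/)    # permissions sit between { and }
      perms = substr($0, RSTART + 1, RLENGTH - 2)
      gsub(/^ +| +$/, "", perms)
      src = ""; tgt = ""; cls = ""
      for (i = 1; i <= NF; i++) {
        split($i, kv, "=")
        if (kv[1] == "scontext") src = type_of(kv[2])
        else if (kv[1] == "tcontext") tgt = type_of(kv[2])
        else if (kv[1] == "tclass") cls = kv[2]
      }
      printf "allow %s %s:%s { %s };\n", src, tgt, cls, perms
    }'
}

# rules_for_sample: the rules a generated module would contain for the sample.
rules_for_sample() {
  printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
}

# shadow_grants: filter a rule list down to anything that hands httpd_t a
# permission on shadow_t. Because /usr/sbin/validate runs in httpd_t (the
# second alert shows no domain transition, only euid=0 from the suid bit),
# such a rule lets every httpd_t process, not just the helper, read /etc/shadow.
shadow_grants() {
  grep -E '^allow httpd_t shadow_t:'
}

rules_for_sample
echo '--- rules above that must not go into a module as-is:'
rules_for_sample | shadow_grants
```

The second rule the script prints is the one the setroubleshoot text is effectively asking for, and it is the reason Steve's reply talks about a policy change rather than a label change: granting httpd_t read on shadow_t gives every Apache worker (and anything that compromises one) the password hashes, and relabeling /etc/shadow as httpd_sys_content_t is worse still, since it takes the file out of shadow_t for every other domain too. The usual SELinux answer for an suid helper like validate is a dedicated domain entered by a domain transition from httpd_t, with the shadow_t read allowed only in that domain; the script flags the rule so you notice it before a hand-written module, not a generated one, is loaded.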