* HTTPD network access Policy Problem
From: Christopher L Tubbs II @ 2006-05-23 21:35 UTC
  To: selinux

Hi,

I'm reasonably new to SELinux, but I noticed recently that a change I
made in my policy (from the GUI system-config-securitylevel) a while
back to allow the HTTPD to have network access so I can use Web-based
mail scripts now does not seem to work. The only change I've made since
then was periodic "yum update" with the occasional policy updates
through that. However, despite the fact that the GUI still shows the
settings that I had changed in the past, the policy is still blocking
access (It works in Permissive mode). Can anybody perhaps explain why
this might be, and what specifically I should check to verify the
settings and make this functional again?

Rainman

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.


* Re: HTTPD network access Policy Problem
From: Christopher J. PeBenito @ 2006-05-24 14:12 UTC
  To: Christopher L Tubbs II; +Cc: selinux

On Tue, 2006-05-23 at 17:35 -0400, Christopher L Tubbs II wrote:
> I'm reasonably new to SELinux, but I noticed recently that a change I
> made in my policy (from the GUI system-config-securitylevel) a while
> back to allow the HTTPD to have network access so I can use Web-based
> mail scripts now does not seem to work. The only change I've made since
> then was periodic "yum update" with the occasional policy updates
> through that. However, despite the fact that the GUI still shows the
> settings that I had changed in the past, the policy is still blocking
> access (It works in Permissive mode). Can anybody perhaps explain why
> this might be, and what specifically I should check to verify the
> settings and make this functional again?

First we need to see the denial messages (avc: denied messages) to see
exactly what permissions are being denied.  You can find them
in /var/log/messages (or /var/log/audit/audit.log if you have auditd
running).

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150



* Re: HTTPD network access Policy Problem
From: Christopher L Tubbs II @ 2006-05-25  0:41 UTC
  To: Christopher J. PeBenito; +Cc: selinux

Christopher J. PeBenito wrote:
> On Tue, 2006-05-23 at 17:35 -0400, Christopher L Tubbs II wrote:
>> I'm reasonably new to SELinux, but I noticed recently that a change I
>> made in my policy (from the GUI system-config-securitylevel) a while
>> back to allow the HTTPD to have network access so I can use Web-based
>> mail scripts now does not seem to work. The only change I've made since
>> then was periodic "yum update" with the occasional policy updates
>> through that. However, despite the fact that the GUI still shows the
>> settings that I had changed in the past, the policy is still blocking
>> access (It works in Permissive mode). Can anybody perhaps explain why
>> this might be, and what specifically I should check to verify the
>> settings and make this functional again?
> 
> First we need to see the denial messages (avc: denied messages) to see
> exactly what permissions are being denied.  You can find them
> in /var/log/messages (or /var/log/audit/audit.log if you have auditd
> running).
> 

It should be noted that I am using PHP to do the mailing.

May 24 20:37:15 tubbs-net kernel: audit(1148517435.478:65): avc:  denied
 { execute } for  pid=2456 comm="httpd" name="bash" dev=dm-0 ino=3470057
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Chris


* Re: HTTPD network access Policy Problem
From: Russell Coker @ 2006-05-25  3:21 UTC
  To: Christopher L Tubbs II; +Cc: Christopher J. PeBenito, selinux

On Thursday 25 May 2006 10:41, Christopher L Tubbs II <chris@tubbs-net.com> 
wrote:
> > First we need to see the denial messages (avc: denied messages) to see
> > exactly what permissions are being denied.  You can find them
> > in /var/log/messages (or /var/log/audit/audit.log if you have auditd
> > running).
>
> It should be noted that I am using PHP to do the mailing.
>
> May 24 20:37:15 tubbs-net kernel: audit(1148517435.478:65): avc:  denied
>  { execute } for  pid=2456 comm="httpd" name="bash" dev=dm-0 ino=3470057
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:object_r:shell_exec_t:s0 tclass=file

Try enabling the httpd_ssi_exec boolean.

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
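
Added example, not part of any message in this thread: a small Python parser for the `avc: denied` record posted above, which rejoins the mail-wrapped lines and reports which source type was denied which permission on which target type and class. The function names are hypothetical, and the assumption that `tclass=` closes a record holds for the format shown in the thread.

```python
import re
from collections import defaultdict

# Denial record copied from the thread, with the mail client's line wrapping intact.
SAMPLE = """\
May 24 20:37:15 tubbs-net kernel: audit(1148517435.478:65): avc:  denied
 { execute } for  pid=2456 comm="httpd" name="bash" dev=dm-0 ino=3470057
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:shell_exec_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_records(text):
    """Rejoin wrapped records: start at 'avc:', stop at the line holding tclass=."""
    records, current = [], None
    for line in text.splitlines():
        if "avc:" in line:
            current = []              # start of a denial record
        if current is None:
            continue                  # unrelated log line
        current.append(line.strip())
        if "tclass=" in line:         # assumption: tclass closes the record
            records.append(" ".join(current))
            current = None
    return records

def parse_denial(record):
    """Return the record's fields as a dict, or None if it is not a denial."""
    m = AVC_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    fields["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is the third component.
    fields["source_type"] = fields["scontext"].split(":")[2]
    fields["target_type"] = fields["tcontext"].split(":")[2]
    return fields

def summarize(text):
    """Group denials by (source type, target type, class) -> set of permissions."""
    summary = defaultdict(set)
    for d in filter(None, map(parse_denial, split_records(text))):
        summary[(d["source_type"], d["target_type"], d["tclass"])].update(d["perms"])
    return dict(summary)

if __name__ == "__main__":
    for (src, tgt, cls), perms in summarize(SAMPLE).items():
        print(f"{src} -> {tgt}:{cls} denied {{ {' '.join(sorted(perms))} }}")
```

For the record in this thread the summary is `httpd_t -> shell_exec_t:file denied { execute }`: the blocked operation is `httpd` executing `bash`, a file permission rather than a network one.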
