* 2.6.27-rc1 + selinux new options = no httpd
From: Gene Heskett @ 2008-07-31 2:54 UTC
To: linux-kernel

Greetings;

I just had to reboot backwards to 2.6.26 as I don't seem to be able to turn
off enough selinux stuff to allow apache (httpd) to run, on 2.6.27-rc1 it
cannot get perms to access its log files so it exits.

Is there a specific fix for this?

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Heuristics are bug ridden by definition. If they didn't have bugs,
then they'd be algorithms.

* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Valdis.Kletnieks @ 2008-07-31 3:36 UTC
To: Gene Heskett
Cc: linux-kernel

On Wed, 30 Jul 2008 22:54:25 EDT, Gene Heskett said:
> Greetings;
>
> I just had to reboot backwards to 2.6.26 as I don't seem to be able to turn
> off enough selinux stuff to allow apache (httpd) to run, on 2.6.27-rc1 it
> cannot get perms to access its log files so it exits.

Oddness indeed - booting with 'permissive' should at least let things work
so you can diagnose the problem.

Do you have any of the AVC messages that got generated when apache failed?

* Re: 2.6.27-rc1 + selinux new options = no httpd
From: James Morris @ 2008-07-31 4:43 UTC
To: Gene Heskett
Cc: linux-kernel, Eric Paris, Stephen Smalley

On Wed, 30 Jul 2008, Gene Heskett wrote:
> Greetings;
>
> I just had to reboot backwards to 2.6.26 as I don't seem to be able to turn
> off enough selinux stuff to allow apache (httpd) to run, on 2.6.27-rc1 it
> cannot get perms to access its log files so it exits.

Which new options?

What AVC messages are you seeing?

Which distro are you using and what is the policy package version?

> Is there a specific fix for this?

This is the first I've heard of this.

- James
--
James Morris <jmorris@namei.org>

* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Gene Heskett @ 2008-07-31 13:09 UTC
To: James Morris
Cc: linux-kernel, Eric Paris, Stephen Smalley

On Thursday 31 July 2008, James Morris wrote:
>On Wed, 30 Jul 2008, Gene Heskett wrote:
>> Greetings;
>>
>> I just had to reboot backwards to 2.6.26 as I don't seem to be able to
>> turn off enough selinux stuff to allow apache (httpd) to run, on
>> 2.6.27-rc1 it cannot get perms to access its log files so it exits.
>
>Which new options?

Make xconfig-->security options:

XFRM Networking security hooks

and several others just below it. Unforch, I can't copy/paste the screen.

My next build will be with the above option turned off for grins & giggles.
However, I have about 16 bundles of shingles yet to sail up onto a roof &
nail down in the cooler parts of the day till I'm done. Taken last evening,
I'm on the right.
<http://gene.homelinux.net:85/gene/Garage-pix/p7300002.jpg>

>What AVC messages are you seeing?

I posted the whole screen from setroubleshoot earlier.

>Which distro are you using and what is the policy package version?

F8,
selinux-policy-targeted-3.0.8-109.fc8
selinux-policy-3.0.8-109.fc8
policycoreutils-gui-2.0.33-3.fc8
checkpolicy-2.0.4-1.fc8
policycoreutils-2.0.33-3.fc8
selinux-policy-devel-3.0.8-109.fc8

System has been relabeled twice now, no change, and the setroubleshoot
command suggested doesn't fix it.

>> Is there a specific fix for this?
>
>This is the first I've heard of this.
>
Caught me out too. :)
>
>- James

Thanks James.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
"More software projects have gone awry for lack of calendar time than
for all other causes combined."
-- Fred Brooks, Jr., _The Mythical Man Month_

* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Eric Paris @ 2008-07-31 14:44 UTC
To: Gene Heskett
Cc: James Morris, linux-kernel, Stephen Smalley

On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
> On Thursday 31 July 2008, James Morris wrote:

> >What AVC messages are you seeing?
>
> I posted the whole screen from setroubleshoot earlier.

I'm sorry but I can't seem to find it in your original message...

http://marc.info/?l=linux-kernel&m=121747333012971&w=2

Do you have another pointer? I can't think of anything that went into
2.6.27 related to SELinux that should have in any way changed file
access checks but I'll poke through the changelog and see if something
stands out...

-Eric

* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Stephen Smalley @ 2008-07-31 17:47 UTC
To: Eric Paris
Cc: Gene Heskett, James Morris, linux-kernel, Alexander Viro

On Thu, 2008-07-31 at 10:44 -0400, Eric Paris wrote:
> On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
> > On Thursday 31 July 2008, James Morris wrote:
>
> > >What AVC messages are you seeing?
> >
> > I posted the whole screen from setroubleshoot earlier.
>
> I'm sorry but I can't seem to find it in your original message...
>
> http://marc.info/?l=linux-kernel&m=121747333012971&w=2
>
> Do you have another pointer? I can't think of anything that went into
> 2.6.27 related to SELinux that should have in any way changed file
> access checks but I'll poke through the changelog and see if something
> stands out...

I suspect it is the append bug introduced by the vfs changes, fixed by
http://marc.info/?l=linux-kernel&m=121726661110266&w=2

httpd would only be allowed append permission to its log file by policy.

--
Stephen Smalley
National Security Agency

* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Gene Heskett @ 2008-08-01 18:52 UTC
To: Stephen Smalley
Cc: Eric Paris, James Morris, linux-kernel, Alexander Viro

On Thursday 31 July 2008, Stephen Smalley wrote:
>On Thu, 2008-07-31 at 10:44 -0400, Eric Paris wrote:
>> On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
>> > On Thursday 31 July 2008, James Morris wrote:
>> > >What AVC messages are you seeing?
>> >
>> > I posted the whole screen from setroubleshoot earlier.
>>
>> I'm sorry but I can't seem to find it in your original message...
>>
>> http://marc.info/?l=linux-kernel&m=121747333012971&w=2
>>
>> Do you have another pointer? I can't think of anything that went into
>> 2.6.27 related to SELinux that should have in any way changed file
>> access checks but I'll poke through the changelog and see if something
>> stands out...
>
>I suspect it is the append bug introduced by the vfs changes, fixed by
>http://marc.info/?l=linux-kernel&m=121726661110266&w=2
>
>httpd would only be allowed append permission to its log file by policy.

This fixed it right up a few hours ago, Steven. Thanks.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Keep the phase, baby.

* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Stephen Smalley @ 2008-08-01 12:51 UTC
To: Eric Paris
Cc: Gene Heskett, James Morris, linux-kernel, Alexander Viro

On Thu, 2008-07-31 at 10:44 -0400, Eric Paris wrote:
> On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
> > On Thursday 31 July 2008, James Morris wrote:
>
> > >What AVC messages are you seeing?
> >
> > I posted the whole screen from setroubleshoot earlier.
>
> I'm sorry but I can't seem to find it in your original message...
>
> http://marc.info/?l=linux-kernel&m=121747333012971&w=2
>
> Do you have another pointer? I can't think of anything that went into
> 2.6.27 related to SELinux that should have in any way changed file
> access checks but I'll poke through the changelog and see if something
> stands out...

It could be the append bug introduced by the vfs changes.
See:
http://marc.info/?l=linux-kernel&m=121726661110266&w=2

That would break any case where only append permission is granted (not
full write access), as would be typical for httpd log files.

--
Stephen Smalley
National Security Agency

* Re: 2.6.27-rc1 + selinux new options = no httpd
From: Al Viro @ 2008-08-01 14:47 UTC
To: Stephen Smalley
Cc: Eric Paris, Gene Heskett, James Morris, linux-kernel

On Fri, Aug 01, 2008 at 08:51:08AM -0400, Stephen Smalley wrote:
>
> On Thu, 2008-07-31 at 10:44 -0400, Eric Paris wrote:
> > On Thu, 2008-07-31 at 09:09 -0400, Gene Heskett wrote:
> > > On Thursday 31 July 2008, James Morris wrote:
> >
> > > >What AVC messages are you seeing?
> > >
> > > I posted the whole screen from setroubleshoot earlier.
> >
> > I'm sorry but I can't seem to find it in your original message...
> >
> > http://marc.info/?l=linux-kernel&m=121747333012971&w=2
> >
> > Do you have another pointer? I can't think of anything that went into
> > 2.6.27 related to SELinux that should have in any way changed file
> > access checks but I'll poke through the changelog and see if something
> > stands out...
>
> It could be the append bug introduced by the vfs changes.
> See:
> http://marc.info/?l=linux-kernel&m=121726661110266&w=2
>
> That would break any case where only append permission is granted (not
> full write access), as would be typical for httpd log files.

commit d54bb7a971b41b8a4baba6e3d9adf14ce035947f
Author: Stephen Smalley <sds@tycho.nsa.gov>
Date:   Mon Jul 28 13:32:38 2008 -0400

    Re: BUG at security/selinux/avc.c:883 (was: Re: linux-next: Tree for July 17: early crash on x86-64)

in vfs-2.6.git/for-next (and for-linus as well)

* Re: 2.6.27-rc1 + selinux new options = no httpd
From: James Morris @ 2008-07-31 20:02 UTC
To: Gene Heskett
Cc: linux-kernel, Eric Paris, Stephen Smalley

On Thu, 31 Jul 2008, Gene Heskett wrote:
> >Which new options?
>
> Make xconfig-->security options:
>
> XFRM Networking security hooks
>
> and several others just below it. Unforch, I can't copy/paste the screen.

I can't really imagine what that is (although if you enable the secmark
controls under the main SELinux menu, which are disabled by default,
there could be problems).

Please post your .config.

- James
--
James Morris <jmorris@namei.org>

* 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)
From: Rafael J. Wysocki @ 2008-07-31 22:17 UTC
To: James Morris
Cc: Gene Heskett, linux-kernel, Eric Paris, Stephen Smalley

On Thursday, 31 of July 2008, James Morris wrote:
> On Thu, 31 Jul 2008, Gene Heskett wrote:
>
> > >Which new options?
> >
> > Make xconfig-->security options:
> >
> > XFRM Networking security hooks
> >
> > and several others just below it. Unforch, I can't copy/paste the screen.
>
> I can't really imagine what that is (although if you enable the secmark
> controls under the main SELinux menu, which are disabled by default,
> there could be problems).

On a possibly related note, I've been observing a strange issue on one of my
test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains that
there's no passno value in the fstab, although it obviously is present.

Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
unset, the fsck doesn't complain about the missing passno field any more.

Thanks,
Rafael

* Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)
From: Gene Heskett @ 2008-08-01 13:39 UTC
To: Rafael J. Wysocki
Cc: James Morris, linux-kernel, Eric Paris, Stephen Smalley

On Thursday 31 July 2008, Rafael J. Wysocki wrote:
Update by Gene below.
>On Thursday, 31 of July 2008, James Morris wrote:
>> On Thu, 31 Jul 2008, Gene Heskett wrote:
>> > >Which new options?
>> >
>> > Make xconfig-->security options:
>> >
>> > XFRM Networking security hooks
>> >
>> > and several others just below it. Unforch, I can't copy/paste the
>> > screen.
>>
>> I can't really imagine what that is (although if you enable the secmark
>> controls under the main SELinux menu, which are disabled by default,
>> there could be problems).
>
>On a possibly related note, I've been observing a strange issue on one of
>my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
>that there's no passno value in the fstab, although it obviously is present.
>
>Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
> unset, the fsck doesn't complain about the missing passno field any more.
>
>Thanks,
>Rafael

I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig'
from my 2.6.26 final .config moved to that src tree.

httpd is still being denied access to its log files and dies during the
bootup.

This is a showstopper for me.

From the log:
Aug 1 09:12:13 coyote setroubleshoot: SELinux prevented httpd reading and writing access to http files. For complete SELinux messages. run sealert -l ecd4e1d6-59fa-47ff-830d-3fb7d9114805

From the output of that report:
The following command will allow this access:
setsebool -P httpd_unified=1
(Gene: but it is not effective)

Additional Information:

Source Context        system_u:system_r:httpd_t:s0
Target Context        system_u:object_r:httpd_log_t:s0
Target Objects        ./error_log [ file ]
Source                httpd
Source Path           /usr/sbin/httpd
Port                  <Unknown>
Host                  coyote.coyote.den
Source RPM Packages   httpd-2.2.8-1.fc8
Target RPM Packages
Policy RPM            selinux-policy-3.0.8-109.fc8
Selinux Enabled       True
Policy Type           targeted
MLS Enabled           True
Enforcing Mode        Enforcing
Plugin Name           httpd_unified
Host Name             coyote.coyote.den
Platform              Linux coyote.coyote.den 2.6.27-rc1 #2 PREEMPT Wed Jul 30 19:05:14 EDT 2008 i686 athlon
Alert Count           11
First Seen            Tue Jul 29 15:51:41 2008

There is more but you've seen it previously I believe.

Thanks for any help/solution.

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Advertising may be described as the science of arresting the human
intelligence long enough to get money from it.

* Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)
From: Eric Paris @ 2008-08-01 13:47 UTC
To: Gene Heskett
Cc: Rafael J. Wysocki, James Morris, linux-kernel, Stephen Smalley, aviro

On Fri, 2008-08-01 at 09:39 -0400, Gene Heskett wrote:
> On Thursday 31 July 2008, Rafael J. Wysocki wrote:
> Update by Gene below.
> >On Thursday, 31 of July 2008, James Morris wrote:
> >> On Thu, 31 Jul 2008, Gene Heskett wrote:
> >> > >Which new options?
> >> >
> >> > Make xconfig-->security options:
> >> >
> >> > XFRM Networking security hooks
> >> >
> >> > and several others just below it. Unforch, I can't copy/paste the
> >> > screen.
> >>
> >> I can't really imagine what that is (although if you enable the secmark
> >> controls under the main SELinux menu, which are disabled by default,
> >> there could be problems).
> >
> >On a possibly related note, I've been observing a strange issue on one of
> >my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
> >that there's no passno value in the fstab, although it obviously is present.
> >
> >Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
> > unset, the fsck doesn't complain about the missing passno field any more.
> >
> >Thanks,
> >Rafael
>
> I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig' from
> my 2.6.26 final .config moved to that src tree.
>
> httpd is still being denied access to its log files and dies during the bootup.
>
> This is a showstopper for me.

Stephen Smalley just sent me a private note. Apparently he is having
e-mail trouble but he did point out the most likely problem. Can you
add the patch from

http://marc.info/?l=linux-kernel&m=121726661110266&w=2

And give it a whirl? Sorry, but we think the problem is that the VFS
stopped passing all of the relevant information down to the security
system. https is only allowed to append to its log files, not actually
'write.' Since the VFS is no longer differentiating those two operations
you are getting the denial for write.

I'll try to get this pushed into linus's tree quickly.

-Eric

* Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)
From: Al Viro @ 2008-08-01 14:02 UTC
To: Eric Paris
Cc: Gene Heskett, Rafael J. Wysocki, James Morris, linux-kernel, Stephen Smalley, aviro

On Fri, Aug 01, 2008 at 09:47:59AM -0400, Eric Paris wrote:
> On Fri, 2008-08-01 at 09:39 -0400, Gene Heskett wrote:
> > On Thursday 31 July 2008, Rafael J. Wysocki wrote:
> > Update by Gene below.
> > >On Thursday, 31 of July 2008, James Morris wrote:
> > >> On Thu, 31 Jul 2008, Gene Heskett wrote:
> > >> > >Which new options?
> > >> >
> > >> > Make xconfig-->security options:
> > >> >
> > >> > XFRM Networking security hooks
> > >> >
> > >> > and several others just below it. Unforch, I can't copy/paste the
> > >> > screen.
> > >>
> > >> I can't really imagine what that is (although if you enable the secmark
> > >> controls under the main SELinux menu, which are disabled by default,
> > >> there could be problems).
> > >
> > >On a possibly related note, I've been observing a strange issue on one of
> > >my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
> > >that there's no passno value in the fstab, although it obviously is present.
> > >
> > >Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
> > > unset, the fsck doesn't complain about the missing passno field any more.
> > >
> > >Thanks,
> > >Rafael
> >
> > I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig' from
> > my 2.6.26 final .config moved to that src tree.
> >
> > httpd is still being denied access to its log files and dies during the bootup.
> >
> > This is a showstopper for me.
>
> Stephen Smalley just sent me a private note. Apparently he is having
> e-mail trouble but he did point out the most likely problem. Can you
> add the patch from
>
> http://marc.info/?l=linux-kernel&m=121726661110266&w=2
>
> And give it a whirl? Sorry, but we think the problem is that the VFS
> stopped passing all of the relevant information down to the security
> system. https is only allowed to append to its log files, not actually
> 'write.' Since the VFS is longer differentiating those two operations
> you are getting then denial for write.
>
> I'll try to get this pushed into linus's tree quickly.

It's in linux-next, BTW. I'll push the next set to Linus in an hour or so.

* Re: 2.6.27-rc1: strange fstab issue (Re: 2.6.27-rc1 + selinux new options = no httpd)
From: Gene Heskett @ 2008-08-01 14:13 UTC
To: Eric Paris
Cc: Rafael J. Wysocki, James Morris, linux-kernel, Stephen Smalley, aviro

On Friday 01 August 2008, Eric Paris wrote:
>On Fri, 2008-08-01 at 09:39 -0400, Gene Heskett wrote:
>> On Thursday 31 July 2008, Rafael J. Wysocki wrote:
>> Update by Gene below.
>>
>> >On Thursday, 31 of July 2008, James Morris wrote:
>> >> On Thu, 31 Jul 2008, Gene Heskett wrote:
>> >> > >Which new options?
>> >> >
>> >> > Make xconfig-->security options:
>> >> >
>> >> > XFRM Networking security hooks
>> >> >
>> >> > and several others just below it. Unforch, I can't copy/paste the
>> >> > screen.
>> >>
>> >> I can't really imagine what that is (although if you enable the secmark
>> >> controls under the main SELinux menu, which are disabled by default,
>> >> there could be problems).
>> >
>> >On a possibly related note, I've been observing a strange issue on one of
>> >my test boxes with OpenSUSE 10.3 recently. Namely, the fsck complains
>> >that there's no passno value in the fstab, although it obviously is
>> > present.
>> >
>> >Strangely enough, if the kernel is compiled with CONFIG_SECURITY_SELINUX
>> > unset, the fsck doesn't complain about the missing passno field any
>> > more.
>> >
>> >Thanks,
>> >Rafael
>>
>> I just did a 2.6.27-rc1 rebuild on a pure, all defaults 'make oldconfig'
>> from my 2.6.26 final .config moved to that src tree.
>>
>> httpd is still being denied access to its log files and dies during the
>> bootup.
>>
>> This is a showstopper for me.
>
>Stephen Smalley just sent me a private note. Apparently he is having
>e-mail trouble but he did point out the most likely problem. Can you
>add the patch from
>
>http://marc.info/?l=linux-kernel&m=121726661110266&w=2

Bingo! The first version there was off about 10 line numbers so I just
added the "| MAY_APPEND", as the second version shows and that was it.
Thanks.

>And give it a whirl? Sorry, but we think the problem is that the VFS
>stopped passing all of the relevant information down to the security
>system. https is only allowed to append to its log files, not actually
>'write.' Since the VFS is longer differentiating those two operations
>you are getting then denial for write.
>
>I'll try to get this pushed into linus's tree quickly.

Looks like it's a good to go fix from this angle. Thanks Eric. You could
even put a tested by: Gene Heskett in it I suppose. :)

>-Eric

--
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Fashion is a form of ugliness so intolerable that we have to alter it
every six months.
-- Oscar Wilde

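Added example (not part of the thread and not kernel source): a user-space C model of the failure Eric Paris and Stephen Smalley describe above, where an append-mode open reaches the security check without its append bit and is therefore judged as a plain write. The function names, the toy AV_* bits and the one-rule policy are assumptions made for this illustration; only the MAY_* values mirror the kernel's.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>

/* Same bit values as the kernel's MAY_* flags in include/linux/fs.h. */
#define MAY_WRITE  0x2
#define MAY_READ   0x4
#define MAY_APPEND 0x8

/* Toy access-vector bits, constructed for this model. */
#define AV_READ   0x1
#define AV_WRITE  0x2
#define AV_APPEND 0x4

/* VFS side: turn open(2) flags into the mask handed to the security hook.
 * pass_append = 0 models the regression discussed in the thread, where the
 * append bit no longer reached the hook; 1 models the "| MAY_APPEND" fix. */
static int open_flags_to_mask(int flags, int pass_append)
{
    int mask = 0;
    int acc = flags & O_ACCMODE;

    if (acc == O_RDONLY || acc == O_RDWR)
        mask |= MAY_READ;
    if (acc == O_WRONLY || acc == O_RDWR)
        mask |= MAY_WRITE;
    if (pass_append && (flags & O_APPEND) && (mask & MAY_WRITE))
        mask |= MAY_APPEND;
    return mask;
}

/* Security-module side: a request carrying the append bit is checked as
 * "append"; any other write is checked as "write". */
static int mask_to_av(int mask)
{
    int av = 0;

    if (mask & MAY_READ)
        av |= AV_READ;
    if (mask & MAY_APPEND)
        av |= AV_APPEND;
    else if (mask & MAY_WRITE)
        av |= AV_WRITE;
    return av;
}

/* Constructed one-rule policy matching what the thread states:
 * httpd_t may append to httpd_log_t files, but not write them. */
static int allowed_av(const char *src, const char *tgt)
{
    if (strcmp(src, "httpd_t") == 0 && strcmp(tgt, "httpd_log_t") == 0)
        return AV_APPEND;
    return 0; /* default deny */
}

/* Returns the access-vector bits that are denied (0 means access granted). */
static int denied_av(const char *src, const char *tgt, int flags, int pass_append)
{
    int requested = mask_to_av(open_flags_to_mask(flags, pass_append));

    return requested & ~allowed_av(src, tgt);
}

int main(void)
{
    int log_open = O_WRONLY | O_APPEND | O_CREAT; /* append-mode log open */

    printf("append bit dropped: denied=0x%x\n",
           denied_av("httpd_t", "httpd_log_t", log_open, 0));
    printf("append bit passed:  denied=0x%x\n",
           denied_av("httpd_t", "httpd_log_t", log_open, 1));
    printf("plain write:        denied=0x%x\n",
           denied_av("httpd_t", "httpd_log_t", O_WRONLY, 1));
    return 0;
}
```

With the append bit passed through, the log open is granted while a plain O_WRONLY open of the same file is still denied, so restoring the bit does not widen what the policy allows.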