Bug 81365 - sec-policy/selinux-apache changes for apache-2.0.52-r3
Bug#: 81365 Product:  Gentoo Linux Version: unspecified Platform: All
OS/Version: All Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: kaiowas@gentoo.org Reported By: soeren.lorenz@web.de
Component: Hardened
URL: 
Summary: sec-policy/selinux-apache changes for apache-2.0.52-r3
Keywords:  
Status Whiteboard: 
Opened: 2005-02-09 06:36 0000
Description:   Opened: 2005-02-09 06:36 0000 
Note: 2.0.52-r3 is currently hard masked. So this is somewhat work in advance.

The filenames of the executables changed to the following:

/usr/sbin # ls -la apache*
lrwxrwxrwx  apache2 -> /usr/sbin/apache2.prefork
-rwxr-xr-x  apache2.prefork
-rwxr-xr-x  apache2ctl
-rwxr-xr-x  apache2logserverstatus
-rwxr-xr-x  apache2splitlogfile

So they don't get labeled correctly anymore. This line in apache.fc should take care of httpd itself, without relabeling the support programs:

  /usr/sbin/apache(2)?(\.+.*)?                  system_u:object_r:httpd_exec_t

Further, the directive

  SSLMutex  file:logs/ssl_mutex

should be changed to

  SSLMutex  file:/var/cache/apache2/ssl_mutex

in

  /etc/apache2/modules.d/40_mod_ssl.conf

by the apache maintainers to work with the current policy.

Regards,

S

------- Comment #1 From Sören Lorenz 2005-02-09 06:36:49 0000 ------- 
Note: 2.0.52-r3 is currently hard masked. So this is somewhat work in advance.

The filenames of the executables changed to the following:

/usr/sbin # ls -la apache*
lrwxrwxrwx  apache2 -> /usr/sbin/apache2.prefork
-rwxr-xr-x  apache2.prefork
-rwxr-xr-x  apache2ctl
-rwxr-xr-x  apache2logserverstatus
-rwxr-xr-x  apache2splitlogfile

So they don't get labeled correctly anymore. This line in apache.fc should take care of httpd itself, without relabeling the support programs:

  /usr/sbin/apache(2)?(\.+.*)?                  system_u:object_r:httpd_exec_t

Further, the directive

  SSLMutex  file:logs/ssl_mutex

should be changed to

  SSLMutex  file:/var/cache/apache2/ssl_mutex

in

  /etc/apache2/modules.d/40_mod_ssl.conf

by the apache maintainers to work with the current policy.

Regards,

Sören Lorenz

------- Comment #2 From Sören Lorenz 2005-02-09 14:57:59 0000 ------- 
Correction: The symlink to the binary should not be labeled httpd_exec_t
because the daemon_domain macro doesn't allow reading symlinks of *_exec_t. So
the line has to be:

  /usr/sbin/apache(2)?\.+.*               system_u:object_r:httpd_exec_t

Regards,

S

------- Comment #3 From Sören Lorenz 2005-02-09 14:57:59 0000 ------- 
Correction: The symlink to the binary should not be labeled httpd_exec_t
because the daemon_domain macro doesn't allow reading symlinks of *_exec_t. So
the line has to be:

  /usr/sbin/apache(2)?\.+.*               system_u:object_r:httpd_exec_t

Regards,

Sören Lorenz

------- Comment #4 From Sören Lorenz 2005-02-11 10:15:23 0000 ------- 
[11:01]<DocSoLo> is it possible that bug 65053 is true again for
apache-2.0.52-r3?
...
[11:03]<Hollow> though mutex seems to be in logs again
[11:04]<DocSoLo> Hollow yep, thats what I was talking about
[11:05]<DocSoLo> this causes problems under SELinux
[11:05]<Hollow> DocSoLo: fixed in cvs. thx
[11:05]<DocSoLo> in this environment httpd is not allowed to delete its
logfiles, it can only append to it
[11:06]<DocSoLo> fine. thanks! 
...
[11:25]<DocSoLo> Hollow this wrong mutex path would possibly also come true for
the apache-1.3.x ebuilds, though i don't use them
...
[11:39]<DocSoLo> anyway if it has been like this in current 1.3.x ebuilds its
okay because i know at least one selinux dev who uses apache-1.3.x in
production under selinux - he would have complained already
[11:40]<Hollow> ok, fine then
[11:41]<DocSoLo> yep, thanks for the quick response

------- Comment #5 From petre rodan (RETIRED) 2005-02-11 12:41:58 0000 ------- 
many thanks for the bug report and for the envolvment

fixed in CVS and in >=selinux-apache-20050211.ebuild