server locked up

Support for security such as Firewalls and securing linux
Tony
Posts: 16
Joined: 2005/05/24 20:44:11

server locked up

Post by Tony » 2005/07/04 12:42:39

This morning my server decided to lock up - and accessing anything (but SSH via IP) was denied.

I did a reboot and nothing changed, so I did a '#setenforce 0' and most of the server came back online, but I still have my other virtual domains and mail etc. which are down.

Amongst other things my logs show this...

[quote]
Jul 4 13:05:02 zippy kernel: audit(1120478702.174:0): avc: denied { read } for pid=4078 exe=/usr/sbin/httpd name=www dev=dm-0 ino=4571154 scontext=user_u:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=lnk_file
Jul 4 13:05:06 zippy kernel: audit(1120478706.132:0): avc: denied { getattr } for pid=8019 exe=/usr/sbin/httpd path=/home/fertilit/www dev=dm-0 ino=4571154 scontext=user_u:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=lnk_file
Jul 4 13:05:21 zippy crond(pam_unix)[16363]: session closed for user root
Jul 4 13:06:50 zippy kernel: audit(1120478810.874:0): avc: denied { read write } for pid=17483 exe=/usr/sbin/rndc path=/var/webmin/sessiondb.pag dev=dm-0 ino=5373976 scontext=root:system_r:ndc_t tcontext=root:object_r:var_t tclass=file
Jul 4 13:06:50 zippy kernel: audit(1120478810.874:0): avc: denied { execute } for pid=17483 path=/etc/ld.so.cache dev=dm-0 ino=5736565 scontext=root:system_r:ndc_t tcontext=root:object_r:ld_so_cache_t tclass=file
Jul 4 13:07:30 zippy named[3762]: zone fertilityfriends.com/IN: loaded serial 2005060221
Jul 4 13:07:30 zippy named[3762]: zone fertilityfriends.com/IN: sending notifies (serial 2005060221)
Jul 4 13:07:59 zippy kernel: audit(1120478879.933:0): avc: denied { getattr } for pid=3877 exe=/usr/sbin/httpd path=/home/friends/public_html/index.php dev=dm-0 ino=4620297 scontext=user_u:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Jul 4 13:07:59 zippy kernel: audit(1120478879.934:0): avc: denied { read } for pid=3877 exe=/usr/sbin/httpd name=eaccelerator-86746.7920264 dev=dm-0 ino=5439890 scontext=user_u:system_r:httpd_t tcontext=root:object_r:var_t tclass=file
Jul 4 13:07:59 zippy kernel: audit(1120478879.941:0): avc: denied { lock } for pid=3877 exe=/usr/sbin/httpd path=/var/cache/php-eaccelerator/eaccelerator-86746.7920264 dev=dm-0 ino=5439890 scontext=user_u:system_r:httpd_t tcontext=root:object_r:var_t tclass=file
Jul 4 13:08:01 zippy crond(pam_unix)[17862]: session opened for user root by (uid=0)
Jul 4 13:09:21 zippy crond(pam_unix)[17862]: session closed for user root
Jul 4 13:10:01 zippy crond(pam_unix)[18516]: session opened for user root by (uid=0)
Jul 4 13:10:01 zippy crond(pam_unix)[18517]: session opened for user root by (uid=0)
Jul 4 13:10:01 zippy crond(pam_unix)[18517]: session closed for user root
Jul 4 13:10:01 zippy crond(pam_unix)[18516]: session closed for user root
Jul 4 13:11:54 zippy kernel: audit(1120479114.055:0): avc: denied { unlink } for pid=7285 exe=/usr/sbin/httpd name=eaccelerator-user-bd6d1850f6467176493453814f0944d4 dev=dm-0 ino=5441941 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_t tclass=file
Jul 4 13:11:54 zippy kernel: audit(1120479114.055:0): avc: denied { create } for pid=7285 exe=/usr/sbin/httpd name=eaccelerator-user-bd6d1850f6467176493453814f0944d4 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_t tclass=file
Jul 4 13:11:54 zippy kernel: audit(1120479114.055:0): avc: denied { lock } for pid=7285 exe=/usr/sbin/httpd path=/var/cache/php-eaccelerator/eaccelerator-user-bd6d1850f6467176493453814f0944d4 dev=dm-0 ino=5441941 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_t tclass=file
Jul 4 13:11:54 zippy kernel: audit(1120479114.055:0): avc: denied { write } for pid=7285 exe=/usr/sbin/httpd path=/var/cache/php-eaccelerator/eaccelerator-user-bd6d1850f6467176493453814f0944d4 dev=dm-0 ino=5441941 scontext=user_u:system_r:httpd_t tcontext=user_u:object_r:var_t tclass=file
Jul 4 13:12:01 zippy crond(pam_unix)[19512]: session opened for user root by (uid=0)
Jul 4 13:12:17 zippy kernel: audit(1120479137.528:0): avc: denied { unlink } for pid=4081 exe=/usr/sbin/httpd name=eaccelerator-user-a84ad910b1c6efeab4422b827621c529 dev=dm-0 ino=4918073 scontext=user_u:system_r:httpd_t tcontext=root:object_r:var_t tclass=file
Jul 4 13:12:30 zippy kernel: audit(1120479150.108:0): avc: denied { execute } for pid=19676 exe=/bin/bash name=sendmail dev=dm-0 ino=73406 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:root_t tclass=file
Jul 4 13:12:30 zippy kernel: audit(1120479150.108:0): avc: denied { execute_no_trans } for pid=19676 exe=/bin/bash path=/usr/sbin/sendmail dev=dm-0 ino=73406 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:root_t tclass=file
Jul 4 13:12:30 zippy kernel: audit(1120479150.108:0): avc: denied { read } for pid=19676 exe=/bin/bash path=/usr/sbin/sendmail dev=dm-0 ino=73406 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:root_t tclass=file
Jul 4 13:12:30 zippy kernel: audit(1120479150.109:0): avc: denied { create } for pid=19676 exe=/usr/sbin/sendmail scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
Jul 4 13:12:30 zippy kernel: audit(1120479150.110:0): avc: denied { connect } for pid=19676 exe=/usr/sbin/sendmail scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:httpd_sys_script_t tclass=unix_dgram_socket
Jul 4 13:12:30 zippy kernel: audit(1120479150.110:0): avc: denied { write } for pid=19676 exe=/usr/sbin/sendmail name=log dev=tmpfs ino=5225 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:object_r:devlog_t tclass=sock_file
Jul 4 13:12:32 zippy kernel: audit(1120479152.698:0): avc: denied { write } for pid=3871 exe=/usr/sbin/httpd name=php-eaccelerator dev=dm-0 ino=5439887 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=dir
Jul 4 13:12:32 zippy kernel: audit(1120479152.698:0): avc: denied { remove_name } for pid=3871 exe=/usr/sbin/httpd name=eaccelerator-user-b1125416945554d9722ab0ac9ba22d4b dev=dm-0 ino=5441973 scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=dir
Jul 4 13:12:32 zippy kernel: audit(1120479152.699:0): avc: denied { add_name } for pid=3871 exe=/usr/sbin/httpd name=eaccelerator-user-b1125416945554d9722ab0ac9ba22d4b scontext=user_u:system_r:httpd_t tcontext=system_u:object_r:var_t tclass=dir
Jul 4 13:13:21 zippy crond(pam_unix)[19512]: session closed for user root
Jul 4 13:13:29 zippy kernel: audit(1120479209.686:0): avc: denied { sendto } for pid=20006 exe=/usr/sbin/postdrop path=/dev/log scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:system_r:syslogd_t tclass=unix_dgram_socket
Jul 4 13:14:29 zippy kernel: audit(1120479269.691:0): avc: denied { write } for pid=20006 exe=/usr/sbin/postdrop name=maildrop dev=dm-0 ino=5505062 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:var_spool_t tclass=dir
Jul 4 13:14:29 zippy kernel: audit(1120479269.691:0): avc: denied { add_name } for pid=20006 exe=/usr/sbin/postdrop name=692998.20006 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:var_spool_t tclass=dir
Jul 4 13:14:29 zippy kernel: audit(1120479269.691:0): avc: denied { remove_name } for pid=20006 exe=/usr/sbin/postdrop name=692998.20006 dev=dm-0 ino=5505100 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:var_spool_t tclass=dir
Jul 4 13:14:29 zippy kernel: audit(1120479269.693:0): avc: denied { getattr } for pid=20006 exe=/usr/sbin/postdrop path=/var/spool/postfix/public/pickup dev=dm-0 ino=5505068 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:object_r:var_spool_t tclass=fifo_file
Jul 4 13:14:29 zippy kernel: audit(1120479269.694:0): avc: denied { write } for pid=20006 exe=/usr/sbin/postdrop name=pickup dev=dm-0 ino=5505068 scontext=user_u:system_r:httpd_sys_script_t tcontext=user_u:object_r:var_spool_t tclass=fifo_file
[/quote]

It seems to me that SELinux is going a little crazy :(

I'm tempted to disable SELinux altogether.

Should I attempt to troubleshoot this (it will take me an age) or perhaps just turn off SELinux?

Any thoughts appreciated.

Tony

hughesjr
Site Admin
Posts: 250
Joined: 2004/12/05 01:51:26
Location: Corpus Christi, Texas, USA

server locked up

Post by hughesjr » 2005/07/04 17:07:37

First thing I would do is figure out what changed on the server to cause the issue. Nothing should have changed without action on your part.

You can then make SELinux be in [b]permissive[/b] mode by editing [b]/etc/sysconfig/selinux[/b] ... so you get the errors in the logs, but nothing is blocked. You can then solve the issues and enable SELinux as you wish.
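The step after switching to permissive mode is reading the AVC lines the kernel keeps logging. As an added example (not from this thread or from CentOS), here is a small Python script that parses denial lines in the format Tony posted and groups them by source domain, target type and object class, so that a cluster such as httpd_t touching user_home_t under /home stands out from one-off noise. The sample lines are constructed to match the shapes in the log above.

```python
import re
from collections import defaultdict

# Matches the CentOS 4 era kernel audit/AVC line seen in the thread:
# "audit(...): avc: denied { perms } for pid=... scontext=... tcontext=... tclass=..."
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: three AVC lines shaped like the poster's log plus one
# unrelated cron line, so the parser is exercised on mixed syslog input.
SAMPLE_LOG = """\
Jul 4 13:05:02 zippy kernel: audit(1120478702.174:0): avc: denied { read } for pid=4078 exe=/usr/sbin/httpd name=www dev=dm-0 ino=4571154 scontext=user_u:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=lnk_file
Jul 4 13:05:21 zippy crond(pam_unix)[16363]: session closed for user root
Jul 4 13:07:59 zippy kernel: audit(1120478879.933:0): avc: denied { getattr } for pid=3877 exe=/usr/sbin/httpd path=/home/friends/public_html/index.php dev=dm-0 ino=4620297 scontext=user_u:system_r:httpd_t tcontext=root:object_r:user_home_t tclass=file
Jul 4 13:12:30 zippy kernel: audit(1120479150.108:0): avc: denied { execute } for pid=19676 exe=/bin/bash name=sendmail dev=dm-0 ino=73406 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:root_t tclass=file
"""

def parse_avc(line):
    """Return a dict of fields for an AVC denial line, or None for any other syslog line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = tuple(m.group("perms").split())
    # Keep only the type component of each context (user:role:type).
    rec["sdomain"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Group denials by (source domain, target type, class); collect permissions and objects."""
    groups = defaultdict(lambda: {"count": 0, "perms": set(), "objects": set()})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["sdomain"], rec["ttype"], rec["tclass"])]
        g["count"] += 1
        g["perms"].update(rec["perms"])
        g["objects"].add(rec.get("path") or rec.get("name", "?"))
    return dict(groups)

if __name__ == "__main__":
    for (src, tgt, cls), g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src} -> {tgt} ({cls}): {g['count']}x {sorted(g['perms'])} {sorted(g['objects'])}")
```

Run it over /var/log/messages instead of the constructed sample to get the same grouping for a real box; repeated hits on one (domain, type) pair usually point at a labelling problem on that path rather than at SELinux itself.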

Tony
Posts: 16
Joined: 2005/05/24 20:44:11

Re: server locked up

Post by Tony » 2005/07/04 19:27:50

I managed to get the server working by disabling SELinux with '#setenforce 0', although it still didn't want to play, so I rebooted the machine - and then noticed that my ns wasn't responding (it's on the same box :() - I checked my eth:0 and saw that the IPs I use for ns1 & NS2 were not there.

Tonight I added them back and restarted named and httpd

It all started working again.

I'm now looking at the logs to see what happened :)
