Re: denied execheap, for httpd with zend optimizer (fc5)

Jaak Simm <jaaksimm@xxxxxxx> · Tue, 23 May 2006 11:13:41 +0300

Hi again,

Can anyone verify that Zend Optimizer generates a execheap denial in 
FC5? Or is it just my problem? Zend Optimizer is needed to run binary 
php code, which is common for commercial php projects.

Simple steps to install Zend Optimizer and verify the problem:
0. you have to have httpd and php installed (yum install httpd php)

1. Download and unpack Zend Optimizer 3
   http://www.zend.com/products/zend_optimizer
   (requires a zend.com user, which can be created  for free at the 
download site)

2. Run ./install in the unpacked dir of Zend Optimizer
   It will ask few questions, but defaults should be fine.

3. Allow execheap, give zend files correct security context, and remove 
their execstack requirement:
   setsebool allow_execheap 1
   chcon -t httpd_modules_t -u system_u `find /usr/local/Zend/lib/ 
-name \*.so`
   execstack -c `find /usr/local/Zend/lib/ -name \*.so`

4. restart httpd:
   service httpd restart

5. check /var/log/messages (whether an avc execheap denial occured, when 
httpd restarted)

Send an e-mail to the list or to me with your results. If it is a common 
problem, then I'll report a bug.

Regards,
Jaak

Jaak Simm wrote:
One additional comment. The command line version of php works with 
zend optimizer, no selinux troubles there.
Only httpd with php and zend optimizer creates the execheap problem.

The context of Zend Optimizer's .so files is:
system_u:object_r:httpd_modules_t

Is execheap allowed in some contexts and disabled in others?

Regards,
Jaak

Jaak Simm wrote:
Hi all,

I'm installing Zend Optimizer 3.0 for httpd in FC5. After giving 
correct security context with chcon and removing execstack 
requirement from its .so files I'm still stuck with "denied 
{execheap}" error in the /var/log/messages, when the httpd starts:
May 20 21:33:26 web2 kernel: audit(1148150006.772:751): avc:  denied  
{ execheap } for  pid=2584 comm="httpd" 
scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 
tclass=process

I have enabled allow_execheap:
# getsebool allow_execheap
allow_execheap --> on

Also restarted the computer, but "denied {execheap}" message is 
present and Zend Optimizer does not work.

Any comments and hints from selinux gurus, besides disabling selinux?

Thanks,
Jaak

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list