Hello,
We are running RHEL 5 x86_64 and I compiled php from Source RPM, so I could
link php with Oracle Instant Client Libraries (oci). OCI is installed under
/opt with the following contexts:
# ls -lZ
drwxr-xr-x root root system_u:object_r:usr_t oracle
[root@saleen_webvm1 instant-client-10.1]# pwd
/opt/oracle/app/instant-client-10.1
[root@saleen_webvm1 instant-client-10.1]# ls -alZ
drwxr-xr-x root root system_u:object_r:usr_t .
drwxr-xr-x root root system_u:object_r:usr_t ..
-rw-r--r-- root root system_u:object_r:usr_t classes12.jar
drwxr-xr-x root root system_u:object_r:usr_t docs
-rw-r--r-- root root system_u:object_r:usr_t glogin.sql
lrwxrwxrwx root root system_u:object_r:usr_t libclntsh.so
-rwxr-xr-x root root system_u:object_r:usr_t libclntsh.so.10.1
-rwxr-xr-x root root system_u:object_r:usr_t libnnz10.so
lrwxrwxrwx root root system_u:object_r:usr_t libocci.so
-rwxr-xr-x root root system_u:object_r:usr_t libocci.so.10.1
-rwxr-xr-x root root system_u:object_r:usr_t libociei.so
-rwxr-xr-x root root system_u:object_r:usr_t libocijdbc10.so
-rwxr-xr-x root root system_u:object_r:usr_t libsqlplus.so
-rw-r--r-- root root system_u:object_r:usr_t ojdbc14.jar
-rw-r--r-- root root system_u:object_r:usr_t README_IC.htm
drwxr-xr-x root root system_u:object_r:usr_t sdk
-rwxr-xr-x root root system_u:object_r:usr_t sqlplus
-rw-r--r-- root root system_u:object_r:usr_t tnsnames.ora
When I try to start Apache, I get some errors in audit.log and Apache fails to
start.
type=AVC msg=audit(1186086032.546:60): avc: denied { execstack } for
pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1186086032.546:60): arch=c000003e syscall=10
success=no exit=-13 a0=7fff9c992000 a1=1000 a2=1000007 a3=4 items=0
ppid=2851 pid=2852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186088202.755:61): avc: denied { execute } for
pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
type=SYSCALL msg=audit(1186088202.755:61): arch=c000003e syscall=9
success=no exit=-13 a0=0 a1=ec0b08 a2=5 a3=802 items=0 ppid=2880 pid=2881
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0
key=(null)
type=AVC_PATH msg=audit(1186088202.755:61):
path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"
audit2allow is telling me to add the following rules:
# audit2allow < audit.log
allow httpd_t self:process execstack;
allow httpd_t usr_t:file execute;
My question/concerns are the following:
1. What risks do I incur by making the process stack executable?
2. If I am reading the second rule correctly, it's asking to allow httpd_t
to execute user_t files?
Thanks for your help
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
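
Added example, not part of the original post: a small parser that rejoins the mail-wrapped audit records above, groups them by audit event id, and attaches the AVC_PATH path to its denial, so each rule audit2allow proposes can be read against the exact permission, type and file that triggered it. The function names and the SAMPLE constant are hypothetical; the sample text is constructed from the records quoted in the post.

```python
import re
from collections import defaultdict

# Constructed sample: denials from the post, wrapped the way the mail client
# wrapped them, so records have to be rejoined before parsing.
SAMPLE = """\
type=AVC msg=audit(1186086032.546:60): avc: denied { execstack } for
pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0
tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1186088202.755:61): avc: denied { execute } for
pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819
scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0
tclass=file
type=AVC_PATH msg=audit(1186088202.755:61):
path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"
"""

RECORD = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+:\d+)\):(.*)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def rejoin(text):
    """Merge wrapped lines: a new record starts only at 'type='."""
    records = []
    for line in text.splitlines():
        if line.startswith("type=") or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def summarize(text):
    """Return {event_id: denial details}, with AVC_PATH merged into its AVC."""
    events = defaultdict(dict)
    for rec in rejoin(text):
        m = RECORD.match(rec)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        ev = events[event_id]
        if rtype == "AVC":
            ev["perms"] = re.search(r"\{([^}]*)\}", body).group(1).split()
            for key in ("comm", "scontext", "tcontext", "tclass"):
                ev[key] = fields.get(key)
            # The SELinux type is the third colon-separated field of a context.
            ev["source_type"] = fields["scontext"].split(":")[2]
            ev["target_type"] = fields["tcontext"].split(":")[2]
        elif rtype == "AVC_PATH":
            ev["path"] = fields.get("path")
    return dict(events)
```

Calling summarize() on the audit.log text shows that the execute denial concerns one file under /opt labelled usr_t, while the rule audit2allow printed covers every file of that type.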