Re: [F8] (Re)Starting httpd reveals php pdf.so stack permission errors...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Daniel B. Thurman wrote:
> # setenforce 1  (If set to 0, no following errors are generated)
> # service httpd restart
> <Generates the following errors>
> 
> /etc/log/httpd/errors_log:
> =================
> PHP Warning:  PHP Startup: Unable to load dynamic library
> '/usr/lib/php/modules/pdf.so' - libpdf.so.6: cannot enable executable
> stack as shared object requires: Permission denied in Unknown on line 0
> 
> # ls -lZ /usr/lib/php/modules/pdf.so
> -rwxr-xr-x  root root
> system_u:object_r:textrel_shlib_t:s0 /usr/lib/php/modules/pdf.so
> 
> # find / -xdev -name libpdf.so.6
> <does not exist>
> 
> /etc/log/audit/audit_log:
> ===============
> type=AVC msg=audit(1203285527.123:3893): avc:  denied  { execstack } for
> pid=21241 comm="httpd" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:system_r:httpd_t:s0 tclass=process
> type=SYSCALL msg=audit(1203285527.123:3893): arch=40000003 syscall=125
> success=no exit=-13 a0=bfca1000 a1=1000 a2=1000007 a3=fffff000 items=0
> ppid=1 pid=21241 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> subj=system_u:system_r:httpd_t:s0 key=(null)
> 
> SEAlert:
> =================================================
> Summary
>     SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" to
> <Unknown>
>     (httpd_t).
> 
> Detailed Description
>     SELinux denied access requested by /usr/sbin/httpd. It is not
> expected that
>     this access is required by /usr/sbin/httpd and this access may
> signal an
>     intrusion attempt. It is also possible that the specific version or
>     configuration of the application is causing it to require additional
> access.
> 
> Allowing Access
>     You can generate a local policy module to allow this access - see
>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can
> disable
>     SELinux protection altogether. Disabling SELinux protection is not
>     recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>     against this package.
> 
> Additional Information        
> 
> Source Context                system_u:system_r:httpd_t:s0
> Target Context                system_u:system_r:httpd_t:s0
> Target Objects                None [ process ]
> Affected RPM Packages         httpd-2.2.8-1.fc8 [application]
> Policy RPM                    selinux-policy-3.0.8-84.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall
> Host Name                     gold.cdkkt.com
> Platform                      Linux gold.cdkkt.com 2.6.23.15-137.fc8 #1
> SMP Sun
>                               Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count                   10
> First Seen                    Sun 17 Feb 2008 04:50:41 AM PST
> Last Seen                     Sun 17 Feb 2008 01:46:21 PM PST
> Local ID                      b2d0de85-f78b-4945-8d01-1ef26660fe47
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { execstack } for comm=httpd egid=0 euid=0
> exe=/usr/sbin/httpd
> exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=20396
> scontext=system_u:system_r:httpd_t:s0 sgid=0
> subj=system_u:system_r:httpd_t:s0
> suid=0 tclass=process tcontext=system_u:system_r:httpd_t:s0 tty=(none)
> uid=0
> 
> 
> 
> 
> ------------------------------------------------------------------------
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

This should be reported as a bug to whoever supplied
/usr/lib/php/modules/pdf.so


You can try
execstack -c /usr/lib/php/modules/pdf.so

And see if that removes th problem.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAke5ltAACgkQrlYvE4MpobMdyACeKMpU5KQQYKxXsuC/6dEflZhh
N1wAoINBYK6BTSuYC/9Kcg4zuW//9D9w
=n+th
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux