I know jack-diddly about selinux. Up until now, I've simply disabled it each time I ran into a headache like this.

I'm having this issue on a RHEL5.3 machine. The problem does not show up on several existing RHEL5.2 machines... I don't know if that's because my predecessor knew the magic recipe, or because of some difference between 5.2 and 5.3.

[root@localhost ~]# service httpd start
Starting httpd: httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load /etc/httpd/modules/vcapache.so into server: /etc/httpd/modules/vcapache.so: cannot enable executable stack as shared object requires: Permission denied
                                                           [FAILED]

[root@localhost ~]# tail -2 /var/log/messages
Feb 9 12:59:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l d41f81b1-555f-4992-be21-4e4ac141f620
Feb 9 13:03:10 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l 072e94cc-778b-44a7-b407-ea6616385489

[root@localhost ~]# sealert -l 072e94cc-778b-44a7-b407-ea6616385489

Summary:

SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t).

Detailed Description:

SELinux denied access requested by httpd. It is not expected that this access is required by httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                root:system_r:httpd_t
Target Context                root:system_r:httpd_t
Target Objects                None [ process ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.2.3-22.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-128.el5 #1 SMP Wed Dec 17 11:42:39 EST 2008 i686 i686
Alert Count                   1
First Seen                    Mon Feb 9 13:03:09 2009
Last Seen                     Mon Feb 9 13:03:09 2009
Local ID                      072e94cc-778b-44a7-b407-ea6616385489
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc: denied { execstack } for pid=2957 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process

host=localhost.localdomain type=SYSCALL msg=audit(1234184589.996:31): arch=40000003 syscall=125 success=no exit=-13 a0=bf80d000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=2956 pid=2957 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

How do I make this particular module work? If I do an "ls -Z" on /etc/httpd/modules/ it has the same permissions as every other module...

-rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_vhost_alias.so
-rwxr-xr-x root root system_u:object_r:httpd_modules_t vcapache.so

--
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************