-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Oliver wrote:
> I know jack-diddly about selinux. Up until now, I've simply disabled it
> each time I ran into a headache like this. I'm having this issue on a
> RHEL5.3 machine. The problem does not show up on several existing
> RHEL5.2 machines... I don't know if that's because my predecessor knew
> the magic recipe, or because of some difference between 5.2 and 5.3
>
> [root@localhost ~]# service httpd start
> Starting httpd: httpd: Syntax error on line 209 of
> /etc/httpd/conf/httpd.conf: Syntax error on line 1 of
> /etc/httpd/conf.d/valicert.conf: Cannot load
> /etc/httpd/modules/vcapache.so into server:
> /etc/httpd/modules/vcapache.so: cannot enable executable stack as shared
> object requires: Permission denied
> [FAILED]
>
> [root@localhost ~]# tail -2 /var/log/messages
> Feb 9 12:59:54 localhost setroubleshoot: SELinux is preventing httpd
> (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux
> messages. run sealert -l d41f81b1-555f-4992-be21-4e4ac141f620
> Feb 9 13:03:10 localhost setroubleshoot: SELinux is preventing httpd
> (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux
> messages. run sealert -l 072e94cc-778b-44a7-b407-ea6616385489
>
> [root@localhost ~]# sealert -l 072e94cc-778b-44a7-b407-ea6616385489
>
> Summary:
>
> SELinux is preventing httpd (httpd_t) "execstack" to <Unknown>
> (httpd_t).
>
> Detailed Description:
>
> SELinux denied access requested by httpd. It is not expected that this
> access is required by httpd and this access may signal an intrusion
> attempt. It is also possible that the specific version or configuration
> of the application is causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can
> disable SELinux protection altogether. Disabling SELinux protection is
> not recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
> package.
>
> Additional Information:
>
> Source Context                root:system_r:httpd_t
> Target Context                root:system_r:httpd_t
> Target Objects                None [ process ]
> Source                        httpd
> Source Path                   /usr/sbin/httpd
> Port                          <Unknown>
> Host                          localhost.localdomain
> Source RPM Packages           httpd-2.2.3-22.el5
> Target RPM Packages
> Policy RPM                    selinux-policy-2.4.6-203.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   catchall
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.18-128.el5 #1 SMP
>                               Wed Dec 17 11:42:39 EST 2008 i686 i686
> Alert Count                   1
> First Seen                    Mon Feb 9 13:03:09 2009
> Last Seen                     Mon Feb 9 13:03:09 2009
> Local ID                      072e94cc-778b-44a7-b407-ea6616385489
> Line Numbers
>
> Raw Audit Messages
>
> host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc:
> denied { execstack } for pid=2957 comm="httpd"
> scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0
> tclass=process
>
> host=localhost.localdomain type=SYSCALL msg=audit(1234184589.996:31):
> arch=40000003 syscall=125 success=no exit=-13 a0=bf80d000 a1=1000
> a2=1000007 a3=fffff000 items=0 ppid=2956 pid=2957 auid=0 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="httpd"
> exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
>
> How do I make this particular module work? If I do an "ls -Z" on
> /etc/httpd/modules/ it has the same permissions as every other module...
>
> -rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_vhost_alias.so
> -rwxr-xr-x root root system_u:object_r:httpd_modules_t vcapach

It is very rare that any app would need execstack; apps having this
privilege are potentially subject to buffer overflow attack.

http://people.redhat.com/~drepper/selinux-mem.html

First thing to try is to see if the execstack flag is set on the
library; if it is, you can remove it and see if the app works.

Query
# execstack -q /etc/httpd/modules/vcapache.so

Remove
# execstack -c /etc/httpd/modules/vcapache.so

Test. If it breaks and you want to put the flag back on:
# execstack -s /etc/httpd/modules/vcapache.so

If removing the flag does not work for you, you can create custom
policy to allow vcapache to run:
# grep execstack /var/log/audit/audit.log | audit2allow -M myexecstack
# semodule -i myexecstack.pp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmR3G4ACgkQrlYvE4MpobN5iACgtrlcz7TnkjSj3yx47GYsMj/z
oRMAoMnpmN/GclT53/ynX6u0HdwwXXV4
=ARrO
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
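The reply above walks through two checks: find the execstack AVC denial in the audit log, then query whether the shared object actually carries the executable-stack flag. The POSIX shell script below is an added example, not code from the thread or from the prelink/execstack tool; it bundles both checks into reusable functions and runs them against a constructed pair of audit lines (the first mirrors the denial quoted in the thread, the second is an unrelated denial that must be ignored). The `execstack -q` output format it interprets (`X path` when the flag is set, `- path` when clear) is that of the real tool, but the library path `/etc/httpd/modules/vcapache.so` is only used as sample text here, so the script runs on a machine without that module or without `execstack` installed.

```shell
#!/bin/sh
# Added example: triage helpers for an execstack denial, mirroring the
# steps in the reply (find the AVC, then check the library flag).

# Constructed sample audit lines. Line 1 reproduces the thread's denial;
# line 2 is a different permission and must not be reported.
SAMPLE_AUDIT='type=AVC msg=audit(1234184589.996:31): avc: denied { execstack } for pid=2957 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1234184600.123:32): avc: denied { read } for pid=2999 comm="httpd" name="index.html" scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Read audit lines on stdin and print "pid comm scontext" for each
# execstack denial. This is the same filter the reply feeds to audit2allow,
# reduced to the fields a defender wants to see before allowing anything.
execstack_denials() {
    grep -F 'denied { execstack }' | sed -n \
        's/.*pid=\([0-9]*\) comm="\([^"]*\)" scontext=\([^ ]*\).*/\1 \2 \3/p'
}

# Interpret one line of `execstack -q` output:
#   "X <path>" -> executable stack flag set
#   "- <path>" -> flag clear
#   anything else (e.g. "? <path>") -> unknown
execstack_state() {
    case "$1" in
        X\ *) echo "set" ;;
        -\ *) echo "clear" ;;
        *)    echo "unknown" ;;
    esac
}

# Query a real library, but only when the execstack tool (prelink package)
# and the file both exist; otherwise report "unknown" so the script is
# safe to run offline. Clearing the flag (execstack -c) is left to the
# operator, as in the reply, after they have confirmed it is set.
check_library() {
    lib="$1"
    if command -v execstack >/dev/null 2>&1 && [ -f "$lib" ]; then
        execstack_state "$(execstack -q "$lib")"
    else
        echo "unknown"
    fi
}

# Stand-alone demo: list execstack denials from the constructed sample,
# then show the library check on the path from the thread.
printf '%s\n' "$SAMPLE_AUDIT" | execstack_denials
printf 'vcapache.so flag: %s\n' "$(check_library /etc/httpd/modules/vcapache.so)"
```

On a real host, replace the sample with `execstack_denials < /var/log/audit/audit.log` (or `ausearch -m avc` output); a denial that names a process other than the one you expect, or a library that reports `clear` while the denial persists, is worth investigating before reaching for `audit2allow`, since the custom module the reply describes grants `execstack` to every process in `httpd_t`, not just this one library.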