On Tue, Feb 10, 2009 at 02:58:38PM -0500, Daniel J Walsh wrote:
> It is very rare that any app would need execstack, apps having this
> privilege are potentially subject to buffer overflow attack.
>
> http://people.redhat.com/~drepper/selinux-mem.html
>
> First thing to try is see if the execstack flag is set on the library,
> if it is you can remove it and see if the app works.
>
> Query
>
> # execstack -q /etc/httpd/modules/vcapache.so

[root@localhost targeted]# execstack -q /etc/httpd/modules/vcapache.so
? /etc/httpd/modules/vcapache.so

> Remove
> # execstack -c /etc/httpd/modules/vcapache.so
>
> Test,

[root@localhost targeted]# service httpd start
Starting httpd: httpd: Syntax error on line 211 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load /etc/httpd/modules/vcapache.so into server: /etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc: Permission denied
[FAILED]

> If it breaks and you want to put the flag back on.
>
> # execstack -s /etc/httpd/modules/vcapache.so
>
> If removing the flag does not work for you, you can create custom policy
> to allow vcapache to run
>
> # grep execstack /var/log/audit/audit.log | audit2allow -M myexecstack
> # semodule -i myexecstack.pp

Will that make it automagically work until the day the server is
scrapped? Or do I need to put "semodule -i myexecstack.pp" in rc.local
or something? Or is there a place I can put the myexecstack.pp file
where selinux will read it each time the machine boots?

Thanks for the info!!!

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************