John Oliver wrote:
> System is a fresh install of RHEL 5.2
>
> [root@testbed ~]# service httpd start
> Starting httpd: [FAILED]
>
> [root@testbed ~]# tail -1 /var/log/messages
> Feb 23 17:33:34 testbed setroubleshoot: SELinux is preventing
> /usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t).
> For complete SELinux messages. run sealert -l
> bda3d483-5ff5-4465-a9af-c2896cd7adb0
>
> [root@testbed ~]# sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0
> Summary
> SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access
> to
> <Unknown> (httpd_t).
>
> Detailed Description
> SELinux denied access requested by /usr/sbin/httpd. It is not
> expected that
> this access is required by /usr/sbin/httpd and this access may
> signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require additional
> access.
> Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> against this
> package.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could
> try to
> restore the default system file context for <Unknown>, restorecon -v
> <Unknown>. There is currently no automatic way to allow this access.
> Instead, you can generate a local policy module to allow this access
> - see
> http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you
> can
> disable SELinux protection entirely for the application. Disabling
> SELinux
> protection is not recommended. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
> package.
> Changing the "httpd_disable_trans" boolean to true will disable
> SELinux
> protection this application: "setsebool -P httpd_disable_trans=1."
>
> The following command will allow this access:
> setsebool -P httpd_disable_trans=1
>
> Additional Information
>
> Source Context          root:system_r:httpd_t:s0
> Target Context          root:system_r:httpd_t:s0
> Target Objects          None [ process ]
> Affected RPM Packages   httpd-2.2.3-6.el5 [application]
> Policy RPM              selinux-policy-2.4.6-30.el5
> Selinux Enabled         True
> Policy Type             targeted
> MLS Enabled             True
> Enforcing Mode          Enforcing
> Plugin Name             plugins.disable_trans
> Host Name               testbed
> Platform                Linux testbed
> 2.6.18-8.el5 #1
> SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
> Alert Count             2
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { execstack } for comm="httpd" egid=0 euid=0
> exe="/usr/sbin/httpd"
> exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=15177
> scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0
> suid=0
> tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
>
>
> How am I supposed to figure out what it's unhappy about if it won't tell
> me?
>

Is there anything in the apache logs?

http://people.redhat.com/~drepper/selinux-mem.html

execstack is very rarely required and usually indicates something built
incorrectly or a hack.

You could look for libraries/binaries that require execstack by using
the following command

find /bin -exec execstack -q {} \; 2> /dev/null | grep ^X

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
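
Added example, not part of the original message and not code from Red Hat or the execstack tool: the same check as the `execstack -q` command in the reply, done by reading the PT_GNU_STACK program header directly, so it works where the execstack utility is not installed and can be pointed at any directory rather than only /bin. The names stack_marking, scan and sample_elf32 are made up for this illustration, and sample_elf32 builds constructed test input.

```python
import os, struct, sys

PT_GNU_STACK = 0x6474E551  # program header type that carries the stack flags
PF_X = 0x1                 # "executable" bit in p_flags

def stack_marking(data):
    """'X' = executable stack requested, '-' = not, '?' = no marking, None = not ELF."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return None
    is64 = data[4] == 2                          # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"           # EI_DATA: 1 = little endian
    phoff, = struct.unpack_from(end + ("Q" if is64 else "I"), data, 32 if is64 else 28)
    phentsize, phnum = struct.unpack_from(end + "HH", data, 54 if is64 else 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + 28 > len(data):                 # p_flags ends within 28 bytes in both classes
            break                                # truncated or corrupt header table
        p_type, = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            p_flags, = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
            return "X" if p_flags & PF_X else "-"
    return "?"  # no marking: the loader has to assume the stack may need to be executable

def sample_elf32(stack_flags):
    """Constructed test input: minimal little-endian ELF32 with one program header."""
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    p_type, flags = (1, 5) if stack_flags is None else (PT_GNU_STACK, stack_flags)
    return ehdr + struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, flags, 4)

def scan(paths):
    """Yield (marking, path) for each regular ELF file under the given files or dirs."""
    for top in paths:
        walker = os.walk(top) if os.path.isdir(top) else [("", [], [top])]
        for root, _dirs, files in walker:
            for path in (os.path.join(root, name) for name in files):
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                try:
                    with open(path, "rb") as fh:
                        mark = stack_marking(fh.read())
                except OSError:
                    continue                     # unreadable file: skip it
                if mark:
                    yield mark, path

if __name__ == "__main__":
    for mark, path in scan(sys.argv[1:] or ["/bin"]):
        print(mark, path)                        # filter with `grep ^X` as in the reply
```

Pass it the directories holding the libraries and modules the denied process loads; lines starting with X are the files that request an executable stack.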