On Mon, Feb 23, 2009 at 01:18:34PM -0500, Daniel J Walsh wrote:
> John Oliver wrote:
> > System is a fresh install of RHEL 5.2
> >
> > [root@testbed ~]# service httpd start
> > Starting httpd:                                            [FAILED]
> >
> > [root@testbed ~]# tail -1 /var/log/messages
> > Feb 23 17:33:34 testbed setroubleshoot: SELinux is preventing
> > /usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t).
> > For complete SELinux messages. run sealert -l
> > bda3d483-5ff5-4465-a9af-c2896cd7adb0
> >
> > [root@testbed ~]# sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0
> > Summary
> >     SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to
> >     <Unknown> (httpd_t).
> >
> > Detailed Description
> >     SELinux denied access requested by /usr/sbin/httpd. It is not expected that
> >     this access is required by /usr/sbin/httpd and this access may signal an
> >     intrusion attempt. It is also possible that the specific version or
> >     configuration of the application is causing it to require additional access.
> >     Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
> >     package.
> >
> > Allowing Access
> >     Sometimes labeling problems can cause SELinux denials. You could try to
> >     restore the default system file context for <Unknown>, restorecon -v
> >     <Unknown>. There is currently no automatic way to allow this access.
> >     Instead, you can generate a local policy module to allow this access - see
> >     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
> >     disable SELinux protection entirely for the application. Disabling SELinux
> >     protection is not recommended. Please file a
> >     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> >     Changing the "httpd_disable_trans" boolean to true will disable SELinux
> >     protection this application: "setsebool -P httpd_disable_trans=1."
> >
> >     The following command will allow this access:
> >     setsebool -P httpd_disable_trans=1
> >
> > Additional Information
> >
> > Source Context                root:system_r:httpd_t:s0
> > Target Context                root:system_r:httpd_t:s0
> > Target Objects                None [ process ]
> > Affected RPM Packages         httpd-2.2.3-6.el5 [application]
> > Policy RPM                    selinux-policy-2.4.6-30.el5
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   plugins.disable_trans
> > Host Name                     testbed
> > Platform                      Linux testbed 2.6.18-8.el5 #1
> >                               SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
> > Alert Count                   2
> > Line Numbers
> >
> > Raw Audit Messages
> >
> > avc: denied { execstack } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd"
> > exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=15177
> > scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0
> > tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
> >
> > How am I supposed to figure out what it's unhappy about if it won't tell
> > me?
> >
> Is there anything in the apache logs?

No.

> http://people.redhat.com/~drepper/selinux-mem.html
>
> execstack is very rarely required and usually indicates something built
> incorrectly or a hack.
>
> You could look for libraries/binaries that require execstack by using
> the following command
>
> find /bin -exec execstack -q {} \; 2> /dev/null | grep ^X

That returns nothing.  I cannot find anything being logged anywhere.  I
have no idea what "Unknown" is or why it won't tell me.

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
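The `execstack -q` check suggested in the thread works by reading each ELF object's PT_GNU_STACK program header: if that header carries the execute bit, the loader needs an executable stack and SELinux's `execstack` permission comes into play. The command as posted only walks /bin and keeps lines starting with `X`, while an httpd denial is just as likely to come from a shared library or Apache module the server loads. The following is an added example, not code from the thread or from the execstack tool: a stand-alone Python reimplementation of the same check that reports both `X` (executable stack requested) and `?` (no PT_GNU_STACK header at all, for which glibc's loader falls back to an executable stack on x86), and walks whole directory trees. The default path list is an assumption about where an RHEL 5 httpd would load native code from, and `make_elf`/`demo_scan` only build constructed test input.

```python
#!/usr/bin/env python3
"""Find ELF objects that need an executable stack, the way `execstack -q` does.

Added example, not code from the mailing-list thread or from the execstack tool.
Status letters follow execstack's convention: 'X' executable stack requested,
'-' non-executable stack, '?' no PT_GNU_STACK header present.
"""
import os
import struct
import sys
import tempfile

PT_GNU_STACK = 0x6474E551   # program header type that declares stack permissions
PF_X = 0x1                  # execute bit in p_flags

# Assumed places an httpd process loads native code from on RHEL 5
# (not taken from the thread; adjust for your own system).
DEFAULT_PATHS = ["/usr/sbin/httpd", "/usr/lib/httpd/modules",
                 "/usr/lib64/httpd/modules", "/usr/lib", "/usr/lib64"]


def stack_status(data):
    """Return 'X', '-' or '?' for an ELF image, or None if data is not (sane) ELF."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"            # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                              # ELFCLASS64
        if len(data) < 64:
            return None
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                              # p_flags follows p_type in Elf64_Phdr
    elif ei_class == 1:                            # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                             # p_flags is the 7th field in Elf32_Phdr
    else:
        return None
    if e_phnum and e_phentsize < flags_off + 4:
        return None                                # malformed program header size
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + e_phentsize > len(data):
            return None                            # truncated program header table
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, off + flags_off)
            return "X" if p_flags & PF_X else "-"
    return "?"   # no PT_GNU_STACK: glibc assumes an executable stack on x86


def find_execstack(paths=DEFAULT_PATHS):
    """Walk files/directories; return [(status, path)] for every 'X' or '?' object."""
    hits = []
    for top in paths:
        if os.path.isfile(top):
            candidates = [top]
        else:
            candidates = [os.path.join(d, n)
                          for d, _, names in os.walk(top) for n in names]
        for path in candidates:
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue                           # unreadable, dangling symlink, etc.
            status = stack_status(data)
            if status in ("X", "?"):
                hits.append((status, path))
    return hits


def make_elf(stack_flags, bits=64, with_stack_hdr=True):
    """Constructed test input: a minimal, non-loadable ELF whose only program
    header is PT_GNU_STACK with the given p_flags (or no program header at all)."""
    phdrs = [(PT_GNU_STACK, stack_flags)] if with_stack_hdr else []
    if bits == 64:
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
        hdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 64, 0, 0,
                          64, 56, len(phdrs), 64, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 16)
                        for t, f in phdrs)
    else:
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
        hdr = struct.pack("<16sHHIIIIIHHHHHH", ident, 3, 3, 1, 0, 52, 0, 0,
                          52, 32, len(phdrs), 40, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 16)
                        for t, f in phdrs)
    return hdr + body


def demo_scan():
    """Write constructed samples to a temp dir and scan it; returns the flagged names."""
    d = tempfile.mkdtemp()
    samples = {"ok.so": make_elf(0x6),                       # RW stack: fine
               "bad.so": make_elf(0x7),                      # RWX stack: 'X'
               "old.so": make_elf(0x6, with_stack_hdr=False),  # no header: '?'
               "notes.txt": b"not an ELF file"}
    for name, blob in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(blob)
    return sorted((s, os.path.basename(p)) for s, p in find_execstack([d]))


if __name__ == "__main__":
    for status, path in find_execstack(sys.argv[1:] or DEFAULT_PATHS):
        print(status, path)
```

Run it as root over the directories httpd actually loads from (pass them as arguments, or rely on the assumed defaults above). Anything reported as `X` is a candidate for `execstack -c <file>` or a rebuild with a proper `.note.GNU-stack` section; anything reported as `?` is also worth a look, because `grep ^X` on execstack's output silently skips those objects.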