Daniel J Walsh wrote:
On 08/14/2009 09:16 AM, Rob Crittenden wrote:I'm having a problem where Apache is segfaulting when SELinux is enabled because of an AVC. I'm using freeIPA which defines a mod_python handler. The AVCs are: type=AVC msg=audit(1250255388.275:27650): avc: denied { execute } for pid=7849 comm="httpd" path=2F746D702F6666696A7435517772202864656C6574656429 dev=sda1 ino=442585 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file type=AVC msg=audit(1250255388.288:27652): avc: denied { execute } for pid=7850 comm="httpd" path=2F6465762F73686D2F6666696D436E667967202864656C6574656429 dev=tmpfs ino=33960 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file audit2allow generated this: module test 1.0; require { type httpd_tmp_t; type httpd_t; type httpd_tmpfs_t; class file execute; } #============= httpd_t ============== allow httpd_t httpd_tmp_t:file execute; allow httpd_t httpd_tmpfs_t:file execute; I'm a bit stumped. What should I look for, something doing an exec, something messing in /tmp, both? thanks robApache executing something in /tmp, just feels like a very bad idea. I am not sure mod_python is doing this, but I would look for some configuration that is putting files in /tmp.
Ok, the core dumps were relatively enlightening. They at least pointed out what import things were choking on.
Turns out that the python ctypes module creates a file in /tmp and executes it. It seems, oddly enough, to actually execute gcc and ldconfig. Quite bizarre. By not importing that module it makes SELinux happy again.
rob
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
