selinux denying access to "unknown"

John Oliver joliver at john-oliver.net
Mon Feb 23 17:53:14 UTC 2009


System is a fresh install of RHEL 5.2

[root at testbed ~]# service httpd start
Starting httpd:                                            [FAILED]

[root at testbed ~]# tail -1 /var/log/messages
Feb 23 17:33:34 testbed setroubleshoot:      SELinux is preventing
/usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t).
For complete SELinux messages. run sealert -l
bda3d483-5ff5-4465-a9af-c2896cd7adb0

[root at testbed ~]# sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0
Summary
    SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access
to
    <Unknown> (httpd_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/httpd. It is not
expected that
    this access is required by /usr/sbin/httpd and this access may
signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional
access.
    Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
against this
    package.

Allowing Access
    Sometimes labeling problems can cause SELinux denials.  You could
try to
    restore the default system file context for <Unknown>, restorecon -v
    <Unknown>. There is currently no automatic way to allow this access.
    Instead, you can generate a local policy module to allow this access
- see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you
can
    disable SELinux protection entirely for the application. Disabling
SELinux
    protection is not recommended. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
package.
    Changing the "httpd_disable_trans" boolean to true will disable
SELinux
    protection this application: "setsebool -P httpd_disable_trans=1."

    The following command will allow this access:
    setsebool -P httpd_disable_trans=1

Additional Information

Source Context                root:system_r:httpd_t:s0
Target Context                root:system_r:httpd_t:s0
Target Objects                None [ process ]
Affected RPM Packages         httpd-2.2.3-6.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     testbed
Platform                      Linux testbed
2.6.18-8.el5 #1
                              SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
Alert Count                   2
Line Numbers

Raw Audit Messages

avc: denied { execstack } for comm="httpd" egid=0 euid=0
exe="/usr/sbin/httpd"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=15177
scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0
suid=0
tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0

How am I supposed to figure out what it's unhappy about if it won't tell
me?

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************
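As an added example (not part of the post), a small Python parser for the raw audit message quoted above. It shows why the target is reported as <Unknown>: the record has tclass=process and the target context equals the source context, so the object being checked is httpd's own process, not a file with a path. The permission hints are the standard meanings of the execstack/execmem/execheap process permissions.

```python
import re

# Raw AVC message from the post, re-joined onto one line (constructed sample input).
AVC_SAMPLE = (
    'avc: denied { execstack } for comm="httpd" egid=0 euid=0 '
    'exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=15177 '
    'scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 '
    'suid=0 tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0'
)

_HEAD = re.compile(r'avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}')
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values or bare tokens like (none)

# What the process-class permissions mean when denied to the process itself.
PROCESS_PERM_HINTS = {
    "execstack": "make its own stack executable (typically because a loaded "
                 "shared object or module is flagged as needing an executable stack)",
    "execmem": "map memory that is both writable and executable",
    "execheap": "make its heap executable",
}


def parse_avc(line):
    """Return the AVC record as a dict: result, perms list, and every key=value field."""
    m = _HEAD.search(line)
    if not m:
        raise ValueError("not an AVC record")
    rec = {"result": m.group(1), "perms": m.group(2).split()}
    for key, val in _KV.findall(line[m.end():]):
        rec[key] = val.strip('"')
    return rec


def explain_target(rec):
    """Say what the <Unknown> target really is and what the process tried to do."""
    if rec.get("tclass") == "process" and rec.get("scontext") == rec.get("tcontext"):
        what = "; ".join(PROCESS_PERM_HINTS.get(p, p) for p in rec["perms"])
        return ("target is the %s process itself (pid %s), so no file path is logged; "
                "it tried to %s" % (rec.get("comm"), rec.get("pid"), what))
    return "target is %s of class %s" % (rec.get("name", rec.get("tcontext")),
                                         rec.get("tclass"))


if __name__ == "__main__":
    print(explain_target(parse_avc(AVC_SAMPLE)))
```

With this in hand, the next check is which shared object loaded by httpd carries the executable-stack flag, since that is what triggers the execstack request.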



