<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.16.3">
</HEAD>
<BODY>
<BR>
# setenforce 1 (If set to 0, no following errors are generated)<BR>
# service httpd restart<BR>
&lt;Generates the following errors&gt;<BR>
<BR>
/etc/log/httpd/errors_log:<BR>
=================<BR>
PHP Warning: PHP Startup: Unable to load dynamic library<BR>
'/usr/lib/php/modules/pdf.so' - libpdf.so.6: cannot enable executable<BR>
stack as shared object requires: Permission denied in Unknown on line 0<BR>
<BR>
# ls -lZ /usr/lib/php/modules/pdf.so<BR>
-rwxr-xr-x root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/php/modules/pdf.so<BR>
<BR>
# find / -xdev -name libpdf.so.6<BR>
&lt;does not exist&gt;<BR>
<BR>
/etc/log/audit/audit_log:<BR>
===============<BR>
type=AVC msg=audit(1203285527.123:3893): avc: denied { execstack } for pid=21241 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process<BR>
type=SYSCALL msg=audit(1203285527.123:3893): arch=40000003 syscall=125 success=no exit=-13 a0=bfca1000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=21241 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)<BR>
<BR>
SEAlert:<BR>
=================================================<BR>
Summary<BR>
SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" to &lt;Unknown&gt;<BR>
(httpd_t).<BR>
<BR>
Detailed Description<BR>
SELinux denied access requested by /usr/sbin/httpd. It is not expected that<BR>
this access is required by /usr/sbin/httpd and this access may signal an<BR>
intrusion attempt. It is also possible that the specific version or<BR>
configuration of the application is causing it to require additional access.<BR>
<BR>
Allowing Access<BR>
You can generate a local policy module to allow this access - see<BR>
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable<BR>
SELinux protection altogether. Disabling SELinux protection is not<BR>
recommended. Please file a <A HREF="http://bugzilla.redhat.com/bugzilla/enter_bug.cgi">http://bugzilla.redhat.com/bugzilla/enter_bug.cgi</A><BR>
against this package.<BR>
<BR>
Additional Information <BR>
<BR>
Source Context system_u:system_r:httpd_t:s0<BR>
Target Context system_u:system_r:httpd_t:s0<BR>
Target Objects None [ process ]<BR>
Affected RPM Packages httpd-2.2.8-1.fc8 [application]<BR>
Policy RPM selinux-policy-3.0.8-84.fc8<BR>
Selinux Enabled True<BR>
Policy Type targeted<BR>
MLS Enabled True<BR>
Enforcing Mode Enforcing<BR>
Plugin Name plugins.catchall<BR>
Host Name gold.cdkkt.com<BR>
Platform Linux gold.cdkkt.com 2.6.23.15-137.fc8 #1 SMP Sun<BR>
Feb 10 17:48:34 EST 2008 i686 i686<BR>
Alert Count 10<BR>
First Seen Sun 17 Feb 2008 04:50:41 AM PST<BR>
Last Seen Sun 17 Feb 2008 01:46:21 PM PST<BR>
Local ID b2d0de85-f78b-4945-8d01-1ef26660fe47<BR>
Line Numbers <BR>
<BR>
Raw Audit Messages <BR>
<BR>
avc: denied { execstack } for comm=httpd egid=0 euid=0 exe=/usr/sbin/httpd<BR>
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=20396<BR>
scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0<BR>
suid=0 tclass=process tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0<BR>
<BR>
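Added example, not part of the original post: a small decoder that pairs the execstack AVC with its SYSCALL record and names the system call and protection flags, showing that the denied operation is an mprotect() asking for an executable, grows-down stack region. The function names are hypothetical; the flag values and the i386 syscall number are taken from the Linux headers, and the sample is a trimmed copy of the two records quoted above.

```python
import re

# Constructed sample: the AVC and SYSCALL records from the post, trimmed to the fields used.
SAMPLE = (
    'type=AVC msg=audit(1203285527.123:3893): avc: denied { execstack } for pid=21241 '
    'comm="httpd" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=process\n'
    'type=SYSCALL msg=audit(1203285527.123:3893): arch=40000003 syscall=125 success=no '
    'exit=-13 a0=bfca1000 a1=1000 a2=1000007 a3=fffff000 pid=21241 comm="httpd" '
    'exe="/usr/sbin/httpd"\n'
)

# Linux mprotect protection bits (asm-generic/mman-common.h).
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC",
        0x01000000: "PROT_GROWSDOWN", 0x02000000: "PROT_GROWSUP"}
# Only the pair needed here: AUDIT_ARCH_I386 (0x40000003), syscall 125 = mprotect.
SYSCALLS = {(0x40000003, 125): "mprotect"}

def fields(line):
    """Return the key=value pairs of one audit record as a dict (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def decode_prot(value):
    """Split a prot bitmask into named flags; unknown bits are reported in hex."""
    names = [name for bit, name in PROT.items() if value & bit]
    rest = value & ~sum(PROT)
    return names + ([hex(rest)] if rest else [])

def explain_execstack(log):
    """Pair each execstack AVC with the SYSCALL record sharing its audit event id."""
    events = {}
    for line in log.splitlines():
        m = re.search(r'msg=audit\(([\d.]+:\d+)\)', line)
        if m:
            events.setdefault(m.group(1), []).append(line)
    out = []
    for eid, lines in events.items():
        avc = next((l for l in lines if "type=AVC" in l and "{ execstack }" in l), None)
        sc = next((fields(l) for l in lines if l.startswith("type=SYSCALL")), None)
        if avc and sc:
            name = SYSCALLS.get((int(sc["arch"], 16), int(sc["syscall"])), "unknown")
            out.append({"event": eid, "exe": sc["exe"], "syscall": name,
                        "addr": int(sc["a0"], 16), "length": int(sc["a1"], 16),
                        "prot": decode_prot(int(sc["a2"], 16))})
    return out

if __name__ == "__main__":
    for e in explain_execstack(SAMPLE):
        print(e)
```

The decoded call, mprotect with PROT_EXEC and PROT_GROWSDOWN, is consistent with the "cannot enable executable stack as shared object requires" message in the PHP warning.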
</BODY>
</HTML>