Problem with interbase (firebird-1.5) on FC4 box, httpd-2.0.54, php-interbase-5.0.4-10.5

Daniel J Walsh dwalsh at redhat.com
Mon Feb 6 16:59:28 UTC 2006


Daniel Paul wrote:
> Hello again,
>
> execstack -c /usr/lib/modules/interbase.so does not solve the problem;
> execstack -s and -c show the same behaviour (same error message, see below).
>
> Maybe some more information:
> ls -Z for interbase shows:
> -rwxr-xr-x  root     root     system_u:object_r:lib_t interbase.so
>
> BTW: /usr/lib/httpd/libphp5.so has the same context data:
> -rwxr-xr-x  root     root     system_u:object_r:lib_t libphp5.so
>
> (shouldn't it be -> t=httpd_modules_t ?)
>
> Tell me if you need more input to solve the problem...
>
> Daniel
>
>> Daniel Paul wrote:
>>     
>>> Hello there,
>>>
>>> because I need interbase (firebird) support in php, I recompiled the
>>> actual php-5.0.4-10.5 package with interbase support
>>> (--with-interbase=shared). When I start httpd there is the following
>>> message in error_log:
>>>
>>> PHP Warning:  PHP Startup: Unable to load dynamic library
>>> '/usr/lib/php/modules/interbase.so' - object requires: cannot enable
>>> executable stack as shared object requires: Permission denied in Unknown
>>> on line 0
>>>       
>> try
>>
>> execstack -c  /usr/lib/php/modules/interbase.so
>>
>> execstack is a security problem
>>
>> http://people.redhat.com/drepper/selinux-mem.html
>>
>>     
>>> phpinfo() shows that php has read the interbase.ini file which contains a
>>> reference to the interbase.so module, but interbase support is disabled
>>> (nothing shows up regarding interbase). With selinux set to permissive
>>> mode (instead of enforcing), there is no such message and phpinfo() shows
>>> me that interbase support is enabled.
>>>
>>> audit.log shows the following:
>>>
>>> type=AVC msg=audit(1138630853.033:10): avc:  denied  { execstack } for
>>> pid=1886 comm="httpd" scontext=root:system_r:httpd_t
>>> tcontext=root:system_r:httpd_t tclass=process
>>> type=SYSCALL msg=audit(1138630853.033:10): arch=40000003 syscall=125
>>> success=no exit=-13 a0=bf8a3000 a1=1000 a2=1000007 a3=d5a000 items=0
>>> pid=1886 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>>> comm="httpd" exe="/usr/sbin/httpd"
>>>
>>> Any help would be truly appreciated.
>>>
>>>       
After you execute

execstack -c /usr/lib/modules/interbase.so

Are you still seeing avc messages?

Dan
>>> Thanks in advance,
>>>
>>> Daniel
>   



