denied execheap, for httpd with zend optimizer (fc5)
Daniel J Walsh
dwalsh at redhat.com
Wed May 24 15:35:30 UTC 2006
Jaak Simm wrote:
> Hi again,
>
> Can anyone verify that Zend Optimizer generates an execheap denial in
> FC5? Or is it just my problem? Zend Optimizer is needed to run binary
> php code, which is common for commercial php projects.
>
> Simple steps to install Zend Optimizer and verify the problem:
> 0. you have to have httpd and php installed (yum install httpd php)
>
> 1. Download and unpack Zend Optimizer 3
> http://www.zend.com/products/zend_optimizer
> (requires a zend.com user, which can be created for free at the
> download site)
>
> 2. Run ./install in the unpacked dir of Zend Optimizer
> It will ask a few questions, but defaults should be fine.
>
> 3. Allow execheap, give zend files correct security context, and
> remove their execstack requirement:
> setsebool allow_execheap 1
> chcon -t httpd_modules_t -u system_u `find /usr/local/Zend/lib/ -name \*.so`
> execstack -c `find /usr/local/Zend/lib/ -name \*.so`
allow_execheap only affects "unconfined" processes. If you want this
rule for httpd you will need to build a policy module.

    grep execheap /var/log/messages | audit2allow -M Zend
    semodule -i Zend.pp

Should add this rule.
You might want to read up on execheap on the following
http://people.redhat.com/~drepper/selinux-mem.html
And report this as a bug to the Zend people.
>
> 4. restart httpd:
> service httpd restart
>
> 5. check /var/log/messages (whether an avc execheap denial occurred,
> when httpd restarted)
>
> Send an e-mail to the list or to me with your results. If it is a
> common problem, then I'll report a bug.
>
> Regards,
> Jaak
>
> Jaak Simm wrote:
>> One additional comment. The command line version of php works with
>> zend optimizer, no selinux troubles there.
>> Only httpd with php and zend optimizer creates the execheap problem.
>>
>> The context of Zend Optimizer's .so files is:
>> system_u:object_r:httpd_modules_t
>>
>> Is execheap allowed in some contexts and disabled in others?
>>
>> Regards,
>> Jaak
>>
>> Jaak Simm wrote:
>>> Hi all,
>>>
>>> I'm installing Zend Optimizer 3.0 for httpd in FC5. After giving
>>> correct security context with chcon and removing execstack
>>> requirement from its .so files I'm still stuck with "denied
>>> {execheap}" error in the /var/log/messages, when the httpd starts:
>>> May 20 21:33:26 web2 kernel: audit(1148150006.772:751): avc:
>>> denied { execheap } for pid=2584 comm="httpd"
>>> scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0
>>> tclass=process
>>>
>>> I have enabled allow_execheap:
>>> # getsebool allow_execheap
>>> allow_execheap --> on
>>>
>>> Also restarted the computer, but "denied {execheap}" message is
>>> present and Zend Optimizer does not work.
>>>
>>> Any comments and hints from selinux gurus, besides disabling selinux?
>>>
>>> Thanks,
>>> Jaak
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>
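
An added example, not part of the original message and not audit2allow's own code: a stand-alone Python illustration of the translation the audit2allow step in the reply performs, applied to the denial quoted in the thread, with memory-protection permissions such as execheap marked for review before the module is loaded. The function names and the module name `Zend` passed in are assumptions of this example.

```python
import re
from collections import defaultdict

# Memory-protection permissions (see the selinux-mem document linked in the reply).
MEMORY_PERMS = {"execheap", "execmem", "execmod", "execstack"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<cls>\S+)"
)

# The denial quoted in the thread, line-wrapped as it appears there.
SAMPLE_LOG = """\
May 20 21:33:26 web2 kernel: audit(1148150006.772:751): avc:
denied { execheap } for pid=2584 comm="httpd"
scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0
tclass=process
"""

def context_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Group denied permissions by (source type, target type, object class)."""
    rules = defaultdict(set)
    # Collapse whitespace first so records wrapped across lines still match.
    for m in AVC_RE.finditer(" ".join(log_text.split())):
        key = (context_type(m["s"]), context_type(m["t"]), m["cls"])
        rules[key].update(m["perms"].split())
    return rules

def render_module(name, rules):
    """Render policy module source (.te text) that allows the grouped denials."""
    types = sorted({s for s, _, _ in rules} | {t for _, t, _ in rules})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls] |= perms
    out = [f"module {name} 1.0;", "", "require {"]
    out += [f"\ttype {t};" for t in types]
    out += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, cls), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt  # a domain acting on itself
        note = "  # memory-protection permission: review first" if perms & MEMORY_PERMS else ""
        out.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};{note}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(render_module("Zend", parse_denials(SAMPLE_LOG)))
```
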