apache2 failing to start

Ubaidul Khan ukhanlists at hotmail.com
Thu Aug 2 21:05:15 UTC 2007


Hello,

We are running RHEL 5 x86_64, and I compiled php from the source RPM so I could 
link php against the Oracle Instant Client libraries (OCI).  OCI is installed under 
/opt with the following contexts:

# ls -lZ
drwxr-xr-x  root root system_u:object_r:usr_t          oracle

[root at saleen_webvm1 instant-client-10.1]# pwd
/opt/oracle/app/instant-client-10.1
[root at saleen_webvm1 instant-client-10.1]# ls -alZ
drwxr-xr-x  root root system_u:object_r:usr_t          .
drwxr-xr-x  root root system_u:object_r:usr_t          ..
-rw-r--r--  root root system_u:object_r:usr_t          classes12.jar
drwxr-xr-x  root root system_u:object_r:usr_t          docs
-rw-r--r--  root root system_u:object_r:usr_t          glogin.sql
lrwxrwxrwx  root root system_u:object_r:usr_t          libclntsh.so
-rwxr-xr-x  root root system_u:object_r:usr_t          libclntsh.so.10.1
-rwxr-xr-x  root root system_u:object_r:usr_t          libnnz10.so
lrwxrwxrwx  root root system_u:object_r:usr_t          libocci.so
-rwxr-xr-x  root root system_u:object_r:usr_t          libocci.so.10.1
-rwxr-xr-x  root root system_u:object_r:usr_t          libociei.so
-rwxr-xr-x  root root system_u:object_r:usr_t          libocijdbc10.so
-rwxr-xr-x  root root system_u:object_r:usr_t          libsqlplus.so
-rw-r--r--  root root system_u:object_r:usr_t          ojdbc14.jar
-rw-r--r--  root root system_u:object_r:usr_t          README_IC.htm
drwxr-xr-x  root root system_u:object_r:usr_t          sdk
-rwxr-xr-x  root root system_u:object_r:usr_t          sqlplus
-rw-r--r--  root root system_u:object_r:usr_t          tnsnames.ora

When I try to start apache, I get some errors in audit.log and apache fails to 
start.

type=AVC msg=audit(1186086032.546:60): avc:  denied  { execstack } for  pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1186086032.546:60): arch=c000003e syscall=10 success=no exit=-13 a0=7fff9c992000 a1=1000 a2=1000007 a3=4 items=0 ppid=2851 pid=2852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186088202.755:61): avc:  denied  { execute } for  pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1186088202.755:61): arch=c000003e syscall=9 success=no exit=-13 a0=0 a1=ec0b08 a2=5 a3=802 items=0 ppid=2880 pid=2881 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC_PATH msg=audit(1186088202.755:61):  path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"

audit2allow is telling me to add the following rules:

# audit2allow < audit.log
allow httpd_t self:process execstack;
allow httpd_t usr_t:file execute;

My question/concerns are the following:

1.  What risks do I incur by making the process stack executable?
2.  If I am reading the second rule correctly, it's asking to allow httpd_t 
to execute usr_t files?

Thanks for your help


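The two denials in the post above are the two classic cases where the rule audit2allow prints is much broader than the fix actually needed: an `execstack` denial on `self:process` means the dynamic loader is trying to make the whole stack executable (syscall 10 on x86_64 is mprotect, and a2=1000007 is PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) because some loaded object carries the executable-stack flag, and an `execute` denial on a `usr_t` file means a shared library was dropped under /opt without ever being labelled as a library. The script below is an added example, not code from the original post or from the fedora-selinux-list; it parses the post's own audit records (re-joined onto single lines, embedded as constructed input), reproduces the audit2allow rule for each, and suggests the narrower remediation (clearing the flag with `execstack -c`, or relabelling the library as `textrel_shlib_t`/`lib_t` with `semanage fcontext` and `restorecon`) instead of the blanket allow. The file-context regex it builds and the choice of `textrel_shlib_t` are assumptions for illustration; verify the label against the policy on the target box before applying it.

```python
"""Triage SELinux AVC denials and propose narrower fixes than audit2allow.

Added example (not from the original mailing-list post). Only prints
suggestions; it never runs semanage/restorecon/execstack itself.
"""
import os
import re

# The two AVC records (plus the AVC_PATH record) from the post, each on one
# line. Constructed sample input for this example.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1186086032.546:60): avc:  denied  { execstack } for  pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1186086032.546:60): arch=c000003e syscall=10 success=no exit=-13 a0=7fff9c992000 a1=1000 a2=1000007 a3=4 items=0 ppid=2851 pid=2852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1186088202.755:61): avc:  denied  { execute } for  pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC_PATH msg=audit(1186088202.755:61):  path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"
"""

AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+'
    r'denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<rest>.*)$')
PATH_RE = re.compile(
    r'type=AVC_PATH\s+msg=audit\([\d.]+:(?P<serial>\d+)\):\s+path="(?P<path>[^"]*)"')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one `type=AVC` record, or None for anything else."""
    m = AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": m.group("ts"), "serial": m.group("serial"),
           "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def ctx_type(ctx):
    """'user_u:system_r:httpd_t:s0' -> 'httpd_t' (the type field of a context)."""
    return ctx.split(":")[2]


def audit2allow_rule(rec):
    """The allow rule audit2allow would print for this denial."""
    src, tgt = ctx_type(rec["scontext"]), ctx_type(rec["tcontext"])
    if tgt == src and rec["tclass"] == "process":
        tgt = "self"
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (src, tgt, rec["tclass"], perm_str)


def recommend(rec):
    """(category, advice) for the two patterns in the post; 'review' otherwise."""
    src, tgt, perms = ctx_type(rec["scontext"]), ctx_type(rec["tcontext"]), set(rec["perms"])
    if rec["tclass"] == "process" and "execstack" in perms:
        # Granting execstack turns off NX protection for the stack of every
        # httpd_t process: a stack overflow anywhere in it can run injected code.
        return ("executable-stack",
                "Do not grant execstack to %s. Find the object that requests it "
                "(execstack -q <libs>, or readelf -l <lib> | grep GNU_STACK showing RWE) "
                "and clear the flag: execstack -c <library>" % src)
    if rec["tclass"] == "file" and "execute" in perms and tgt == "usr_t":
        path = rec.get("path") or rec.get("name", "<file>")
        # Assumed regex: every .so / .so.N.N in the library's directory.
        regex = os.path.dirname(path) + r"/.*\.so(\.[0-9]+)*"
        return ("mislabelled-library",
                "%s is a shared library labelled as plain usr_t. Relabel it instead of "
                "letting %s execute every usr_t file:\n"
                "  semanage fcontext -a -t textrel_shlib_t '%s'\n"
                "  restorecon -Rv '%s'\n"
                "(lib_t suffices if the objects have no text relocations.)"
                % (path, src, regex, os.path.dirname(path)))
    return ("review", "No canned narrowing for this denial; review the rule before adding it.")


def triage(audit_text):
    """Parse a block of audit records; one finding per AVC denial, in order."""
    paths, avcs = {}, []
    for line in audit_text.splitlines():
        m = PATH_RE.match(line.strip())
        if m:
            paths[m.group("serial")] = m.group("path")
            continue
        rec = parse_avc(line)
        if rec:
            avcs.append(rec)
    findings = []
    for rec in avcs:
        rec["path"] = paths.get(rec["serial"])  # AVC_PATH shares the serial
        findings.append({"rule": audit2allow_rule(rec), "advice": recommend(rec)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT):
        print("audit2allow would add:", f["rule"])
        print("  [%s] %s\n" % f["advice"])
```

Run it as-is against the embedded records, or pipe `grep ^type=AVC /var/log/audit/audit.log` into `triage()`; anything it classifies as `review` still deserves a look at the actual process and object before the rule goes into a local policy module.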


More information about the fedora-selinux-list mailing list