apache2 failing to start

Ken YANG spng.yang at gmail.com
Wed Aug 15 10:59:44 UTC 2007


Ubaidul Khan wrote:
> Ken,
> 
> Thank you for your response.
> 
>> you can first use execstack to check whether your program really need
>> executable stack(you must have prelink firstly):
> 
> I checked to see if the library requires executable stack and execstack
> returns unknown(? - when it is unknown whether the object  requires  or 
> doesn't  require  exe-cutable stack).
> 
> # execstack -q libclntsh.so.10.1
> ? libclntsh.so.10.1

sorry for reply late, i had just finished a business trip for more than
10 days.

"?" is outputted, if your lib has not PT_GNU_STACK, and "-", if your
lib need not to be exectuable.

> 
> I don't think it was prelinked since these libraries are distributed by
> oracle as binary files( all I did was downloaded the archive from
> oracle's website and extracted them into
> /opt/oracle/app/instant-client-10.1).  Then I downloaded the
> php-5.1.6-11 SRPM and linked against the oci libraries in the following
> manner:
> 
> configure \
>  --with-oci8=instantclient,/opt/oracle/app/instant-client-10.1/

even if the libraries are distributed by third party, it will also be
prelinked, because prelink is run in cron job.

> 
>> i wonder why is your libraries usr_t, not lib_t, if your libs are
>> lib_t, httpd_t can execute those files
> 
> I think this happened because I made the directory path
> /opt/oracle/app/instant-client-10.1/ as root.  This path inherited the
> default context.  I imagine it would be more sensible to store the
> libraries in /usr/lib or /usr/lib64.

no, those should be labeled with lib_t, in fs with extended attribute
support, the context will inherit from containing directory and creating
process, if no corresponding transition policy.

you can restorecon all files the package install

> 
> I am still puzzled by the executable stack dilemma.  I noticed this goes
> away, when disable selinux(setenforce 0).

you should never disable selinux, if you want to test your package, you
can make selinux permissive, in which selinux will not prohibit anything
and still generate audit messages. but your command is right,
"setenforce 0" will make selinux in permissive mode.

executable stack is normal, many programs need that, e.g. nested
function. beside the methods i mentioned, you also can label your
program with "unconfined_execmem_exec_t" to run:

chcon -t unconfined_execmem_exec_t PROGRAM

or

runcon -c -t unconfined_execmem_exec_t PROGRAM ...



> 
> Look forward to your correspondence.
> 
>> From: Ken YANG <spng.yang at gmail.com>
>> To: Ubaidul Khan <ukhanlists at hotmail.com>
>> CC: fedora-selinux-list at redhat.com
>> Subject: Re: apache2 failing to start
>> Date: Fri, 03 Aug 2007 13:10:27 +0800
>>
>> Ubaidul Khan wrote:
>> > Hello,
>> >
>> > We are running RHEL 5 x86_64 and I compiled php from Source RPM, so I
>> > could link php with Oracle Instant Client Libraries(oci).  OCI is
>> > installed under /opt with the following contexts:
>> >
>> > # ls -lZ
>> > drwxr-xr-x  root root system_u:object_r:usr_t          oracle
>> >
>> > [root at saleen_webvm1 instant-client-10.1]# pwd
>> > /opt/oracle/app/instant-client-10.1
>> > [root at saleen_webvm1 instant-client-10.1]# ls -alZ
>> > drwxr-xr-x  root root system_u:object_r:usr_t          .
>> > drwxr-xr-x  root root system_u:object_r:usr_t          ..
>> > -rw-r--r--  root root system_u:object_r:usr_t          classes12.jar
>> > drwxr-xr-x  root root system_u:object_r:usr_t          docs
>> > -rw-r--r--  root root system_u:object_r:usr_t          glogin.sql
>> > lrwxrwxrwx  root root system_u:object_r:usr_t          libclntsh.so
>> > -rwxr-xr-x  root root system_u:object_r:usr_t         
>> libclntsh.so.10.1
>> > -rwxr-xr-x  root root system_u:object_r:usr_t          libnnz10.so
>> > lrwxrwxrwx  root root system_u:object_r:usr_t          libocci.so
>> > -rwxr-xr-x  root root system_u:object_r:usr_t          libocci.so.10.1
>> > -rwxr-xr-x  root root system_u:object_r:usr_t          libociei.so
>> > -rwxr-xr-x  root root system_u:object_r:usr_t          libocijdbc10.so
>> > -rwxr-xr-x  root root system_u:object_r:usr_t          libsqlplus.so
>> > -rw-r--r--  root root system_u:object_r:usr_t          ojdbc14.jar
>> > -rw-r--r--  root root system_u:object_r:usr_t          README_IC.htm
>> > drwxr-xr-x  root root system_u:object_r:usr_t          sdk
>> > -rwxr-xr-x  root root system_u:object_r:usr_t          sqlplus
>> > -rw-r--r--  root root system_u:object_r:usr_t          tnsnames.ora
>> >
>> > When try to start apache, I get some errors in audit.log and apache
>> > fails to start.
>> >
>> > type=AVC msg=audit(1186086032.546:60): avc:  denied  { execstack } for
>> > pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0
>> > tcontext=user_u:system_r:httpd_t:s0 tclass=process
>> > type=SYSCALL msg=audit(1186086032.546:60): arch=c000003e syscall=10
>> > success=no exit=-13 a0=7fff9c992000 a1=1000 a2=1000007 a3=4 items=0
>> > ppid=2851 pid=2852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>> > sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
>> > subj=user_u:system_r:httpd_t:s0 key=(null)
>> > type=AVC msg=audit(1186088202.755:61): avc:  denied  { execute } for
>> > pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819
>> > scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0
>> > tclass=file
>> > type=SYSCALL msg=audit(1186088202.755:61): arch=c000003e syscall=9
>> > success=no exit=-13 a0=0 a1=ec0b08 a2=5 a3=802 items=0 ppid=2880
>> > pid=2881 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> > fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
>> > subj=user_u:system_r:httpd_t:s0 key=(null)
>> > type=AVC_PATH msg=audit(1186088202.755:61):
>> > path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"
>> >
>> > audit2allow is telling me to add the following rules:
>> >
>> > # audit2allow < audit.log
>> > allow httpd_t self:process execstack;
>> > allow httpd_t usr_t:file execute;
>> >
>> > My question/concerns are the following:
>> >
>> > 1.  What risks do I incur by making the process stack executable?
>>
>> it will incur the security risk, such as buffer overflow.
>> Stack memory is not executable on most OSes these days, and
>> will not change.
>>
>> you can first use execstack to check whether your program
>> really need executable stack(you must have prelink firstly):
>>
>> for example:
>>
>> #execstack -q /usr/lib/vmware/lib/libart_lgpl_2.so.2/libart_lgpl_2.so.2
>> X libart_lgpl_2.so.2
>>
>> and use execstack to remove the p_flags field of PT_GNU_STACK header
>> entry, and run program to see whether it really need stack to be
>> executable:
>>
>> execstack -c libart_lgpl_2.so.2
>>
>> if yes, you also can use boolean to allow stack to be executed:
>>
>> setsebool [-P] allow_execstack 1
>>
>> this will make all program stack executable, and there are still:
>>
>> allow_java_execstack,allow_mplayer_execstack
>>
>> use these booleans, you will not need write policy for executable
>> stack.
>>
>>
>> > 2.  If I am reading the second rule correctly, its asking to allow
>> > httpd_t to execute user_t files?
>>
>> i wonder why is your libraries usr_t, not lib_t, if your libs are
>> lib_t, httpd_t can execute those files
>>
>> >
>> > Thanks for your help
>> >
>> > _________________________________________________________________
>> > Now you can see trouble…before he arrives
>> >
>> http://newlivehotmail.com/?ocid=TXT_TAGHM_migration_HM_viral_protection_0507
>>
>> >
>> >
>> > --
>> > fedora-selinux-list mailing list
>> > fedora-selinux-list at redhat.com
>> > https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>> >
>>
> 
> _________________________________________________________________
> Now you can see trouble卋efore he arrives
> http://newlivehotmail.com/?ocid=TXT_TAGHM_migration_HM_viral_protection_0507
> 
> 
> 




More information about the fedora-selinux-list mailing list