[F8] (Re)Starting httpd reveals php pdf.so stack permission errors...

Daniel J Walsh dwalsh at redhat.com
Mon Feb 18 14:31:45 UTC 2008


Daniel B. Thurman wrote:
> # setenforce 1  (If set to 0, no following errors are generated)
> # service httpd restart
> <Generates the following errors>
> 
> /etc/log/httpd/errors_log:
> =================
> PHP Warning:  PHP Startup: Unable to load dynamic library
> '/usr/lib/php/modules/pdf.so' - libpdf.so.6: cannot enable executable
> stack as shared object requires: Permission denied in Unknown on line 0
> 
> # ls -lZ /usr/lib/php/modules/pdf.so
> -rwxr-xr-x  root root
> system_u:object_r:textrel_shlib_t:s0 /usr/lib/php/modules/pdf.so
> 
> # find / -xdev -name libpdf.so.6
> <does not exist>
> 
> /etc/log/audit/audit_log:
> ===============
> type=AVC msg=audit(1203285527.123:3893): avc:  denied  { execstack } for
> pid=21241 comm="httpd" scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:system_r:httpd_t:s0 tclass=process
> type=SYSCALL msg=audit(1203285527.123:3893): arch=40000003 syscall=125
> success=no exit=-13 a0=bfca1000 a1=1000 a2=1000007 a3=fffff000 items=0
> ppid=1 pid=21241 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> subj=system_u:system_r:httpd_t:s0 key=(null)
> 
> SEAlert:
> =================================================
> Summary
>     SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" to <Unknown>
>     (httpd_t).
> 
> Detailed Description
>     SELinux denied access requested by /usr/sbin/httpd. It is not expected that
>     this access is required by /usr/sbin/httpd and this access may signal an
>     intrusion attempt. It is also possible that the specific version or
>     configuration of the application is causing it to require additional access.
> 
> Allowing Access
>     You can generate a local policy module to allow this access - see
>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
>     SELinux protection altogether. Disabling SELinux protection is not
>     recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
>     against this package.
> 
> Additional Information        
> 
> Source Context                system_u:system_r:httpd_t:s0
> Target Context                system_u:system_r:httpd_t:s0
> Target Objects                None [ process ]
> Affected RPM Packages         httpd-2.2.8-1.fc8 [application]
> Policy RPM                    selinux-policy-3.0.8-84.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall
> Host Name                     gold.cdkkt.com
> Platform                      Linux gold.cdkkt.com 2.6.23.15-137.fc8 #1 SMP Sun
>                               Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count                   10
> First Seen                    Sun 17 Feb 2008 04:50:41 AM PST
> Last Seen                     Sun 17 Feb 2008 01:46:21 PM PST
> Local ID                      b2d0de85-f78b-4945-8d01-1ef26660fe47
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { execstack } for comm=httpd egid=0 euid=0 exe=/usr/sbin/httpd
> exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=20396
> scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0
> suid=0 tclass=process tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0
> 

This should be reported as a bug to whoever supplied
/usr/lib/php/modules/pdf.so


You can try
execstack -c /usr/lib/php/modules/pdf.so

And see if that removes the problem.

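
Added example, not part of the original message and not code from the execstack tool: a Python reader for the PT_GNU_STACK marking that `execstack -c` clears, so a module such as pdf.so can be checked before and after the change. The names `stack_flag` and `make_elf32` and the minimal ELF32 header are assumptions constructed for illustration.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type that records stack permissions
PF_X = 0x1                 # "executable" bit in p_flags

def stack_flag(data: bytes) -> str:
    """Return 'X' (executable stack requested), '-' (not requested) or
    '?' (no PT_GNU_STACK marking), the three answers `execstack -q` prints."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                  # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little endian
    if is64:
        hdr = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_flags is 2nd field
    else:
        hdr = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
        ph_fmt, flags_idx = end + "IIIIIIII", 6   # p_flags is 7th field
    phoff, phentsize, phnum = hdr[4], hdr[8], hdr[9]
    for i in range(phnum):
        ph = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
        if ph[0] == PT_GNU_STACK:
            return "X" if ph[flags_idx] & PF_X else "-"
    return "?"

def make_elf32(stack_flags):
    """Constructed sample: minimal little-endian i386 ET_DYN header with one
    PT_GNU_STACK entry, or no program headers when stack_flags is None."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    phdr = b"" if stack_flags is None else struct.pack(
        "<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)
    return ident + ehdr + phdr

if __name__ == "__main__":
    if len(sys.argv) > 1:                # check real files given on the command line
        for path in sys.argv[1:]:
            with open(path, "rb") as f:
                print(stack_flag(f.read()), path)
    else:                                # otherwise show the constructed samples
        for label, flags in (("RWE", 7), ("RW", 6), ("unmarked", None)):
            print(stack_flag(make_elf32(flags)), label)
```

An object that reports `X` is one the loader will try to give an executable stack, which is the request the `execstack` AVC denial for `httpd_t` blocks.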



