selinux issue

John Oliver joliver at john-oliver.net
Tue Feb 10 19:20:28 UTC 2009


I know jack-diddly about selinux.  Up until now, I've simply disabled it
each time I ran into a headache like this.  I'm having this issue on a
RHEL5.3 machine.  The problem does not show up on several existing
RHEL5.2 machines... I don't know if that's because my predecessor knew
the magic recipe, or because of some difference between 5.2 and 5.3.

[root at localhost ~]# service httpd start
Starting httpd: httpd: Syntax error on line 209 of
/etc/httpd/conf/httpd.conf: Syntax error on line 1 of
/etc/httpd/conf.d/valicert.conf: Cannot load
/etc/httpd/modules/vcapache.so into server:
/etc/httpd/modules/vcapache.so: cannot enable executable stack as shared
object requires: Permission denied
[FAILED]

[root at localhost ~]# tail -2 /var/log/messages
Feb 9 12:59:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l d41f81b1-555f-4992-be21-4e4ac141f620
Feb 9 13:03:10 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l 072e94cc-778b-44a7-b407-ea6616385489

[root at localhost ~]# sealert -l 072e94cc-778b-44a7-b407-ea6616385489

Summary:

SELinux is preventing httpd (httpd_t) "execstack" to <Unknown>
(httpd_t).

Detailed Description:

SELinux denied access requested by httpd. It is not expected that this
access is required by httpd and this access may signal an intrusion
attempt. It is also possible that the specific version or configuration
of the application is causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
package.

Additional Information:

Source Context root:system_r:httpd_t
Target Context root:system_r:httpd_t
Target Objects None [ process ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages httpd-2.2.3-22.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.18-128.el5 #1 SMP
Wed Dec 17 11:42:39 EST 2008 i686 i686
Alert Count 1
First Seen Mon Feb 9 13:03:09 2009
Last Seen Mon Feb 9 13:03:09 2009
Local ID 072e94cc-778b-44a7-b407-ea6616385489
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc: denied { execstack } for pid=2957 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process

host=localhost.localdomain type=SYSCALL msg=audit(1234184589.996:31): arch=40000003 syscall=125 success=no exit=-13 a0=bf80d000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=2956 pid=2957 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
How do I make this particular module work? If I do an "ls -Z" on
/etc/httpd/modules/ it has the same permissions as every other module...

-rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_vhost_alias.so
-rwxr-xr-x root root system_u:object_r:httpd_modules_t vcapache.so

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************
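The two raw audit records in the post carry everything needed to triage this denial without guessing. The script below is an added example (not part of the original message and not a Red Hat or setroubleshoot tool): it parses the AVC record into the denied permission and the source/target types, decodes the paired SYSCALL record (arch 40000003 is i386, where syscall 125 is mprotect; the a2 argument is the requested protection, and exit=-13 is EACCES), and prints the allow rule in TE syntax that audit2allow would produce for this line. The sample records are the post's own two lines joined back onto single lines; the i386 syscall table entry and the PROT_* bit values are stated from the kernel ABI, and the rule format is assumed to match audit2allow's output for a single-permission denial.

```python
"""Triage an SELinux AVC denial of the kind shown in the post above."""
import errno
import re

# Constructed sample input: the two raw audit records from the post, each
# joined back onto one line (the mail client had wrapped them).
SAMPLE_AVC = (
    'host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc: '
    'denied { execstack } for pid=2957 comm="httpd" '
    'scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 '
    'tclass=process'
)
SAMPLE_SYSCALL = (
    'host=localhost.localdomain type=SYSCALL msg=audit(1234184589.996:31): '
    'arch=40000003 syscall=125 success=no exit=-13 a0=bf80d000 a1=1000 '
    'a2=1000007 a3=fffff000 items=0 ppid=2956 pid=2957 auid=0 uid=0 gid=0 '
    'euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="httpd" '
    'exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)'
)

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$')

# arch=40000003 is AUDIT_ARCH_I386; 125 is mprotect in the i386 syscall table.
# glibc calls mprotect on the stack when a DSO that requests an executable
# stack is dlopen()ed, which is what httpd does when loading a module.
I386_SYSCALLS = {125: "mprotect"}
PROT_FLAGS = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
              (0x01000000, "PROT_GROWSDOWN")]


def parse_kv(text):
    """Split an audit record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}


def parse_avc(line):
    """Extract the denied permissions and the SELinux types from an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    fields = parse_kv(m.group(2))
    return {
        "perms": m.group(1).split(),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields["comm"],
        "pid": int(fields["pid"]),
    }


def decode_syscall(line):
    """Name the failed syscall, its errno, and (for mprotect) the requested protection."""
    f = parse_kv(line)
    code = int(f["exit"])
    info = {"success": f["success"] == "yes",
            "errno": errno.errorcode.get(-code, str(code)) if code < 0 else None,
            "syscall": "unknown"}
    if f.get("arch") == "40000003":
        info["syscall"] = I386_SYSCALLS.get(int(f["syscall"]), "unknown")
        if info["syscall"] == "mprotect":
            prot = int(f["a2"], 16)  # third mprotect argument: prot bits
            info["prot"] = [name for bit, name in PROT_FLAGS if prot & bit]
    return info


def te_rule(avc):
    """The allow rule audit2allow would emit for this denial (assumed format)."""
    target = "self" if avc["source_type"] == avc["target_type"] else avc["target_type"]
    perms = avc["perms"][0] if len(avc["perms"]) == 1 else "{ %s }" % " ".join(avc["perms"])
    return "allow %s %s:%s %s;" % (avc["source_type"], target, avc["tclass"], perms)


def triage(avc_line, syscall_line):
    """One-paragraph summary an operator can act on."""
    avc = parse_avc(avc_line)
    sc = decode_syscall(syscall_line)
    return ("%s (pid %d, type %s) was denied %s on %s; the failing syscall was %s "
            "-> %s with prot %s. Rule that would grant it: %s" % (
                avc["comm"], avc["pid"], avc["source_type"], " ".join(avc["perms"]),
                avc["tclass"], sc["syscall"], sc["errno"], "|".join(sc.get("prot", [])),
                te_rule(avc)))


if __name__ == "__main__":
    print(triage(SAMPLE_AVC, SAMPLE_SYSCALL))
```

The decoded prot value (read/write/exec plus PROT_GROWSDOWN on the stack) confirms that the module itself is marked as needing an executable stack, so the usual fix is to clear that flag on the .so with `execstack -c` from the prelink package, or to get a rebuilt module from the vendor, rather than to grant httpd_t `execstack` process-wide with the rule above; the rule is printed so the operator can see exactly what a local policy module would be giving away.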




More information about the fedora-selinux-list mailing list