selinux issue

Daniel J Walsh dwalsh at redhat.com
Tue Feb 10 19:58:38 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

John Oliver wrote:
> I know jack-diddly about selinux.  Up until now, I've simply disabled it
> each time I ran into a headache like this.  I'm having this issue on a
> RHEL5.3 machine.  The problem does not show up on several existing
> RHEL5.2 machines... I don't know if that's because my predecessor knew
> the magic recipe, or because of some difference between 5.2 and 5.3
> 
> [root at localhost ~]# service httpd start
> Starting httpd: httpd: Syntax error on line 209 of
> /etc/httpd/conf/httpd.conf: Syntax error on line 1 of
> /etc/httpd/conf.d/valicert.conf: Cannot load
> /etc/httpd/modules/vcapache.so into server:
> /etc/httpd/modules/vcapache.so: cannot enable executable stack as shared
> object requires: Permission denied
> [FAILED]
> 
> [root at localhost ~]# tail -2 /var/log/messages
> Feb 9 12:59:54 localhost setroubleshoot: SELinux is preventing httpd
> (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux
> messages. run sealert -l d41f81b1-555f-4992-be21-4e4ac141f620
> Feb 9 13:03:10 localhost setroubleshoot: SELinux is preventing httpd
> (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux
> messages. run sealert -l 072e94cc-778b-44a7-b407-ea6616385489
> 
> [root at localhost ~]# sealert -l 072e94cc-778b-44a7-b407-ea6616385489
> 
> Summary:
> 
> SELinux is preventing httpd (httpd_t) "execstack" to <Unknown>
> (httpd_t).
> 
> Detailed Description:
> 
> SELinux denied access requested by httpd. It is not expected that this
> access is
> required by httpd and this access may signal an intrusion attempt. It is
> also
> possible that the specific version or configuration of the application
> is
> causing it to require additional access.
> 
> Allowing Access:
> 
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can
> disable SELinux protection altogether. Disabling SELinux protection is
> not recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
> package.
> 
> Additional Information:
> 
> Source Context root:system_r:httpd_t
> Target Context root:system_r:httpd_t
> Target Objects None [ process ]
> Source httpd
> Source Path /usr/sbin/httpd
> Port <Unknown>
> Host localhost.localdomain
> Source RPM Packages httpd-2.2.3-22.el5
> Target RPM Packages
> Policy RPM selinux-policy-2.4.6-203.el5
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.18-128.el5 #1 SMP
> Wed Dec 17 11:42:39 EST 2008 i686 i686
> Alert Count 1
> First Seen Mon Feb 9 13:03:09 2009
> Last Seen Mon Feb 9 13:03:09 2009
> Local ID 072e94cc-778b-44a7-b407-ea6616385489
> Line Numbers
> 
> Raw Audit Messages
> 
> host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc:
> denied { execstack } for pid=2957 comm="httpd"
> scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0
> tclass=process
> 
> host=localhost.localdomain type=SYSCALL msg=audit(1234184589.996:31):
> arch=40000003 syscall=125 success=no exit=-13 a0=bf80d000 a1=1000
> a2=1000007 a3=fffff000 items=0 ppid=2956 pid=2957 auid=0 uid=0 gid=0
> euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="httpd"
> exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
> 
> How do I make this particular module work? If I do an "ls -Z" on
> /etc/httpd/modules/ it has the same permissions as every other module...
> 
> -rwxr-xr-x root root system_ubject_r:httpd_modules_t mod_vhost_alias.so
> -rwxr-xr-x root root system_ubject_r:httpd_modules_t vcapach

It is very rare that any app would need execstack; apps having this
privilege are potentially subject to buffer overflow attacks.

http://people.redhat.com/~drepper/selinux-mem.html

First thing to try is to see if the execstack flag is set on the library;
if it is, you can remove it and see if the app works.

Query

# execstack -q /etc/httpd/modules/vcapache.so

Remove
# execstack -c  /etc/httpd/modules/vcapache.so

Test,

If it breaks and you want to put the flag back on.

# execstack -s  /etc/httpd/modules/vcapache.so

If removing the flag does not work for you, you can create custom policy
to allow vcapache to run:

# grep execstack /var/log/audit/audit.log | audit2allow -M myexecstack
# semodule -i myexecstack.pp
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkmR3G4ACgkQrlYvE4MpobN5iACgtrlcz7TnkjSj3yx47GYsMj/z
oRMAoMnpmN/GclT53/ynX6u0HdwwXXV4
=ARrO
-----END PGP SIGNATURE-----
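The execstack query/clear step in the reply above inspects one thing: the PF_X bit of the library's PT_GNU_STACK program header, which is what the loader (and the SELinux execstack check) acts on. The following Python script is an added example, not part of the thread and not the execstack tool itself; it reimplements that check and the clear operation on raw ELF bytes. `build_sample_elf` produces a constructed, non-loadable minimal image so the functions can be exercised offline; all function names are this example's own.

```python
"""Inspect and clear the executable-stack request in an ELF shared object.

Added example, not part of the original thread. It reimplements the part of
`execstack -q` / `execstack -c` that matters for this AVC: the PF_X bit in the
PT_GNU_STACK program header. Function names and the sample image are this
example's own.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type the loader consults for stack flags
PF_X = 0x1                 # executable; PF_W = 0x2, PF_R = 0x4


def _layout(data):
    """Return (endian, phoff, phentsize, phnum, offset of p_flags inside a phdr)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 1:   # ELFCLASS32: Elf32_Phdr stores p_flags at byte 24
        phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 0x2A)
        return endian, phoff, phentsize, phnum, 24
    if data[4] == 2:   # ELFCLASS64: Elf64_Phdr stores p_flags at byte 4
        phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 0x36)
        return endian, phoff, phentsize, phnum, 4
    raise ValueError("unknown ELF class")


def find_gnu_stack(data):
    """Return (file offset of p_flags, p_flags value) for PT_GNU_STACK, or None."""
    endian, phoff, phentsize, phnum, flags_off = _layout(data)
    for i in range(phnum):
        base = phoff + i * phentsize
        if base + phentsize > len(data):
            raise ValueError("truncated program header table")
        if struct.unpack_from(endian + "I", data, base)[0] == PT_GNU_STACK:
            off = base + flags_off
            return off, struct.unpack_from(endian + "I", data, off)[0]
    return None


def query_execstack(data):
    """Same answer `execstack -q` gives: 'X' executable, '-' not, '?' unmarked."""
    found = find_gnu_stack(data)
    if found is None:
        return "?"   # no PT_GNU_STACK: older loaders treated this as executable
    return "X" if found[1] & PF_X else "-"


def clear_execstack(data):
    """Return a copy with PF_X cleared on PT_GNU_STACK (what `execstack -c` writes)."""
    found = find_gnu_stack(data)
    if found is None:
        raise ValueError("no PT_GNU_STACK header to clear (execstack can add one; this example does not)")
    off, flags = found
    endian = _layout(data)[0]
    out = bytearray(data)
    struct.pack_into(endian + "I", out, off, flags & ~PF_X)
    return bytes(out)


def build_sample_elf(exec_stack, elf64=True):
    """Constructed minimal ELF image (header + one phdr) for testing only; not loadable.
    exec_stack=True/False sets PF_X on PT_GNU_STACK; None emits a PT_NULL entry instead."""
    ptype = PT_GNU_STACK if exec_stack is not None else 0
    flags = 0x6 | (PF_X if exec_stack else 0)
    if elf64:
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", ptype, flags, 0, 0, 0, 0, 0, 16)
    else:
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", ptype, 0, 0, 0, 0, 0, flags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # Usage: python check_execstack.py /etc/httpd/modules/vcapache.so
    with open(sys.argv[1], "rb") as f:
        print(query_execstack(f.read()), sys.argv[1])
```

Run against a real module the script prints the same X / - / ? verdict as `execstack -q`; the clear function only touches the four flag bytes, which is why `execstack -c` is a safe first thing to try and `execstack -s` can restore the bit if the module genuinely needs it.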
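The fallback in the reply, `grep execstack /var/log/audit/audit.log | audit2allow -M myexecstack`, turns every matching AVC record into a policy rule, so it pays to look at which records are actually there before loading the module. This Python script is an added example (not part of the thread and not audit2allow's code): it parses AVC records, keeps only execstack denials, and prints the allow line audit2allow would derive for each. `SAMPLE_LINES` is constructed from the thread's AVC and SYSCALL records plus two invented lines to show the filtering; the regexes and function names are this example's own.

```python
"""Triage SELinux execstack denials from audit.log and show the rule audit2allow would emit.

Added example, not part of the original thread or of the audit2allow tool. The
parser, the sample lines and the function names are this example's own.
"""
import re
from collections import Counter

AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+"
    r"(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample: the AVC and SYSCALL records from the thread, plus an invented
# file-read denial and an invented 'granted' record to exercise the filter.
SAMPLE_LINES = [
    'type=AVC msg=audit(1234184589.996:31): avc: denied { execstack } for pid=2957 comm="httpd" '
    'scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1234184589.996:31): arch=40000003 syscall=125 success=no exit=-13 '
    'comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)',
    'type=AVC msg=audit(1234184600.123:32): avc: denied { read } for pid=2957 comm="httpd" '
    'name="example.conf" dev=sda1 ino=12345 scontext=root:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:admin_home_t:s0 tclass=file',
    'type=AVC msg=audit(1234184601.456:33): avc: granted { execstack } for pid=3000 comm="legacy" '
    'scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process',
]


def parse_avc(line):
    """Return a dict for an AVC record (perms as a list), or None for other record types."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """user:role:type[:level] -> type"""
    return ctx.split(":")[2]


def execstack_denials(lines):
    """The records the grep in the thread selects, minus granted ones and non-AVC lines."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["verdict"] == "denied" and "execstack" in rec["perms"]:
            out.append(rec)
    return out


def allow_rule(rec):
    """The TE rule audit2allow derives from one AVC; same-domain process access becomes 'self'."""
    src = context_type(rec["scontext"])
    tgt = context_type(rec["tcontext"])
    target = "self" if rec["tclass"] == "process" and src == tgt else tgt
    perms = rec["perms"][0] if len(rec["perms"]) == 1 else "{ " + " ".join(rec["perms"]) + " }"
    return f"allow {src} {target}:{rec['tclass']} {perms};"


def summarize(lines):
    """Count execstack denials per (comm, source type) so an unexpected domain stands out."""
    return Counter((r["comm"], context_type(r["scontext"])) for r in execstack_denials(lines))


if __name__ == "__main__":
    for rec in execstack_denials(SAMPLE_LINES):
        print(f'pid={rec["pid"]} comm={rec["comm"]} -> {allow_rule(rec)}')
```

For the thread's record the derived line is `allow httpd_t self:process execstack;`, which is the whole privilege the custom module would grant: every httpd_t process, not just the one loading vcapache.so. Seeing that rule spelled out is a good reason to try `execstack -c` on the module first, as the reply suggests.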




More information about the fedora-selinux-list mailing list