selinux issue
John Oliver
joliver at john-oliver.net
Tue Feb 10 20:45:50 UTC 2009
On Tue, Feb 10, 2009 at 02:58:38PM -0500, Daniel J Walsh wrote:
> It is very rare that any app would need execstack, apps having this
> privilege are potentially subject to buffer overflow attack.
>
> http://people.redhat.com/~drepper/selinux-mem.html
>
> First thing to try is see if the execstack flag is set on the library,
> if it is you can remove it and see if the app works.
>
> Query
>
> # execstack -q /etc/httpd/modules/vcapache.so
[root at localhost targeted]# execstack -q /etc/httpd/modules/vcapache.so
? /etc/httpd/modules/vcapache.so
> Remove
> # execstack -c /etc/httpd/modules/vcapache.so
>
> Test,
[root at localhost targeted]# service httpd start
Starting httpd: httpd: Syntax error on line 211 of
/etc/httpd/conf/httpd.conf: Syntax error on line 1 of
/etc/httpd/conf.d/valicert.conf: Cannot load
/etc/httpd/modules/vcapache.so into server:
/etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc:
Permission denied
[FAILED]
> If it breaks and you want to put the flag back on.
>
> # execstack -s /etc/httpd/modules/vcapache.so
>
> If removing the flag does not work for you, you can create custom policy
> to allow vcapache to run
>
> # grep execstack /var/log/audit/audit.log | audit2allow -M myexecstack
> # semodule -i myexecstack.pp
Will that make it automagically work until the day the server is
scrapped? Or do I need to put "semodule -i myexecstack.pp" in rc.local
or something? Or is there a place I can put the myexecstack.pp file
where selinux will read it each time the machine boots?
Thanks for the info!!!
--
***********************************************************************
* John Oliver http://www.john-oliver.net/ *
* *
***********************************************************************
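The query/clear/test/restore sequence Dan quotes above, plus the audit2allow/semodule step, as a small POSIX sh wrapper. This is an added example for the thread, not code from the original message or from the prelink/SELinux tools; it assumes the `execstack` binary (prelink) and the `audit2allow`/`semodule` tools are installed and that the caller passes a test command such as `service httpd start`. The parser is keyed to the one-line format `execstack -q` prints (status character, space, path), which is exactly what the `? /etc/httpd/modules/vcapache.so` line in the thread shows.

```shell
#!/bin/sh
# Added example, not from the original thread.  Assumes execstack (prelink),
# audit2allow and semodule are installed; the test command is whatever the
# caller passes (e.g. "service httpd start").

# execstack -q prints one line per file: a status character, a space, then
# the path.  'X' = executable-stack flag set, '-' = flag cleared,
# '?' = the object carries no PT_GNU_STACK header at all (the thread's case).
execstack_state() {
    # $1: one line of `execstack -q` output
    case "$1" in
        "X "*) echo executable ;;
        "- "*) echo non-executable ;;
        "? "*) echo unknown ;;
        *)     echo invalid; return 1 ;;
    esac
}

# Clear the flag, run the test command, and put the flag back if the test
# fails.  Returns 0 if the library works without an executable stack,
# 1 if it needed the flag (restored), 2 if the flag was not set to begin with.
try_without_execstack() {
    lib=$1; shift
    state=$(execstack_state "$(execstack -q "$lib")") || return 2
    if [ "$state" != executable ]; then
        echo "$lib: execstack flag not set (state: $state), nothing to clear"
        return 2
    fi
    execstack -c "$lib" || return 2
    if "$@"; then
        echo "$lib works without an executable stack; flag left cleared"
        return 0
    fi
    echo "$lib needs an executable stack; restoring the flag"
    execstack -s "$lib"
    return 1
}

# semodule -l lists the modules in the policy store, name first on each line.
module_is_installed() {
    semodule -l | awk '{print $1}' | grep -qx "$1"
}

# The custom-policy route from the thread: build a module from the execstack
# denials in the audit log and load it.  semodule -i writes the module into
# the persistent policy store, and the kernel policy built from that store
# is what gets loaded at boot, so nothing needs to go into rc.local.
install_execstack_module() {
    name=${1:-myexecstack}
    denials=$(grep execstack /var/log/audit/audit.log) || {
        echo "no execstack denials found in audit.log"; return 1; }
    printf '%s\n' "$denials" | audit2allow -M "$name" || return 1
    semodule -i "$name.pp" || return 1
    module_is_installed "$name"
}

# Usage (as root; not run here):
#   try_without_execstack /etc/httpd/modules/vcapache.so service httpd start
#   install_execstack_module myexecstack && echo "module persists in the store"
```

Two things worth noting. The `?` in the thread's `execstack -q` output means the library has no PT_GNU_STACK header at all, which is why the wrapper refuses to "clear" a flag that is not there. And the error in the thread's `service httpd start` output, "cannot restore segment prot after reloc", is the dynamic loader's message when it is denied re-protecting a text segment it had to write relocations into; that is the execmod check described on the Drepper page Dan links, a different denial from execstack, so the audit2allow step (which picks up whatever the audit log recorded) is the path that actually covers it.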
More information about the fedora-selinux-list mailing list