selinux issue

Stephen Smalley sds at tycho.nsa.gov
Tue Feb 10 20:46:57 UTC 2009


On Tue, 2009-02-10 at 12:45 -0800, John Oliver wrote:
> On Tue, Feb 10, 2009 at 02:58:38PM -0500, Daniel J Walsh wrote:
> > It is very rare that any app would need execstack, apps having this
> > privilege are potentially subject to buffer overflow attack.
> > 
> > http://people.redhat.com/~drepper/selinux-mem.html
> > 
> > First thing to try is see if the execstack flag is set on the library,
> > if it is you can remove it and see if the app works.
> > 
> > Query
> > 
> > # execstack -q /etc/httpd/modules/vcapache.so
> 
> [root at localhost targeted]# execstack -q /etc/httpd/modules/vcapache.so
> ? /etc/httpd/modules/vcapache.so
> 
> > Remove
> > # execstack -c  /etc/httpd/modules/vcapache.so

Did you try this?

> > 
> > Test,
> 
> [root at localhost targeted]# service httpd start
> Starting httpd: httpd: Syntax error on line 211 of
> /etc/httpd/conf/httpd.conf: Syntax error on line 1 of
> /etc/httpd/conf.d/valicert.conf: Cannot load
> /etc/httpd/modules/vcapache.so into server:
> /etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc:
> Permission denied
>                                                            [FAILED]
> > If it breaks and you want to put the flag back on.
> > 
> > # execstack -s  /etc/httpd/modules/vcapache.so
> > 
> > If removing the flag does not work for you, you can create custom policy
> > to allow vcapache to run
> > 
> > # grep execstack /var/log/audit/audit.log | audit2allow -M myexecstack
> > # semodule -i myexecstack.pp
> 
> Will that make it automagically work until the day the server is
> scrapped?  Or do I need to put "semodule -i myexecstack.pp" in rc.local
> or something?  Or is there a place I can put the myexecstack.pp file
> where selinux will read it each time the machine boots?
> 
> Thanks for the info!!!

semodule -i installs the module
under /etc/selinux/targeted/modules/active/modules and keeps it around
until you explicitly remove it with semodule -r.

BTW, there may also be a boolean that you can change instead, like
	setsebool -P httpd_execmem=1

You can look for existing rules with sesearch, e.g.
	sesearch -AC -s httpd_t -p execstack

-- 
Stephen Smalley
National Security Agency
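The thread relies on three things a defender checks by hand: whether a shared object carries the PT_GNU_STACK executable-stack marker that `execstack -q` reports, what clearing or setting that marker (`execstack -c` / `-s`) actually changes in the file, and which AVC denials `grep execstack audit.log | audit2allow` would turn into allow rules. The following is an added, self-contained Python example that is not part of the original thread and is not the execstack or audit2allow tool itself: it parses the ELF program headers directly (the field offsets follow the ELF specification), toggles the flag on an in-memory copy the way execstack does, and filters execstack denials out of constructed sample audit lines. The ELF image and the audit lines are constructed for the example; the domain name `httpd_t` and the log format are the ones seen on a typical Fedora system of that era but are assumptions here.

```python
import re
import struct

# ELF constants from the ELF/gABI specification
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def _phdr_iter(data):
    """Yield (offset of p_flags, p_type, p_flags, endian) for each program header."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"
    if data[4] == 2:    # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        e_phoff = struct.unpack_from(endian + "Q", data, 0x20)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 0x36)
        flags_off = 4   # Elf64_Phdr keeps p_flags right after p_type
    elif data[4] == 1:  # ELF32: e_phoff at 0x1c, e_phentsize/e_phnum at 0x2a
        e_phoff = struct.unpack_from(endian + "I", data, 0x1C)[0]
        phentsize, phnum = struct.unpack_from(endian + "HH", data, 0x2A)
        flags_off = 24  # Elf32_Phdr keeps p_flags after the size fields
    else:
        raise ValueError("unknown ELF class")
    for i in range(phnum):
        base = e_phoff + i * phentsize
        p_type = struct.unpack_from(endian + "I", data, base)[0]
        p_flags = struct.unpack_from(endian + "I", data, base + flags_off)[0]
        yield base + flags_off, p_type, p_flags, endian


def query_execstack(data):
    """Same three answers execstack -q prints: 'X' executable stack requested,
    '-' non-executable stack requested, '?' no PT_GNU_STACK header at all
    (the kernel/loader default then applies)."""
    for _, p_type, p_flags, _ in _phdr_iter(data):
        if p_type == PT_GNU_STACK:
            return "X" if p_flags & PF_X else "-"
    return "?"


def set_execstack(data, executable):
    """Return a copy with PF_X cleared (execstack -c) or set (execstack -s)
    on the PT_GNU_STACK header; nothing else in the file is touched."""
    out = bytearray(data)
    for flags_off, p_type, p_flags, endian in _phdr_iter(data):
        if p_type == PT_GNU_STACK:
            new = (p_flags | PF_X) if executable else (p_flags & ~PF_X)
            struct.pack_into(endian + "I", out, flags_off, new)
            return bytes(out)
    raise ValueError("no PT_GNU_STACK header to edit")


def make_elf64(stack_flags, include_stack_hdr=True):
    """Constructed minimal little-endian x86-64 ET_DYN image: one PT_LOAD header
    and, optionally, one PT_GNU_STACK header carrying stack_flags. Not loadable,
    just enough header structure for the checks above."""
    phnum = 2 if include_stack_hdr else 1
    ehdr = struct.pack(
        "<16sHHIQQQIHHHHHH",
        b"\x7fELF" + bytes([2, 1, 1]) + bytes(9),  # ELFCLASS64, little-endian, v1
        3, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    load = struct.pack("<IIQQQQQQ", PT_LOAD, PF_R | PF_X, 0, 0, 0, 0, 0, 0x1000)
    stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + load + (stack if include_stack_hdr else b"")


# Constructed sample AVC records in the audit.log layout assumed here.
SAMPLE_AUDIT = [
    'type=AVC msg=audit(1234567890.123:456): avc:  denied  { execstack } for  pid=1234 '
    'comm="httpd" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1234567890.124:457): avc:  denied  { execmem } for  pid=1234 '
    'comm="httpd" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=process',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perm>[^}]+) \}.*?comm="(?P<comm>[^"]*)"'
    r'.*?scontext=(?P<sctx>\S+)')


def execstack_denials(lines):
    """Return sorted (comm, source domain) pairs for execstack denials: the set
    audit2allow -M would turn into 'allow <domain> self:process execstack'."""
    hits = set()
    for line in lines:
        m = AVC_RE.search(line)
        if m and "execstack" in m.group("perm").split():
            domain = m.group("sctx").split(":")[2]  # user:role:type:level -> type
            hits.add((m.group("comm"), domain))
    return sorted(hits)


if __name__ == "__main__":
    so = make_elf64(PF_R | PF_W | PF_X)
    print("before:", query_execstack(so))
    print("after -c:", query_execstack(set_execstack(so, False)))
    print("denials:", execstack_denials(SAMPLE_AUDIT))
```

Run it as a script to see the before/after marker and the denial list; to inspect a real file, replace `make_elf64(...)` with `open(path, "rb").read()`. The point of the denial filter is the one Daniel makes in the quoted text: a custom module generated from these records grants the domain a permanent right to executable stacks, so it is worth seeing exactly which domain and command would receive it before running `semodule -i`.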