selinux issue
Stephen Smalley
sds at tycho.nsa.gov
Tue Feb 10 20:46:57 UTC 2009
On Tue, 2009-02-10 at 12:45 -0800, John Oliver wrote:
> On Tue, Feb 10, 2009 at 02:58:38PM -0500, Daniel J Walsh wrote:
> > It is very rare that any app would need execstack, apps having this
> > privilege are potentially subject to buffer overflow attack.
> >
> > http://people.redhat.com/~drepper/selinux-mem.html
> >
> > First thing to try is see if the execstack flag is set on the library,
> > if it is you can remove it and see if the app works.
> >
> > Query
> >
> > # execstack -q /etc/httpd/modules/vcapache.so
>
> [root at localhost targeted]# execstack -q /etc/httpd/modules/vcapache.so
> ? /etc/httpd/modules/vcapache.so
>
> > Remove
> > # execstack -c /etc/httpd/modules/vcapache.so
Did you try this?
> >
> > Test,
>
> [root at localhost targeted]# service httpd start
> Starting httpd: httpd: Syntax error on line 211 of
> /etc/httpd/conf/httpd.conf: Syntax error on line 1 of
> /etc/httpd/conf.d/valicert.conf: Cannot load
> /etc/httpd/modules/vcapache.so into server:
> /etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc:
> Permission denied
> [FAILED]
> > If it breaks and you want to put the flag back on.
> >
> > # execstack -s /etc/httpd/modules/vcapache.so
> >
> > If removing the flag does not work for you, you can create custom policy
> > to allow vcapache to run
> >
> > # grep execstack /var/log/audit/audit.log | audit2allow -M myexecstack
> > # semodule -i myexecstack.pp
>
> Will that make it automagically work until the day the server is
> scrapped? Or do I need to put "semodule -i myexecstack.pp" in rc.local
> or something? Or is there a place I can put the myexecstack.pp file
> where selinux will read it each time the machine boots?
>
> Thanks for the info!!!
semodule -i installs the module under
/etc/selinux/targeted/modules/active/modules and keeps it around until
you explicitly remove it with semodule -r.

BTW, there may also be a boolean that you can change instead, like

  setsebool -P httpd_execmem=1

You can look for existing rules with sesearch, e.g.

  sesearch -AC -s httpd_t -p execstack
--
Stephen Smalley
National Security Agency
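An added example, not part of the thread or of any Fedora/SELinux tool: a POSIX shell snippet for the triage step that sits between John's error and the three remedies Dan and Stephen describe (clear the flag, flip a boolean, or build an audit2allow module). It classifies a line of `execstack -q` output and counts execute-memory AVC denials per source domain from audit records on stdin, so you can see whether httpd_t is being denied execstack, execmem, or both before deciding which fix is the narrowest. The audit lines are constructed for the example (pids, timestamps and contexts are made up; the field layout follows the kernel AVC format). The `execstack -q` markers are real: `X` means the flag is set, `-` that it is clear, and `?` that the object has no PT_GNU_STACK header at all, so the loader has to assume it needs an executable stack, which is what John's query shows for vcapache.so.

```shell
#!/bin/sh
# Added example (not from the thread). Triage helpers for execstack/execmem
# AVC denials; all sample data below is constructed.

# Classify one line of `execstack -q` output ("X path", "- path", "? path").
execstack_verdict() {
    case "$1" in
        X\ *)  echo set ;;             # PT_GNU_STACK present, executable stack requested
        -\ *)  echo clear ;;           # PT_GNU_STACK present, non-executable stack
        \?\ *) echo missing-header ;;  # no PT_GNU_STACK: loader assumes executable stack
        *)     echo unknown ;;
    esac
}

# Constructed audit.log excerpt (contexts, pids and timestamps are made up).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1234275000.123:101): avc:  denied  { execstack } for  pid=2001 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1234275000.456:102): avc:  denied  { execmem } for  pid=2001 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1234275000.456:102): arch=40000003 syscall=125 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1234275001.789:103): avc:  denied  { execstack } for  pid=2001 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
EOF
}

# Read AVC records on stdin and print "<source type> <permission> <count>"
# for the execute-memory family (execstack, execmem, execmod, execheap).
# Unrelated denials and non-AVC records are ignored.
count_exec_denials() {
    awk '
        /avc: +denied/ {
            perm = ""; dom = ""
            for (i = 1; i <= NF; i++) {
                # the permission sits between "{" and "}"
                if ($i == "{") perm = $(i + 1)
                # scontext=user:role:type:level -> take the type field
                if ($i ~ /^scontext=/) { split(substr($i, 10), c, ":"); dom = c[3] }
            }
            if (perm ~ /^exec(stack|mem|mod|heap)$/) count[dom " " perm]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Stand-alone demonstration on the constructed data.
execstack_verdict '? /etc/httpd/modules/vcapache.so'
sample_audit_log | count_exec_denials
```

Run on a real box the two inputs would be `execstack -q /etc/httpd/modules/vcapache.so` and `/var/log/audit/audit.log`; a result of only execstack denials points at the flag (or missing header) on the library, while execmem denials alongside it are what the httpd_execmem boolean Stephen mentions would cover, which is worth knowing before feeding everything to audit2allow.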