selinux denying access to "unknown"

Daniel J Walsh dwalsh at redhat.com
Mon Feb 23 18:18:34 UTC 2009



John Oliver wrote:
> System is a fresh install of RHEL 5.2
> 
> [root at testbed ~]# service httpd start
> Starting httpd:                                            [FAILED]
> 
> [root at testbed ~]# tail -1 /var/log/messages
> Feb 23 17:33:34 testbed setroubleshoot:      SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0
> 
> [root at testbed ~]# sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0
> Summary
>     SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to
>     <Unknown> (httpd_t).
> 
> Detailed Description
>     SELinux denied access requested by /usr/sbin/httpd. It is not expected that
>     this access is required by /usr/sbin/httpd and this access may signal an
>     intrusion attempt. It is also possible that the specific version or
>     configuration of the application is causing it to require additional access.
>     Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
>     package.
> 
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could try to
>     restore the default system file context for <Unknown>, restorecon -v
>     <Unknown>. There is currently no automatic way to allow this access.
>     Instead, you can generate a local policy module to allow this access - see
>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can
>     disable SELinux protection entirely for the application. Disabling SELinux
>     protection is not recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>     Changing the "httpd_disable_trans" boolean to true will disable SELinux
>     protection this application: "setsebool -P httpd_disable_trans=1."
> 
>     The following command will allow this access:
>     setsebool -P httpd_disable_trans=1
> 
> Additional Information
> 
> Source Context                root:system_r:httpd_t:s0
> Target Context                root:system_r:httpd_t:s0
> Target Objects                None [ process ]
> Affected RPM Packages         httpd-2.2.3-6.el5 [application]
> Policy RPM                    selinux-policy-2.4.6-30.el5
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.disable_trans
> Host Name                     testbed
> Platform                      Linux testbed 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
> Alert Count                   2
> Line Numbers
> 
> Raw Audit Messages
> 
> avc: denied { execstack } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=15177 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
> 
> How am I supposed to figure out what it's unhappy about if it won't tell
> me?
> 
Is there anything in the apache logs?

http://people.redhat.com/~drepper/selinux-mem.html

execstack is very rarely required and usually indicates something built
incorrectly or a hack.

You could look for libraries/binaries that require execstack by using
the following command

find /bin -exec execstack -q {} \;  2> /dev/null | grep ^X
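As an added example that is not part of this thread, the Python script below reimplements the PT_GNU_STACK check that `execstack -q` performs (X = executable stack, - = not, ? = header absent), so it can be run over /usr/sbin/httpd, its modules and the libraries `ldd` lists to find which object is demanding execstack; `build_elf32` is a constructed test fixture, not a real binary.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header that records the stack permissions
PF_X = 0x1                 # p_flags bit: segment is executable


def gnu_stack_flag(data):
    """Mirror `execstack -q`: 'X' if the stack must be executable, '-' if not,
    '?' if no PT_GNU_STACK header is present, None if the file is not ELF."""
    if data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB vs ELFDATA2MSB
    if ei_class == 1:                           # ELFCLASS32 (e.g. RHEL 5 i686)
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    else:                                       # ELFCLASS64
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if ei_class == 1:                       # Elf32_Phdr: p_flags at offset 24
            p_type = struct.unpack_from(end + "I", data, off)[0]
            p_flags = struct.unpack_from(end + "I", data, off + 24)[0]
        else:                                   # Elf64_Phdr: p_flags right after p_type
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        if p_type == PT_GNU_STACK:
            return "X" if p_flags & PF_X else "-"
    return "?"  # glibc's loader treats a missing header like an executable stack


def build_elf32(stack_flags, p_type=PT_GNU_STACK):
    """Constructed minimal little-endian i386 ELF32 image with one program header;
    a test fixture only, it is not loadable."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", p_type, 0, 0, 0, 0, 0, stack_flags, 16)
    return ehdr + phdr


def scan(paths):
    """Yield (flag, path) for every ELF file among paths; skip unreadable ones."""
    for path in paths:
        try:
            with open(path, "rb") as f:
                data = f.read()
        except OSError:
            continue
        flag = gnu_stack_flag(data)
        if flag is not None:
            yield flag, path


if __name__ == "__main__":
    # e.g.: python3 execstack_check.py /usr/sbin/httpd /usr/lib/httpd/modules/*.so
    for flag, path in scan(sys.argv[1:]):
        if flag != "-":
            print(flag, path)
```

Objects reported as X or ? are the ones to rebuild or replace; `execstack -c` can clear the flag on a single binary, but that only hides the symptom if the code really does rely on stack execution.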

