selinux denying access to "unknown"

John Oliver joliver at john-oliver.net
Thu Feb 26 21:18:12 UTC 2009


On Mon, Feb 23, 2009 at 01:18:34PM -0500, Daniel J Walsh wrote:
> 
> John Oliver wrote:
> > System is a fresh install of RHEL 5.2
> > 
> > [root at testbed ~]# service httpd start
> > Starting httpd:                                            [FAILED]
> > 
> > [root at testbed ~]# tail -1 /var/log/messages
> > Feb 23 17:33:34 testbed setroubleshoot:      SELinux is preventing
> > /usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t).
> > For complete SELinux messages. run sealert -l
> > bda3d483-5ff5-4465-a9af-c2896cd7adb0
> > 
> > [root at testbed ~]# sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0
> > Summary
> >     SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access
> >     to <Unknown> (httpd_t).
> > 
> > Detailed Description
> >     SELinux denied access requested by /usr/sbin/httpd. It is not
> >     expected that this access is required by /usr/sbin/httpd and this
> >     access may signal an intrusion attempt. It is also possible that the
> >     specific version or configuration of the application is causing it
> >     to require additional access.
> >     Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
> >     against this package.
> > 
> > Allowing Access
> >     Sometimes labeling problems can cause SELinux denials.  You could
> >     try to restore the default system file context for <Unknown>,
> >     restorecon -v <Unknown>. There is currently no automatic way to
> >     allow this access. Instead, you can generate a local policy module
> >     to allow this access - see
> >     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you
> >     can disable SELinux protection entirely for the application.
> >     Disabling SELinux protection is not recommended. Please file a
> >     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
> >     package.
> >     Changing the "httpd_disable_trans" boolean to true will disable
> >     SELinux protection this application: "setsebool -P
> >     httpd_disable_trans=1."
> > 
> >     The following command will allow this access:
> >     setsebool -P httpd_disable_trans=1
> > 
> > Additional Information
> > 
> > Source Context                root:system_r:httpd_t:s0
> > Target Context                root:system_r:httpd_t:s0
> > Target Objects                None [ process ]
> > Affected RPM Packages         httpd-2.2.3-6.el5 [application]
> > Policy RPM                    selinux-policy-2.4.6-30.el5
> > Selinux Enabled               True
> > Policy Type                   targeted
> > MLS Enabled                   True
> > Enforcing Mode                Enforcing
> > Plugin Name                   plugins.disable_trans
> > Host Name                     testbed
> > Platform                      Linux testbed 2.6.18-8.el5 #1
> >                               SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
> > Alert Count                   2
> > Line Numbers
> > 
> > Raw Audit Messages
> > 
> > avc: denied { execstack } for comm="httpd" egid=0 euid=0
> > exe="/usr/sbin/httpd"
> > exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=15177
> > scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0
> > suid=0
> > tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
> > 
> > How am I supposed to figure out what it's unhappy about if it won't tell
> > me?
> > 
> Is there anything in the apache logs?

No.

> http://people.redhat.com/~drepper/selinux-mem.html
> 
> execstack is very rarely required and usually indicates something built
> incorrectly or a hack.
> 
> You could look for libraries/binaries that require execstack by using
> the following command
> 
> find /bin -exec execstack -q {} \;  2> /dev/null | grep ^X

That returns nothing.

I cannot find anything being logged anywhere.

I have no idea what "Unknown" is or why it won't tell me.

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************
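Dan's `find /bin -exec execstack -q` check, as an added example that is not part of the original thread: a standard-library-only equivalent that reads each ELF file's PT_GNU_STACK program header (which is what `execstack -q` reports) so it can be pointed at the directories httpd actually loads code from, module directory included. The default directory list is an assumption; pass your own on the command line.

```python
# Added example: report ELF files whose PT_GNU_STACK header requests an
# executable stack, the condition behind an SELinux "execstack" denial.
import os
import struct
import sys

PT_GNU_STACK = 0x6474E551  # p_type of the GNU stack program header
PF_X = 0x1

def gnu_stack_flag(data):
    """'X' = executable stack requested, '-' = non-executable,
    '?' = no PT_GNU_STACK header (kernel default applies), None = not ELF."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return None
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little, 2 = big endian
    # e_phoff, then (skipping e_shoff, e_flags, e_ehsize) e_phentsize and e_phnum
    fmt, at = (end + "Q14xHH", 32) if is64 else (end + "I10xHH", 28)
    phoff, phentsize, phnum = struct.unpack_from(fmt, data, at)
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + phentsize > len(data):
            return None                    # truncated program header table
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            # p_flags follows p_type in ELF64 but sits after p_memsz in ELF32
            (p_flags,) = struct.unpack_from(end + "I", data, off + (4 if is64 else 24))
            return "X" if p_flags & PF_X else "-"
    return "?"

def scan(dirs):
    """Yield (flag, path) for every ELF regular file below the given directories."""
    for top in dirs:
        for dirpath, _, names in os.walk(top):
            for name in names:
                path = os.path.join(dirpath, name)
                if os.path.islink(path) or not os.path.isfile(path):
                    continue
                try:
                    with open(path, "rb") as fh:
                        flag = gnu_stack_flag(fh.read())
                except OSError:
                    continue
                if flag is not None:
                    yield flag, path

if __name__ == "__main__":
    # Assumed defaults: where httpd and its modules live on an RHEL 5 box.
    dirs = sys.argv[1:] or ["/usr/sbin", "/usr/lib", "/usr/lib64", "/etc/httpd/modules"]
    for flag, path in scan(dirs):
        print(flag, path)                  # pipe through `grep ^X` as in the thread
```

Lines starting with `X` are the files that force the loader to ask for an executable stack; `?` marks files with no PT_GNU_STACK header at all, which on older i686 kernels also get an executable stack by default.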




More information about the fedora-selinux-list mailing list