
selinux issue



I know jack-diddly about selinux.  Up until now, I've simply disabled it
each time I ran into a headache like this.  I'm having this issue on a
RHEL5.3 machine.  The problem does not show up on several existing
RHEL5.2 machines... I don't know if that's because my predecessor knew
the magic recipe, or because of some difference between 5.2 and 5.3.

[root@localhost ~]# service httpd start
Starting httpd: httpd: Syntax error on line 209 of
/etc/httpd/conf/httpd.conf: Syntax error on line 1 of
/etc/httpd/conf.d/valicert.conf: Cannot load
/etc/httpd/modules/vcapache.so into server:
/etc/httpd/modules/vcapache.so: cannot enable executable stack as shared
object requires: Permission denied
[FAILED]

[root@localhost ~]# tail -2 /var/log/messages
Feb 9 12:59:54 localhost setroubleshoot: SELinux is preventing httpd
(httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux
messages. run sealert -l d41f81b1-555f-4992-be21-4e4ac141f620
Feb 9 13:03:10 localhost setroubleshoot: SELinux is preventing httpd
(httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux
messages. run sealert -l 072e94cc-778b-44a7-b407-ea6616385489

[root@localhost ~]# sealert -l 072e94cc-778b-44a7-b407-ea6616385489

Summary:

SELinux is preventing httpd (httpd_t) "execstack" to <Unknown>
(httpd_t).

Detailed Description:

SELinux denied access requested by httpd. It is not expected that this access is
required by httpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can
disable SELinux protection altogether. Disabling SELinux protection is
not recommended.
Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this
package.

Additional Information:

Source Context root:system_r:httpd_t
Target Context root:system_r:httpd_t
Target Objects None [ process ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages httpd-2.2.3-22.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.18-128.el5 #1 SMP
Wed Dec 17 11:42:39 EST 2008 i686 i686
Alert Count 1
First Seen Mon Feb 9 13:03:09 2009
Last Seen Mon Feb 9 13:03:09 2009
Local ID 072e94cc-778b-44a7-b407-ea6616385489
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc:
denied { execstack } for pid=2957 comm="httpd"
scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0
tclass=process

host=localhost.localdomain type=SYSCALL msg=audit(1234184589.996:31):
arch=40000003 syscall=125 success=no exit=-13 a0=bf80d000 a1=1000
a2=1000007 a3=fffff000 items=0 ppid=2956 pid=2957 auid=0 uid=0 gid=0
euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="httpd"
exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)






How do I make this particular module work? If I do an "ls -Z" on
/etc/httpd/modules/ it has the same permissions as every other module...

-rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_vhost_alias.so
-rwxr-xr-x root root system_u:object_r:httpd_modules_t vcapache.so

-- 
***********************************************************************
* John Oliver                             http://www.john-oliver.net/ *
*                                                                     *
***********************************************************************

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
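
Added example, not part of the original message or of any SELinux tool: it joins the AVC and SYSCALL records quoted above and decodes the call, showing that the denied operation is an mprotect() requesting a read/write/execute, grows-down mapping, which matches httpd's "cannot enable executable stack" error for vcapache.so. The function names are hypothetical, and the lookup tables are assumptions taken from the Linux kernel headers that cover only the values in this event.

```python
import errno
import re

# Constructed input: the two raw audit records quoted in the message, unwrapped;
# the uid/gid/tty fields of the SYSCALL record are left out for brevity.
AVC = ('host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc: '
       'denied { execstack } for pid=2957 comm="httpd" '
       'scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 '
       'tclass=process')
SYSCALL = ('host=localhost.localdomain type=SYSCALL msg=audit(1234184589.996:31): '
           'arch=40000003 syscall=125 success=no exit=-13 a0=bf80d000 a1=1000 '
           'a2=1000007 a3=fffff000 items=0 ppid=2956 pid=2957 comm="httpd" '
           'exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)')

# Assumed values from the Linux kernel headers, limited to what this event needs.
ARCH = {0x40000003: "i386"}                      # AUDIT_ARCH_I386
SYSCALLS = {("i386", 125): "mprotect"}
PROT = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
        (0x01000000, "PROT_GROWSDOWN")]

def fields(record):
    """Split one audit record into a dict of its key=value pairs."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def decode_prot(value):
    """Name the mprotect() protection bits set in value."""
    names = [name for bit, name in PROT if value & bit]
    unknown = value & ~sum(bit for bit, _ in PROT)
    return names + ([hex(unknown)] if unknown else [])

def explain(avc, syscall):
    """Join an AVC denial with its SYSCALL record and decode the call."""
    a, s = fields(avc), fields(syscall)
    if a["msg"] != s["msg"]:        # same timestamp:serial means same event
        raise ValueError("records are from different audit events")
    arch = ARCH.get(int(s["arch"], 16), s["arch"])
    return {
        "denied": re.search(r"denied\s+\{([^}]*)\}", avc).group(1).split(),
        "domain": a["scontext"].split(":")[2],
        "syscall": SYSCALLS.get((arch, int(s["syscall"])), s["syscall"]),
        "address": int(s["a0"], 16),
        "length": int(s["a1"], 16),
        "prot": decode_prot(int(s["a2"], 16)),
        "error": errno.errorcode[-int(s["exit"])],
    }

if __name__ == "__main__":
    print(explain(AVC, SYSCALL))
```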
