FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora SELinux Support

 
 
LinkBack Thread Tools
 
Old 07-10-2008, 12:47 AM
Dan Thurman
 
Default Problems with mod_mono on httpd

The issue relates to using the mod_mono module (I think):

Jul 9 17:28:31 bronze kernel: mono[8896]: segfault at 0 ip 08069d02 sp
bf8a6540 error 6 in mono[8047000+1f4000]
Jul 9 17:28:32 bronze setroubleshoot: SELinux is preventing mono
(httpd_t) "execmem" to <Unknown> (httpd_t). For complete SELinux
messages. run sealert -l 2cb69eb1-baf7-4631-936c-9f6c80436e2e
Jul 9 17:28:32 bronze setroubleshoot: SELinux is preventing mono
(httpd_t) "execmem" to <Unknown> (httpd_t). For complete SELinux
messages. run sealert -l 2cb69eb1-baf7-4631-936c-9f6c80436e2e


# sealert -l 2cb69eb1-baf7-4631-936c-9f6c80436e2e
==========================================
Summary:

SELinux is preventing mono (httpd_t) "execmem" to <Unknown> (httpd_t).

Detailed Description:

SELinux denied access requested by mono. It is not expected that this
access is

required by mono and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
disable
SELinux protection altogether. Disabling SELinux protection is not
recommended.

Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
against this package.

Additional Information:

Source Context system_u:system_r:httpd_t:s0
Target Context system_u:system_r:httpd_t:s0
Target Objects None [ process ]
Source mono
Source Path /usr/bin/mono
Port <Unknown>
Host bronze.cdkkt.com
Source RPM Packages mono-core-1.9.1-2.fc9
Target RPM Packages
Policy RPM selinux-policy-3.3.1-74.fc9

Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name bronze.cdkkt.com
Platform Linux bronze.cdkkt.com
2.6.25.9-76.fc9.i686 #1 SMP

Fri Jun 27 16:14:35 EDT 2008 i686 i686
Alert Count 26
First Seen Tue Jul 8 16:54:41 2008
Last Seen Wed Jul 9 17:28:31 2008
Local ID 2cb69eb1-baf7-4631-936c-9f6c80436e2e
Line Numbers

Raw Audit Messages

host=bronze.cdkkt.com type=AVC msg=audit(1215649711.436:45): avc:
denied { execmem } for pid=8896 comm="mono"
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:system_r:httpd_t:s0 tclass=process


host=bronze.cdkkt.com type=SYSCALL msg=audit(1215649711.436:45):
arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=10000
a2=7 a3=22 items=0 ppid=1 pid=8896 auid=4294967295 uid=48 gid=48 euid=48
suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
comm="mono" exe="/usr/bin/mono" subj=system_u:system_r:httpd_t:s0 key=(null)


How can I fix this please?
Dan

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
Old 07-10-2008, 03:33 PM
Daniel J Walsh
 
Default Problems with mod_mono on httpd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan Thurman wrote:
> The issue relates to using the mod_mono module (I think):
>
> Jul 9 17:28:31 bronze kernel: mono[8896]: segfault at 0 ip 08069d02 sp
> bf8a6540 error 6 in mono[8047000+1f4000]
> Jul 9 17:28:32 bronze setroubleshoot: SELinux is preventing mono
> (httpd_t) "execmem" to <Unknown> (httpd_t). For complete SELinux
> messages. run sealert -l 2cb69eb1-baf7-4631-936c-9f6c80436e2e
> Jul 9 17:28:32 bronze setroubleshoot: SELinux is preventing mono
> (httpd_t) "execmem" to <Unknown> (httpd_t). For complete SELinux
> messages. run sealert -l 2cb69eb1-baf7-4631-936c-9f6c80436e2e
>
> # sealert -l 2cb69eb1-baf7-4631-936c-9f6c80436e2e
> ==========================================
> Summary:
>
> SELinux is preventing mono (httpd_t) "execmem" to <Unknown> (httpd_t).
>
> Detailed Description:
>
> SELinux denied access requested by mono. It is not expected that this
> access is
> required by mono and this access may signal an intrusion attempt. It is
> also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can
> disable
> SELinux protection altogether. Disabling SELinux protection is not
> recommended.
> Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context system_u:system_r:httpd_t:s0
> Target Context system_u:system_r:httpd_t:s0
> Target Objects None [ process ]
> Source mono
> Source Path /usr/bin/mono
> Port <Unknown>
> Host bronze.cdkkt.com
> Source RPM Packages mono-core-1.9.1-2.fc9
> Target RPM Packages Policy RPM
> selinux-policy-3.3.1-74.fc9
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name catchall
> Host Name bronze.cdkkt.com
> Platform Linux bronze.cdkkt.com
> 2.6.25.9-76.fc9.i686 #1 SMP
> Fri Jun 27 16:14:35 EDT 2008 i686 i686
> Alert Count 26
> First Seen Tue Jul 8 16:54:41 2008
> Last Seen Wed Jul 9 17:28:31 2008
> Local ID 2cb69eb1-baf7-4631-936c-9f6c80436e2e
> Line Numbers
> Raw Audit Messages
> host=bronze.cdkkt.com type=AVC msg=audit(1215649711.436:45): avc:
> denied { execmem } for pid=8896 comm="mono"
> scontext=system_u:system_r:httpd_t:s0
> tcontext=system_u:system_r:httpd_t:s0 tclass=process
>
> host=bronze.cdkkt.com type=SYSCALL msg=audit(1215649711.436:45):
> arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=10000
> a2=7 a3=22 items=0 ppid=1 pid=8896 auid=4294967295 uid=48 gid=48 euid=48
> suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295
> comm="mono" exe="/usr/bin/mono" subj=system_u:system_r:httpd_t:s0
> key=(null)
>
> How can I fix this please?
> Dan
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
You can add it using audit2allow

# grep http /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkh2K9IACgkQrlYvE4MpobPCzwCglYTzWFBP4P hbYBTtAjbVtvMy
sZwAmgPtHe6O1Uub3w41R43SqLaslLlt
=K5F9
-----END PGP SIGNATURE-----

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 

Thread Tools




All times are GMT. The time now is 04:58 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org