02-23-2009, 04:53 PM
John Oliver

selinux denying access to "unknown"

System is a fresh install of RHEL 5.2

[root@testbed ~]# service httpd start
Starting httpd: [FAILED]

[root@testbed ~]# tail -1 /var/log/messages
Feb 23 17:33:34 testbed setroubleshoot: SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0

[root@testbed ~]# sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0
Summary
SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t).

Detailed Description
SELinux denied access requested by /usr/sbin/httpd. It is not expected that this access is required by /usr/sbin/httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown>. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "httpd_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P httpd_disable_trans=1."

The following command will allow this access:
setsebool -P httpd_disable_trans=1

Additional Information

Source Context                root:system_r:httpd_t:s0
Target Context                root:system_r:httpd_t:s0
Target Objects                None [ process ]
Affected RPM Packages         httpd-2.2.3-6.el5 [application]
Policy RPM                    selinux-policy-2.4.6-30.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.disable_trans
Host Name                     testbed
Platform                      Linux testbed 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
Alert Count                   2
Line Numbers

Raw Audit Messages

avc: denied { execstack } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=15177 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0

How am I supposed to figure out what it's unhappy about if it won't tell
me?

--
John Oliver  http://www.john-oliver.net/

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
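The raw audit record answers the "<Unknown>" question better than the sealert summary does. What follows is an added example, not part of the original thread: it parses the AVC line John posted (re-joined onto one line) and checks the three things that make the target the process itself rather than a file: tclass=process, a target context identical to the source context, and no path=, name= or inode field in the record. The hint table for execstack/execmem/execheap is the example's own summary of the process-class memory permissions; it assumes Python 3.

```python
"""Decode a raw AVC record and say what the "<Unknown>" target really is.

Added example, not part of the original thread. SAMPLE_AVC is John's raw
audit message re-joined onto one line; the hint table is this example's own
and covers only the memory-protection permissions of the process class.
"""
import re

SAMPLE_AVC = (
    'avc: denied { execstack } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" '
    'exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=15177 scontext=root:system_r:httpd_t:s0 '
    'sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=process '
    'tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0'
)

# Process-class permissions that guard memory protections (see the selinux-mem
# page cited in the thread). None of them names a file, so there is nothing to relabel.
PROCESS_MEM_PERMS = {
    "execstack": "make its own stack executable, e.g. glibc doing so on behalf of a "
                 "binary or shared object whose PT_GNU_STACK header is marked RWE",
    "execmem":   "map memory that is writable and executable at the same time",
    "execheap":  "make its heap executable",
}

AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')   # key="quoted", key=(none) or key=bare


def parse_avc(line):
    """Return the AVC record as a dict: result, perms (list) and every key=value field."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record: %r" % line)
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    return rec


def target_is_self(rec):
    """True when the object of the check is the subject process itself: class
    'process', identical source and target contexts, and no path/name/inode field.
    setroubleshoot renders such a target as <Unknown> / 'None [ process ]'."""
    return (rec.get("tclass") == "process"
            and rec.get("scontext") == rec.get("tcontext")
            and not any(k in rec for k in ("path", "name", "ino", "dev")))


def explain(rec):
    """Human-readable reading of the record, as a list of lines."""
    who = rec.get("exe") or rec.get("comm", "?")
    out = ["%s (%s) was %s { %s } on class %s" % (
        who, rec.get("scontext"), rec["result"], " ".join(rec["perms"]), rec.get("tclass"))]
    if target_is_self(rec):
        out.append("Target is the process itself, not a file: restorecon cannot apply; "
                   "look at what the process mapped or mprotect()ed instead.")
    for perm in rec["perms"]:
        if perm in PROCESS_MEM_PERMS:
            out.append("%s: the process tried to %s" % (perm, PROCESS_MEM_PERMS[perm]))
    return out


if __name__ == "__main__":
    print("\n".join(explain(parse_avc(SAMPLE_AVC))))
```

Feed it the line from /var/log/audit/audit.log (or the "Raw Audit Messages" block of sealert) rather than the setroubleshoot summary; the summary drops exactly the fields (tclass, tcontext, absent path=) that tell you the target is the process.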
 
02-23-2009, 05:18 PM
Daniel J Walsh

selinux denying access to "unknown"

John Oliver wrote:
> How am I supposed to figure out what it's unhappy about if it won't tell
> me?
>
Is there anything in the apache logs?

http://people.redhat.com/~drepper/selinux-mem.html

execstack is very rarely required and usually indicates something built
incorrectly or a hack.

You could look for libraries/binaries that require execstack by using
the following command

find /bin -exec execstack -q {} \; 2> /dev/null | grep ^X



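The find above only covers /bin, and execstack -q needs the prelink package. The following is an added example, not code from the thread, that re-implements the same check in pure Python: it reads each ELF file's program headers and reports the PT_GNU_STACK flags the way execstack -q does ('X' executable, '-' not, '?' no PT_GNU_STACK header at all). An executable-stack marking matters for httpd because glibc, when it loads a shared object carrying that marking, makes the running process's stack executable with mprotect(), and that is the operation the execstack permission on httpd_t gates. The directory list is an assumption for a 32-bit RHEL 5 box (httpd's DSO modules live under /usr/lib/httpd/modules there); the ELF images built by make_elf32 are constructed test input, and the script assumes Python 3.

```python
"""Find ELF objects that ask for an executable stack, which is what the
`execstack` process permission guards.

Added example, not part of the original thread. It re-implements the check
that `execstack -q` (prelink package) performs, in pure Python, and scans the
places httpd loads code from rather than /bin. The directory list is an
assumption for a 32-bit RHEL 5 box; adjust it for your layout.
"""
import os
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551          # program header that describes the stack's permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits

# Where an Apache process on RHEL 5 (i386) maps code from (assumed paths).
HTTPD_CODE_DIRS = ["/usr/sbin/httpd", "/usr/lib/httpd/modules", "/usr/lib"]


def stack_status(data):
    """Classify an ELF image the way `execstack -q` prints it:
    'X' = PT_GNU_STACK present and executable, '-' = present and not executable,
    '?' = no PT_GNU_STACK at all (kernels of the 2.6.18 era then default to an
    executable stack). Raises ValueError for non-ELF input."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    end = "<" if ei_data == 1 else ">"          # ELFDATA2LSB or ELFDATA2MSB
    if ei_class == 1:                           # ELF32: e_phoff@0x1c, e_phentsize/e_phnum@0x2a
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        ph_fmt, flags_idx = end + "IIIIIIII", 6   # p_flags is the 7th field of Elf32_Phdr
    elif ei_class == 2:                         # ELF64: e_phoff@0x20, e_phentsize/e_phnum@0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        ph_fmt, flags_idx = end + "IIQQQQQQ", 1   # p_flags is the 2nd field of Elf64_Phdr
    else:
        raise ValueError("unknown EI_CLASS %d" % ei_class)
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            return "X" if ph[flags_idx] & PF_X else "-"
    return "?"


def scan(paths):
    """Yield (status, path) for every ELF file found at or under each path."""
    for root in paths:
        candidates = [root] if os.path.isfile(root) else (
            os.path.join(d, f) for d, _, fs in os.walk(root) for f in fs)
        for p in candidates:
            try:
                with open(p, "rb") as fh:
                    data = fh.read()
                yield stack_status(data), p
            except (OSError, ValueError, struct.error):
                continue    # unreadable, not ELF, or truncated: not interesting here


def make_elf32(ptype, pflags):
    """Build a minimal little-endian ELF32 image with one program header.
    Constructed test input for this example, not a real binary."""
    e_ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # ELF32, LE, version 1, SYSV ABI
    # e_type=ET_DYN, e_machine=EM_386, e_version, e_entry, e_phoff=52, e_shoff, e_flags,
    # e_ehsize=52, e_phentsize=32, e_phnum=1, e_shentsize, e_shnum, e_shstrndx
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
    phdr = struct.pack("<IIIIIIII", ptype, 0, 0, 0, 0, 0, pflags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    # Sanity-check the parser on constructed images, then scan the real tree.
    assert stack_status(make_elf32(PT_GNU_STACK, PF_R | PF_W | PF_X)) == "X"
    assert stack_status(make_elf32(PT_GNU_STACK, PF_R | PF_W)) == "-"
    for status, path in scan(sys.argv[1:] or HTTPD_CODE_DIRS):
        if status != "-":
            print(status, path)
```

Run it as root with no arguments, or pass the directories you care about; every 'X' (and, on a 2.6.18 kernel, every '?') is a candidate for what made httpd's stack executable, and the usual cause is an object linked from assembly that lacks a .note.GNU-stack section, or something built with an old or hand-rolled toolchain. Resist the audit2allow route (grep execstack /var/log/audit/audit.log | audit2allow -M local; semodule -i local.pp): that permanently grants httpd_t an executable stack, which is exactly the protection the denial is enforcing.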
 
02-26-2009, 08:18 PM
John Oliver

selinux denying access to "unknown"

On Mon, Feb 23, 2009 at 01:18:34PM -0500, Daniel J Walsh wrote:
> Is there anything in the apache logs?

No.

> http://people.redhat.com/~drepper/selinux-mem.html
>
> execstack is very rarely required and usually indicates something built
> incorrectly or a hack.
>
> You could look for libraries/binaries that require execstack by using
> the following command
>
> find /bin -exec execstack -q {} \; 2> /dev/null | grep ^X

That returns nothing.

I cannot find anything being logged anywhere.

I have no idea what "Unknown" is or why it won't tell me.


 
