04-09-2010, 11:36 AM
Shintaro Fujiwara

execstack and execmem

Hi, I have recently been working on an F12 web server and I got httpd_t execstack
and execmem.
Can I allow those?
The server I'm working on right now is a test server which has all the
contents copied from FC6, which I have moved to permissive mode for
half a year.
I have not read a log at all on the FC6 server.
I'm trying to move all the contents that I have now on F12.
I already succeeded with another web server which has no script stuff, so
the problem may be caused by the script which I have written for certain
web pages.

The server I'm working on I can't touch for a couple of days, but some script I
wrote wants to do that, I guess.
The script still has the type httpd_sys_content_t, so that may be a problem.
Yes, it's in the documentroot of Apache.

Maybe I should put the script outside of documentroot or label it as something
other than httpd stuff with local.pp.

I did not have time to read that thoroughly, but I can report on Monday.

I will report on this matter until I get the right answer and I run the
server right.

Thanks in advance.
-------------------------------------------
segatex--SELinux tool

http://sourceforge.net/projects/segatex/
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
04-09-2010, 11:55 AM
Dominick Grift

execstack and execmem

On Fri, Apr 09, 2010 at 08:36:39PM +0900, Shintaro Fujiwara wrote:
> Hi, I have recently been working on an F12 web server and I got httpd_t execstack
> and execmem.
> Can I allow those?
> The server I'm working on right now is a test server which has all the
> contents copied from FC6, which I have moved to permissive mode for
> half a year.
> I have not read a log at all on the FC6 server.
> I'm trying to move all the contents that I have now on F12.
> I already succeeded with another web server which has no script stuff, so
> the problem may be caused by the script which I have written for certain
> web pages.
>
> The server I'm working on I can't touch for a couple of days, but some script I
> wrote wants to do that, I guess.
> The script still has the type httpd_sys_content_t, so that may be a problem.
> Yes, it's in the documentroot of Apache.
>
> Maybe I should put the script outside of documentroot or label it as something
> other than httpd stuff with local.pp.
>
> I did not have time to read that thoroughly, but I can report on Monday.
>
> I will report on this matter until I get the right answer and I run the
> server right.

Could you enclose avc denials of the particular events please? You may have mislabelled files, as you suggested yourself.

 
04-09-2010, 01:35 PM
Shintaro Fujiwara

execstack and execmem

Thanks, Dominick.

I will report on this matter to you on Monday evening JST.
The server is in my office and I can't read the log.

On Monday, I will fix this problem and try to silence the log in a
proper manner.

But I will report this.

I believe this kind of thing, say, writing your own script stuff,
will happen on an ordinary system and SELinux labeling should be proper,
but by default, when I restorecon -R /var/www/html, the label would be
httpd_t or such, so I say to myself, when I write a script, I should
either label it differently in a clean SELinux manner or I should copy
it to /etc or wherever the script should work right and move it.

This kind of thing should be common sense, like the gurus say, but on an
ordinary system an ordinary admin like me makes mistakes
easily and wonders why this kind of log, you know, execmem or execstack,
emerges.

So the best conclusion would be, if SELinux is wise enough, SELinux
reads the code of my script and labels it automatically.
Hey, you fool, don't label this and that, kind of thing, you know.

But, as you pointed out, I have some clue in this, so I will work on
that as soon as I can get back to my new server.

Thanks.


Admin, Signal School Intranet, GSDF Japan


-------------------------------------------
segatex--SELinux tool

http://sourceforge.net/projects/segatex/





--
http://intrajp.no-ip.com/ Home Page
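
As an added example (not part of the original thread), here is one way to collect the AVC denials Dominick asks for: a shell function that counts execmem and execstack denials per command for one source domain. The function names and the sample audit records are constructed for illustration; on a live host the input would come from the audit log.

```shell
#!/bin/sh
# Added example: count execmem/execstack AVC denials for one source domain.
# On a live host, feed it the audit log instead of the sample, e.g.
#   ausearch -m avc -c httpd | summarize_exec_denials httpd_t

# Constructed sample audit records (not taken from the server in the thread).
sample_audit_lines() {
    cat <<'EOF'
type=AVC msg=audit(1270812999.101:41): avc:  denied  { execstack } for  pid=2101 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1270812999.101:41): avc:  denied  { execmem } for  pid=2101 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1270813050.220:57): avc:  denied  { execmem } for  pid=2140 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1270813051.004:58): avc:  denied  { read } for  pid=2140 comm="httpd" name="index.html" dev=dm-0 ino=1234 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1270813100.500:63): avc:  denied  { execmem } for  pid=3000 comm="java" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
EOF
}

# $1 = source domain type to keep (e.g. httpd_t); audit text on stdin.
# Output: one line per (permission, command, domain): "<count> <perm> <comm> <type>"
summarize_exec_denials() {
    awk -v want="$1" '
    /avc:[ ]+denied/ && /tclass=process/ {
        perms = ""; comm = "?"; stype = "?"
        # The denied permissions sit between the braces.
        if (match($0, /[{][^}]*[}]/))
            perms = substr($0, RSTART + 1, RLENGTH - 2)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            # scontext is user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }
        }
        if (stype != want) next
        n = split(perms, p, " ")
        for (j = 1; j <= n; j++)
            if (p[j] == "execmem" || p[j] == "execstack")
                count[p[j] " " comm " " stype]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

sample_audit_lines | summarize_exec_denials httpd_t
```

Checking labels afterwards with `ls -Z` and `restorecon -n -v` shows whether files differ from the policy default without changing them.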