02-17-2008, 09:28 PM
"Daniel B. Thurman"

(Re)Starting httpd reveals php pdf.so stack permission errors...

# setenforce 1  (If set to 0, no following errors are generated)
# service httpd restart
<Generates the following errors>



/etc/log/httpd/errors_log:
=================
PHP Warning:  PHP Startup: Unable to load dynamic library '/usr/lib/php/modules/pdf.so' - libpdf.so.6: cannot enable executable stack as shared object requires: Permission denied in Unknown on line 0



# ls -lZ /usr/lib/php/modules/pdf.so
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t:s0 /usr/lib/php/modules/pdf.so

# find / -xdev -name libpdf.so.6
<does not exist>



/etc/log/audit/audit_log:
===============
type=AVC msg=audit(1203285527.123:3893): avc:  denied  { execstack } for  pid=21241 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1203285527.123:3893): arch=40000003 syscall=125 success=no exit=-13 a0=bfca1000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=21241 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)



SEAlert:
=================================================
Summary
    SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" to <Unknown>
    (httpd_t).

Detailed Description
    SELinux denied access requested by /usr/sbin/httpd. It is not expected that
    this access is required by /usr/sbin/httpd and this access may signal an
    intrusion attempt. It is also possible that the specific version or
    configuration of the application is causing it to require additional access.

Allowing Access
    You can generate a local policy module to allow this access - see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.



Additional Information

Source Context                system_u:system_r:httpd_t:s0
Target Context                system_u:system_r:httpd_t:s0
Target Objects                None [ process ]
Affected RPM Packages         httpd-2.2.8-1.fc8 [application]
Policy RPM                    selinux-policy-3.0.8-84.fc8
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.catchall
Host Name                     gold.cdkkt.com
Platform                      Linux gold.cdkkt.com 2.6.23.15-137.fc8 #1 SMP Sun
                              Feb 10 17:48:34 EST 2008 i686 i686
Alert Count                   10
First Seen                    Sun 17 Feb 2008 04:50:41 AM PST
Last Seen                     Sun 17 Feb 2008 01:46:21 PM PST
Local ID                      b2d0de85-f78b-4945-8d01-1ef26660fe47
Line Numbers

Raw Audit Messages

avc: denied { execstack } for comm=httpd egid=0 euid=0 exe=/usr/sbin/httpd
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=20396
scontext=system_u:system_r:httpd_t:s0 sgid=0 subj=system_u:system_r:httpd_t:s0
suid=0 tclass=process tcontext=system_u:system_r:httpd_t:s0 tty=(none) uid=0





--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
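
Added example, not part of the original post: the SYSCALL record that shares an event id with the execstack AVC can be decoded to see what httpd actually requested. It assumes the i386 layout seen in the post (arch=40000003, where syscall 125 is mprotect and a0/a1/a2 are address, length and protection flags); the function names are hypothetical and the sample is the post's audit pair, trimmed.

```python
import re

# Constructed sample: the AVC/SYSCALL pair from the post, trimmed to the fields used here.
SAMPLE = '''type=AVC msg=audit(1203285527.123:3893): avc:  denied  { execstack } for  pid=21241 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1203285527.123:3893): arch=40000003 syscall=125 success=no exit=-13 a0=bfca1000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=1 pid=21241 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
'''
AUDIT_ARCH_I386 = 0x40000003  # arch= value for 32-bit x86
MPROTECT_I386 = 125           # mprotect(2) syscall number on i386
PROT_BITS = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
             (0x01000000, "PROT_GROWSDOWN")]
EVENT_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$")
PERMS_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_prot(value):
    """Turn an mprotect prot bitmask into symbolic flag names."""
    names = [name for bit, name in PROT_BITS if value & bit]
    return "|".join(names) or "PROT_NONE"

def explain_execstack(log_text):
    """Join AVC and SYSCALL records by event id; decode mprotect for execstack denials."""
    events = {}
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        rec = events.setdefault(event_id, {})
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        if rtype == "AVC":
            perms = PERMS_RE.search(body)
            rec["perms"] = perms.group(1).split() if perms else []
            rec["domain"] = fields.get("scontext")
        elif rtype == "SYSCALL":
            rec["syscall"] = fields
    findings = []
    for event_id, rec in events.items():
        sc = rec.get("syscall")
        if "execstack" not in rec.get("perms", []) or sc is None:
            continue
        if int(sc["arch"], 16) != AUDIT_ARCH_I386 or int(sc["syscall"]) != MPROTECT_I386:
            continue  # the a0/a1/a2 meaning below only holds for i386 mprotect
        findings.append({"event": event_id, "exe": sc["exe"], "domain": rec["domain"],
                         "addr": int(sc["a0"], 16), "length": int(sc["a1"], 16),
                         "prot": decode_prot(int(sc["a2"], 16))})
    return findings

if __name__ == "__main__":
    print(explain_execstack(SAMPLE))
```

For the record in the post this yields a one-page mprotect at 0xbfca1000 requesting PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN, which is a request to make the process stack executable and matches the "cannot enable executable stack" loader message in the PHP warning.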
 
