execstack and execmem

Shintaro Fujiwara shintaro.fujiwara at gmail.com
Fri Apr 9 13:35:58 UTC 2010


Thanks, Dominick.

I will report on this matter to you on Monday evening JST.
The server is in my office and I can't read the log.

On Monday, I will fix this problem and try to silence the log in a
proper manner.

But I will report this.

I believe this kind of thing, say, writing your own scripts and such,
will happen on an ordinary system and SELinux labeling should be proper,
but by default, when I restorecon -R /var/www/html , the label would be
httpd_t or such, so I say to myself, when I write a script, I should
either label it differently in a clean SELinux manner or I should copy
it in /etc or wherever the script should work right and move it.

This kind of thing should be common sense, like the gurus say, but on an
ordinary system an ordinary admin like me makes mistakes
easily and wonders why this kind of log, you know, execmem or execstack,
emerges.

So the best conclusion would be, if SELinux is wise enough, SELinux
reads the code of my script and label it automatically.
Hey, you fool, don't label this and that, that kind of thing, you know.

But, as you pointed out, I have some clue in this so, I will work on
that as soon as I could get back to my new server.

Thanks.


Admin, Signal School Intranet, GSDF Japan


-------------------------------------------
segatex--SELinux tool

http://sourceforge.net/projects/segatex/


2010/4/9 Dominick Grift <domg472 at gmail.com>:
> On Fri, Apr 09, 2010 at 08:36:39PM +0900, Shintaro Fujiwara wrote:
>> Hi, I'm recently working on F12 web server and I got httpd_t execstack
>> and execmem.
>> Can I allow those ?
>> The server I'm working on right now is a test server which has copied
>> all the contents from FC6 which I have moved on permissive mode for
>> half a year.
>> I have not read a log at all on FC6 server.
>> I'm trying to move all the contents that I have now on F12.
>> I already succeeded with another web server which has no script stuff so
>> the problem may be caused by the script which I have written for certain
>> web-pages.
>>
>> The server I'm working I can't touch couple of days, but some script I
>> wrote wants to do that, I guess.
>> The script has a type httpd_sys_content_t still, so that may be a problem.
>> Yes, it's in the documentroot of Apache.
>>
>> Maybe I should put the script outside of documentroot or label other
>> than httpd stuff with local.pp.
>>
>> I did not have time to read that thoroughly, but I can report on Monday.
>>
>> I will report this matter till I get the right answer and I run the
>> server right.
>
> Could you enclose avc denials of the particular events please? You may have mislabelled files, as you suggested yourself.
>
>>
>> Thanks in advance.
>> --
>> selinux mailing list
>> selinux at lists.fedoraproject.org
>> https://admin.fedoraproject.org/mailman/listinfo/selinux



-- 
http://intrajp.no-ip.com/ Home Page

