On Tue, 2009-05-05 at 16:29 -0700, John Oliver wrote:
I had this problem weeks and weeks ago:
[root@mda-vm1h ~]# service httpd configtest
httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load /etc/httpd/modules/vcapache.so into server: /etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc: Permission denied
I solved it by creating an selinux module and "baking" it into my kickstart. Built many machines, all worked perfectly.
Now, I have three virtual machines I installed with the same kickstart, and I'm getting the same problem.
[root@mda-vm1h ~]# ls -lZ /etc/httpd/modules/vcapache.so
-rwxr-xr-x root root system_u:object_r:httpd_modules_t /etc/httpd/modules/vcapache.so

type=AVC msg=audit(1241564879.792:4671): avc: denied { execheap } for pid=28957 comm="httpd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
type=SYSCALL msg=audit(1241564879.792:4671): arch=40000003 syscall=125 success=no exit=-13 a0=ffa000 a1=1b8000 a2=5 a3=bf8b7eb0 items=0 ppid=28953 pid=28957 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="httpd" exe="/usr/sbin/httpd" subj=user_u:system_r:initrc_t:s0 key=(null)

[root@mda-vm1h ~]# semodule -l
amavis 1.1.0
ccs 1.0.0
clamav 1.1.0
dcc 1.1.0
evolution 1.1.0
iscsid 1.0.0
mozilla 1.1.0
mplayer 1.1.0
nagios 1.1.0
oddjob 1.0.1
pcscd 1.0.0
pyzor 1.1.0
razor 1.1.0
ricci 1.0.0
smartmon 1.1.0
valicert 1.0
There it is, at the end. I removed and reinstalled it with no effect. It's data, so I can't cat it out, but that module worked... unless this is some new, different problem.
Is there more magic sauce that has to be added?
The first one looks like it was an execmod denial rather than an execheap denial, offhand. So I suspect this may be a new denial rather than the same old one. If you generate a module for it via audit2allow -M and insert that, does it still recur?
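
An added example, not part of the thread or of anyone's posted code: a small Python parser that reduces AVC denials to (source type, target type, class, permission) and reports which of them an already-installed module does not cover, which is the execmod versus execheap distinction the reply draws. The execmod record and the contents of the earlier module are assumptions made for illustration; the thread shows neither.

```python
import re

# First line: the AVC part of the record quoted in the thread.
# Second line: CONSTRUCTED execmod record (the thread never shows the old denial).
SAMPLE_LOG = """\
type=AVC msg=audit(1241564879.792:4671): avc: denied { execheap } for pid=28957 comm="httpd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
type=AVC msg=audit(1241500000.000:1): avc: denied { execmod } for pid=100 comm="httpd" path="/etc/httpd/modules/vcapache.so" scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_modules_t:s0 tclass=file
"""

# HYPOTHETICAL contents of the earlier "valicert" module: an assumption,
# since the thread does not show what that module allows.
ASSUMED_MODULE = {("httpd_t", "httpd_modules_t", "file"): {"execmod"}}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

def se_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Map (source type, target type, class) -> set of denied permissions."""
    denials = {}
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            key = (se_type(m["scon"]), se_type(m["tcon"]), m["tclass"])
            denials.setdefault(key, set()).update(m["perms"].split())
    return denials

def uncovered(denials, allowed):
    """Keep only the permissions that no rule in `allowed` grants."""
    gaps = {k: perms - allowed.get(k, set()) for k, perms in denials.items()}
    return {k: p for k, p in gaps.items() if p}

def to_rules(denials):
    """Render allow rules in the style audit2allow prints them."""
    rules = []
    for (src, tgt, cls), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        names = sorted(perms)
        body = names[0] if len(names) == 1 else "{ " + " ".join(names) + " }"
        rules.append(f"allow {src} {target}:{cls} {body};")
    return rules

if __name__ == "__main__":
    for rule in to_rules(uncovered(parse_denials(SAMPLE_LOG), ASSUMED_MODULE)):
        print(rule)
```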