Ubaidul Khan wrote:
> Hello,
> We are running RHEL 5 x86_64 and I compiled php from Source RPM, so I
> could link php with the Oracle Instant Client Libraries (OCI). OCI is
> installed under /opt with the following contexts:
> # ls -lZ
> drwxr-xr-x root root system_u:object_r:usr_t oracle
> [root@saleen_webvm1 instant-client-10.1]# pwd
> /opt/oracle/app/instant-client-10.1
> [root@saleen_webvm1 instant-client-10.1]# ls -alZ
> drwxr-xr-x root root system_u:object_r:usr_t .
> drwxr-xr-x root root system_u:object_r:usr_t ..
> -rw-r--r-- root root system_u:object_r:usr_t classes12.jar
> drwxr-xr-x root root system_u:object_r:usr_t docs
> -rw-r--r-- root root system_u:object_r:usr_t glogin.sql
> lrwxrwxrwx root root system_u:object_r:usr_t libclntsh.so
> -rwxr-xr-x root root system_u:object_r:usr_t libclntsh.so.10.1
> -rwxr-xr-x root root system_u:object_r:usr_t libnnz10.so
> lrwxrwxrwx root root system_u:object_r:usr_t libocci.so
> -rwxr-xr-x root root system_u:object_r:usr_t libocci.so.10.1
> -rwxr-xr-x root root system_u:object_r:usr_t libociei.so
> -rwxr-xr-x root root system_u:object_r:usr_t libocijdbc10.so
> -rwxr-xr-x root root system_u:object_r:usr_t libsqlplus.so
> -rw-r--r-- root root system_u:object_r:usr_t ojdbc14.jar
> -rw-r--r-- root root system_u:object_r:usr_t README_IC.htm
> drwxr-xr-x root root system_u:object_r:usr_t sdk
> -rwxr-xr-x root root system_u:object_r:usr_t sqlplus
> -rw-r--r-- root root system_u:object_r:usr_t tnsnames.ora
> When I try to start apache, I get some errors in audit.log and apache
> fails to start.
> type=AVC msg=audit(1186086032.546:60): avc: denied { execstack } for
> pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:system_r:httpd_t:s0 tclass=process
> type=SYSCALL msg=audit(1186086032.546:60): arch=c000003e syscall=10
> success=no exit=-13 a0=7fff9c992000 a1=1000 a2=1000007 a3=4 items=0
> ppid=2851 pid=2852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC msg=audit(1186088202.755:61): avc: denied { execute } for
> pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819
> scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0
> tclass=file
> type=SYSCALL msg=audit(1186088202.755:61): arch=c000003e syscall=9
> success=no exit=-13 a0=0 a1=ec0b08 a2=5 a3=802 items=0 ppid=2880
> pid=2881 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> subj=user_u:system_r:httpd_t:s0 key=(null)
> type=AVC_PATH msg=audit(1186088202.755:61):
> path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"
> audit2allow is telling me to add the following rules:
> # audit2allow < audit.log
> allow httpd_t self:process execstack;
> allow httpd_t usr_t:file execute;
> My questions/concerns are the following:
> 1. What risks do I incur by making the process stack executable?
It will incur security risks, such as buffer overflow.
Stack memory is not executable on most OSes these days, and
will not change.
You can first use execstack to check whether your program
really needs an executable stack (you must have prelink first):
for example:
# execstack -q /usr/lib/vmware/lib/libart_lgpl_2.so.2/libart_lgpl_2.so.2
X libart_lgpl_2.so.2
and use execstack to remove the p_flags field of the PT_GNU_STACK header
entry, and run the program to see whether it really needs the stack to be
executable:
execstack -c libart_lgpl_2.so.2
If yes, you can also use a boolean to allow the stack to be executed:
setsebool [-P] allow_execstack 1
This will make all program stacks executable, and there are also:
allow_java_execstack, allow_mplayer_execstack
If you use these booleans, you will not need to write policy for an executable
stack.
> 2. If I am reading the second rule correctly, it's asking to allow
> httpd_t to execute user_t files?
I wonder why your libraries are usr_t, not lib_t. If your libs are
lib_t, httpd_t can execute those files.
> Thanks for your help
--
fedora-selinux-list mailing list
fedora-selinux-list(a)redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
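Added example (not from the thread, and not code from any SELinux or prelink tool): a small Python script that triages the two AVC records quoted above and inspects what `execstack -q` / `execstack -c` read and change, the PT_GNU_STACK program header of a shared object. The audit lines are the thread's own, rejoined onto one line per record; the ELF images are constructed in the script. In the first record the SYSCALL line shows syscall 10 (mprotect on x86_64) asking for PROT_READ|PROT_WRITE|PROT_EXEC on the stack, which is what glibc does when it loads a library whose PT_GNU_STACK header requests an executable stack; the second is a plain execute denial on a file labelled usr_t. The script prefers the narrow fix for each (clear the stack flag if the library does not need it; relabel the libraries lib_t) over the two broad allow rules audit2allow prints. `semanage fcontext -a -t` and `restorecon` are the standard labelling commands, but the file-context regex and all function names are this example's own assumptions.

```python
"""Triage the thread's AVC denials and inspect PT_GNU_STACK like execstack -q.

Added example; not from the mailing-list thread or from any SELinux/prelink tool.
"""
import os
import re
import struct

# Audit records from the thread, rejoined onto one line each (mail wrapping removed).
AUDIT_LINES = [
    'type=AVC msg=audit(1186086032.546:60): avc: denied { execstack } for pid=2852 '
    'comm="httpd" scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=user_u:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1186088202.755:61): avc: denied { execute } for pid=2881 '
    'comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file',
    'type=AVC_PATH msg=audit(1186088202.755:61): '
    'path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"',
]

SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perm>[^}]+?)\s*\}.*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
                    r'tclass=(?P<tclass>\S+)')
PATH_RE = re.compile(r'path="(?P<path>[^"]+)"')


def parse_avc(lines):
    """Group audit lines by serial; return one dict per denial with perm, source
    and target types, class, and the path from a following AVC_PATH record."""
    records = {}
    for line in lines:
        serial = SERIAL_RE.search(line)
        if not serial:
            continue
        rec = records.setdefault(int(serial.group(1)), {})
        avc = AVC_RE.search(line)
        if avc:
            rec.update(avc.groupdict())
            rec['stype'] = rec['scontext'].split(':')[2]   # e.g. httpd_t
            rec['ttype'] = rec['tcontext'].split(':')[2]   # e.g. usr_t
        path = PATH_RE.search(line)
        if path:
            rec['path'] = path.group('path')
    return [records[k] for k in sorted(records) if 'perm' in records[k]]


def recommend(rec):
    """Suggest the narrow fix instead of the broad allow rule audit2allow prints."""
    perm, tclass = rec['perm'], rec['tclass']
    if tclass == 'process' and perm == 'execstack':
        return ('check the library with "execstack -q" and try "execstack -c" before '
                'considering "setsebool -P allow_execstack 1"')
    if tclass == 'file' and perm == 'execute' and rec['ttype'] == 'usr_t':
        libdir = os.path.dirname(rec.get('path', '/PATH/FROM/AVC_PATH'))
        # Assumed file-context regex: every .so (with optional version suffix) in libdir.
        return ("label the libraries lib_t rather than letting %s execute usr_t: "
                "semanage fcontext -a -t lib_t '%s/.*\\.so(\\.[0-9.]+)?' && "
                "restorecon -Rv '%s'" % (rec['stype'], libdir, libdir))
    target = 'self' if rec['scontext'] == rec['tcontext'] else rec['ttype']
    return 'review by hand; audit2allow would print: allow %s %s:%s %s;' % (
        rec['stype'], target, tclass, perm)


# PT_GNU_STACK is the header "execstack -q" reports on and "execstack -c" edits.
PT_GNU_STACK = 0x6474E551
PF_X = 0x1


def _gnu_stack(buf):
    """Yield (offset, p_flags) of PT_GNU_STACK headers in a little-endian ELF64 image."""
    if buf[:4] != b'\x7fELF' or buf[4] != 2 or buf[5] != 1:
        raise ValueError('only little-endian ELF64 images are handled here')
    (e_phoff,) = struct.unpack_from('<Q', buf, 32)
    e_phentsize, e_phnum = struct.unpack_from('<HH', buf, 54)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from('<II', buf, off)
        if p_type == PT_GNU_STACK:
            yield off, p_flags


def execstack_query(elf):
    """'X' if the stack is marked executable, '-' if not, '?' if no PT_GNU_STACK header."""
    for _, flags in _gnu_stack(elf):
        return 'X' if flags & PF_X else '-'
    return '?'


def clear_execstack(elf):
    """Return a copy of the image with PF_X cleared on PT_GNU_STACK (like execstack -c)."""
    buf = bytearray(elf)
    for off, flags in _gnu_stack(buf):
        struct.pack_into('<I', buf, off + 4, flags & ~PF_X)
    return bytes(buf)


def minimal_elf(stack_flags):
    """Constructed ELF64 image: header plus a single PT_GNU_STACK program header."""
    ident = b'\x7fELF' + bytes([2, 1, 1, 0]) + b'\x00' * 8
    ehdr = ident + struct.pack('<HHIQQQIHHHHHH', 3, 62, 1, 0, 64, 0, 0,
                               64, 56, 1, 64, 0, 0)
    phdr = struct.pack('<IIQQQQQQ', PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


if __name__ == '__main__':
    for rec in parse_avc(AUDIT_LINES):
        print('%s %s:%s -> %s' % (rec['stype'], rec['ttype'], rec['tclass'], recommend(rec)))
    rwx = minimal_elf(7)   # PF_R|PF_W|PF_X: loading such a library triggers the execstack AVC
    print(execstack_query(rwx), execstack_query(clear_execstack(rwx)))   # X -
```

Run it as-is to see the triage for the two records; point `parse_avc` at `open('/var/log/audit/audit.log')` for a live file. The relabel fix is the one the reply hints at: once the Oracle libraries carry lib_t, the existing policy already lets httpd_t execute them, so no `allow httpd_t usr_t:file execute` rule (which would cover every file under /usr and /opt) is needed.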