I know jack-diddly about selinux. Up until now, I've simply disabled it each time I ran into a headache like this. I'm having this issue on a RHEL5.3 machine. The problem does not show up on several existing RHEL5.2 machines... I don't know if that's because my predecessor knew the magic recipe, or because of some difference between 5.2 and 5.3.
[root@localhost ~]# service httpd start
Starting httpd: httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load /etc/httpd/modules/vcapache.so into server: /etc/httpd/modules/vcapache.so: cannot enable executable stack as shared object requires: Permission denied
[FAILED]

[root@localhost ~]# tail -2 /var/log/messages
Feb 9 12:59:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l d41f81b1-555f-4992-be21-4e4ac141f620
Feb 9 13:03:10 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l 072e94cc-778b-44a7-b407-ea6616385489
[root@localhost ~]# sealert -l 072e94cc-778b-44a7-b407-ea6616385489
Summary:
SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t).
Detailed Description:
SELinux denied access requested by httpd. It is not expected that this access is required by httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.
Allowing Access:
You can generate a local policy module to allow this access - see FAQ (http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Additional Information:
Source Context                root:system_r:httpd_t
Target Context                root:system_r:httpd_t
Target Objects                None [ process ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           httpd-2.2.3-22.el5
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-128.el5 #1 SMP Wed Dec 17 11:42:39 EST 2008 i686 i686
Alert Count                   1
First Seen                    Mon Feb 9 13:03:09 2009
Last Seen                     Mon Feb 9 13:03:09 2009
Local ID                      072e94cc-778b-44a7-b407-ea6616385489
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc: denied { execstack } for pid=2957 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
host=localhost.localdomain type=SYSCALL msg=audit(1234184589.996:31): arch=40000003 syscall=125 success=no exit=-13 a0=bf80d000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=2956 pid=2957 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
How do I make this particular module work? If I do an "ls -Z" on /etc/httpd/modules/ it has the same permissions as every other module...
-rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_vhost_alias.so
-rwxr-xr-x root root system_u:object_r:httpd_modules_t vcapache.so
John Oliver wrote:
[...]
It is very rare that any app would need execstack; apps having this privilege are potentially subject to buffer overflow attack.
http://people.redhat.com/~drepper/selinux-mem.html
First thing to try is to see if the execstack flag is set on the library; if it is, you can remove it and see if the app works.
Query:
# execstack -q /etc/httpd/modules/vcapache.so
Remove:
# execstack -c /etc/httpd/modules/vcapache.so
Test.
If it breaks and you want to put the flag back on:
# execstack -s /etc/httpd/modules/vcapache.so
If removing the flag does not work for you, you can create custom policy to allow vcapache to run:
# grep execstack /var/log/audit/audit.log | audit2allow -M myexecstack
# semodule -i myexecstack.pp
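Added example, written for this page and not taken from the thread or from the execstack/audit2allow tools it names: a POSIX sh script that parses raw AVC records of the kind shown in the sealert output above, sorts memory-protection denials (execstack, execmem, execheap on the process class; execmod on a file) apart from ordinary ones, and prints the .te source for the allow rule so you can read what `audit2allow -M` would build before `semodule -i` loads it. Both audit records in the script are constructed sample inputs: the first is the thread's own execstack denial, the second an invented file-read denial used only for contrast. One caveat the triage is meant to surface: the "cannot restore segment prot after reloc" failure that appears once the execstack flag is cleared points at text relocations in the .so, and those typically produce an execmod denial against the file rather than a second execstack record, so feeding audit.log to audit2allow filtered by the domain (httpd_t) rather than by the string "execstack" is the safer habit.

```shell
#!/bin/sh
# Added example, not from the thread: triage raw AVC records and show the
# allow rule a custom module would carry. Constructed sample inputs follow;
# the first is the execstack denial quoted in the thread, the second is an
# invented file-read denial used only for contrast.
SAMPLE_AVC='host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc: denied { execstack } for pid=2957 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process'
SAMPLE_FILE_AVC='type=AVC msg=audit(1234184600.123:32): avc: denied { read } for pid=2960 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# avc_field RECORD KEY: print the value of KEY (quotes stripped) from an AVC record.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# avc_perms RECORD: print the denied permission list, e.g. "execstack" or "read write".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*denied { *\([^}]*[^} ]\) *}.*/\1/p'
}

# avc_type CONTEXT: reduce user:role:type:level to the type, e.g. httpd_t.
avc_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_triage RECORD: "memory-protection" for denials that mean a library wants
# an executable stack, writable+executable memory, or text relocations; those
# deserve a look at the .so (execstack -q, and whether it has text relocs)
# before any policy is written. Everything else is "ordinary".
avc_triage() {
    case "$(avc_field "$1" tclass):$(avc_perms "$1")" in
        process:*execstack*|process:*execmem*|process:*execheap*|file:*execmod*)
            echo memory-protection ;;
        *)
            echo ordinary ;;
    esac
}

# te_module NAME RECORD: print a minimal policy module source (.te) for the
# single denial in RECORD, in the shape audit2allow -M produces. When source
# and target types match on the process class the rule targets "self".
te_module() {
    src=$(avc_type "$(avc_field "$2" scontext)")
    tgt=$(avc_type "$(avc_field "$2" tcontext)")
    cls=$(avc_field "$2" tclass)
    perms=$(avc_perms "$2")
    if [ "$src" = "$tgt" ] && [ "$cls" = process ]; then
        tgt=self
    fi
    printf 'module %s 1.0;\n\nrequire {\n\ttype %s;\n' "$1" "$src"
    if [ "$tgt" != self ]; then
        printf '\ttype %s;\n' "$tgt"
    fi
    printf '\tclass %s { %s };\n}\n\nallow %s %s:%s { %s };\n' \
        "$cls" "$perms" "$src" "$tgt" "$cls" "$perms"
}

# Stand-alone run over the two constructed samples.
for rec in "$SAMPLE_AVC" "$SAMPLE_FILE_AVC"; do
    printf '%s: %s denied { %s } on %s\n' "$(avc_triage "$rec")" \
        "$(avc_field "$rec" comm)" "$(avc_perms "$rec")" "$(avc_field "$rec" tclass)"
done
te_module myexecstack "$SAMPLE_AVC"
```

Against a live box, feed the real log instead of the samples, e.g. `grep 'avc: *denied' /var/log/audit/audit.log | grep httpd_t | while IFS= read -r rec; do avc_triage "$rec"; done`. The .te text is the same input `audit2allow -M` hands to `checkmodule -M -m` and `semodule_package`; reading it first is the point, since an `allow httpd_t self:process { execstack };` rule gives every httpd process, and every module it loads, an executable stack, which is exactly the property the denial was guarding against.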
On Tue, Feb 10, 2009 at 02:58:38PM -0500, Daniel J Walsh wrote:
[...]
Query:
# execstack -q /etc/httpd/modules/vcapache.so

[root@localhost targeted]# execstack -q /etc/httpd/modules/vcapache.so
? /etc/httpd/modules/vcapache.so

Remove:
# execstack -c /etc/httpd/modules/vcapache.so
Test.

[root@localhost targeted]# service httpd start
Starting httpd: httpd: Syntax error on line 211 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load /etc/httpd/modules/vcapache.so into server: /etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc: Permission denied
[FAILED]

If it breaks and you want to put the flag back on:
# execstack -s /etc/httpd/modules/vcapache.so
If removing the flag does not work for you, you can create custom policy to allow vcapache to run:
# grep execstack /var/log/audit/audit.log | audit2allow -M myexecstack
# semodule -i myexecstack.pp

Will that make it automagically work until the day the server is scrapped? Or do I need to put "semodule -i myexecstack.pp" in rc.local or something? Or is there a place I can put the myexecstack.pp file where selinux will read it each time the machine boots?
Thanks for the info!!!
On Tue, 2009-02-10 at 12:45 -0800, John Oliver wrote:
[...]
[root@localhost targeted]# execstack -q /etc/httpd/modules/vcapache.so
? /etc/httpd/modules/vcapache.so

Remove:
# execstack -c /etc/httpd/modules/vcapache.so

Did you try this?

[...]
Will that make it automagically work until the day the server is scrapped? Or do I need to put "semodule -i myexecstack.pp" in rc.local or something? Or is there a place I can put the myexecstack.pp file where selinux will read it each time the machine boots?

semodule -i installs the module under /etc/selinux/targeted/modules/active/modules and keeps it around until you explicitly remove it with semodule -r.
BTW, there may also be a boolean that you can change instead, like setsebool -P httpd_execmem=1
You can look for existing rules with sesearch, e.g. sesearch -AC -s httpd_t -p execstack
On Tue, Feb 10, 2009 at 02:58:38PM -0500, Daniel J Walsh wrote:
# grep execstack /var/log/audit/audit.log | audit2allow -M myexecstack
# semodule -i myexecstack.pp

[root@localhost ~]# semodule -i valicert.pp
tomcat homedir /usr/share/tomcat5 or its parent directory conflicts with a defined context in /etc/selinux/targeted/contexts/files/file_contexts, /usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account. If it is a system account please make sure its login shell is /sbin/nologin.

The tomcat user appears to require a valid shell. And I cannot find any reference to /usr/share/tomcat5 in /etc/selinux/targeted/contexts/files/file_contexts.
Thanks!
selinux@lists.fedoraproject.org