Daniel J Walsh wrote:
On 08/14/2009 09:16 AM, Rob Crittenden wrote:
> I'm having a problem where Apache is segfaulting when SELinux is enabled
> because of an AVC. I'm using freeIPA which defines a mod_python handler.
>
> The AVCs are:
>
> type=AVC msg=audit(1250255388.275:27650): avc: denied { execute } for
> pid=7849 comm="httpd"
> path=2F746D702F6666696A7435517772202864656C6574656429 dev=sda1
> ino=442585 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file
>
> type=AVC msg=audit(1250255388.288:27652): avc: denied { execute } for
> pid=7850 comm="httpd"
> path=2F6465762F73686D2F6666696D436E667967202864656C6574656429 dev=tmpfs
> ino=33960 scontext=unconfined_u:system_r:httpd_t:s0
> tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file
>
> audit2allow generated this:
>
> module test 1.0;
>
> require {
> type httpd_tmp_t;
> type httpd_t;
> type httpd_tmpfs_t;
> class file execute;
> }
>
> #============= httpd_t ==============
> allow httpd_t httpd_tmp_t:file execute;
> allow httpd_t httpd_tmpfs_t:file execute;
>
> I'm a bit stumped. What should I look for, something doing an exec,
> something messing in /tmp, both?
>
> thanks
>
> rob
>
>
Apache executing something in /tmp, just feels like a very bad idea. I am not sure
mod_python is doing this, but I would look for some configuration that is putting files in
/tmp.
Ok, the core dumps were relatively enlightening. They at least pointed
out what import things were choking on.
Turns out that the python ctypes module creates a file in /tmp and
executes it. It seems, oddly enough, to actually execute gcc and
ldconfig. Quite bizarre. By not importing that module it makes SELinux
happy again.
rob