System is a fresh install of RHEL 5.2
[root@testbed ~]# service httpd start
Starting httpd: [FAILED]
[root@testbed ~]# tail -1 /var/log/messages
Feb 23 17:33:34 testbed setroubleshoot: SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0
[root@testbed ~]# sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0

Summary
SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t).

Detailed Description
SELinux denied access requested by /usr/sbin/httpd. It is not expected that this access is required by /usr/sbin/httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown>. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "httpd_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P httpd_disable_trans=1."

The following command will allow this access: setsebool -P httpd_disable_trans=1

Additional Information
Source Context         root:system_r:httpd_t:s0
Target Context         root:system_r:httpd_t:s0
Target Objects         None [ process ]
Affected RPM Packages  httpd-2.2.3-6.el5 [application]
Policy RPM             selinux-policy-2.4.6-30.el5
Selinux Enabled        True
Policy Type            targeted
MLS Enabled            True
Enforcing Mode         Enforcing
Plugin Name            plugins.disable_trans
Host Name              testbed
Platform               Linux testbed 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
Alert Count            2
Line Numbers

Raw Audit Messages
avc: denied { execstack } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=15177 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
How am I supposed to figure out what it's unhappy about if it won't tell me?
John Oliver wrote:
> System is a fresh install of RHEL 5.2
>
> [root@testbed ~]# service httpd start
> Starting httpd: [FAILED]
> [root@testbed ~]# tail -1 /var/log/messages
> Feb 23 17:33:34 testbed setroubleshoot: SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0
> [root@testbed ~]# sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0
>
> Summary
> SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t).
>
> Detailed Description
> SELinux denied access requested by /usr/sbin/httpd. It is not expected that this access is required by /usr/sbin/httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown>. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "httpd_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P httpd_disable_trans=1."
>
> The following command will allow this access: setsebool -P httpd_disable_trans=1
>
> Additional Information
> Source Context         root:system_r:httpd_t:s0
> Target Context         root:system_r:httpd_t:s0
> Target Objects         None [ process ]
> Affected RPM Packages  httpd-2.2.3-6.el5 [application]
> Policy RPM             selinux-policy-2.4.6-30.el5
> Selinux Enabled        True
> Policy Type            targeted
> MLS Enabled            True
> Enforcing Mode         Enforcing
> Plugin Name            plugins.disable_trans
> Host Name              testbed
> Platform               Linux testbed 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
> Alert Count            2
> Line Numbers
>
> Raw Audit Messages
> avc: denied { execstack } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=15177 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
>
> How am I supposed to figure out what it's unhappy about if it won't tell me?
Is there anything in the apache logs?
http://people.redhat.com/~drepper/selinux-mem.html
execstack is very rarely required and usually indicates something built incorrectly or a hack.
You could look for libraries/binaries that require execstack by using the following command
find /bin -exec execstack -q {} \; 2> /dev/null | grep ^X
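As an added example (not from this thread or from Dan's mail), here is a small stand-alone reader for the ELF PT_GNU_STACK program header that reports the same X / - letters as execstack -q, so the check above can be run over httpd and its loaded modules on a box where the execstack tool is not installed; the paths in the usage comment are assumptions, and fake_elf builds constructed test images, not real binaries. A result of ? means the object carries no PT_GNU_STACK header at all, which the i386 kernel treats as a request for an executable stack and which therefore also trips the execstack permission.

```python
import struct, sys
from pathlib import Path

PT_GNU_STACK = 0x6474E551   # program header that records the stack permissions
PF_X = 0x1                  # execute bit in p_flags

def stack_flag(data: bytes) -> str:
    """Letter execstack -q would print: 'X' executable stack, '-' non-executable,
    '?' no PT_GNU_STACK header (kernel falls back to executable stack on i386)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF object")
    is64, end = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        flags_off = 4   # Elf64_Phdr: p_type, p_flags, p_offset, ...
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        flags_off = 24  # Elf32_Phdr: p_flags follows six 4-byte fields
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, off + flags_off)
            return "X" if p_flags & PF_X else "-"
    return "?"

def fake_elf(phdrs, bits=32):
    """Constructed test input (not a real binary): a minimal little-endian ELF
    image whose program-header table holds the given (p_type, p_flags) pairs."""
    is64 = bits == 64
    ehdr = bytearray(64 if is64 else 52)
    ehdr[:7] = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1])   # class, LE, version
    if is64:
        struct.pack_into("<Q", ehdr, 0x20, len(ehdr))          # e_phoff
        struct.pack_into("<HH", ehdr, 0x36, 56, len(phdrs))    # e_phentsize, e_phnum
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 16) for t, f in phdrs)
    else:
        struct.pack_into("<I", ehdr, 0x1C, len(ehdr))
        struct.pack_into("<HH", ehdr, 0x2A, 32, len(phdrs))
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 4) for t, f in phdrs)
    return bytes(ehdr) + body

if __name__ == "__main__":   # e.g. python3 check.py /usr/sbin/httpd /etc/httpd/modules/*.so
    for path in sys.argv[1:]:
        flag = stack_flag(Path(path).read_bytes())
        if flag != "-":      # print only objects that would trigger the execstack check
            print(flag, path)
```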
On Mon, Feb 23, 2009 at 01:18:34PM -0500, Daniel J Walsh wrote:
> John Oliver wrote:
> > System is a fresh install of RHEL 5.2
> >
> > [root@testbed ~]# service httpd start
> > Starting httpd: [FAILED]
> > [root@testbed ~]# tail -1 /var/log/messages
> > Feb 23 17:33:34 testbed setroubleshoot: SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0
> > [root@testbed ~]# sealert -l bda3d483-5ff5-4465-a9af-c2896cd7adb0
> >
> > Summary
> > SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to <Unknown> (httpd_t).
> >
> > Detailed Description
> > SELinux denied access requested by /usr/sbin/httpd. It is not expected that this access is required by /usr/sbin/httpd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> >
> > Allowing Access
> > Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for <Unknown>, restorecon -v <Unknown>. There is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 - or you can disable SELinux protection entirely for the application. Disabling SELinux protection is not recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Changing the "httpd_disable_trans" boolean to true will disable SELinux protection this application: "setsebool -P httpd_disable_trans=1."
> >
> > The following command will allow this access: setsebool -P httpd_disable_trans=1
> >
> > Additional Information
> > Source Context         root:system_r:httpd_t:s0
> > Target Context         root:system_r:httpd_t:s0
> > Target Objects         None [ process ]
> > Affected RPM Packages  httpd-2.2.3-6.el5 [application]
> > Policy RPM             selinux-policy-2.4.6-30.el5
> > Selinux Enabled        True
> > Policy Type            targeted
> > MLS Enabled            True
> > Enforcing Mode         Enforcing
> > Plugin Name            plugins.disable_trans
> > Host Name              testbed
> > Platform               Linux testbed 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
> > Alert Count            2
> > Line Numbers
> >
> > Raw Audit Messages
> > avc: denied { execstack } for comm="httpd" egid=0 euid=0 exe="/usr/sbin/httpd" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=15177 scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0 suid=0 tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
> >
> > How am I supposed to figure out what it's unhappy about if it won't tell me?
>
> Is there anything in the apache logs?
No.
> http://people.redhat.com/~drepper/selinux-mem.html
>
> execstack is very rarely required and usually indicates something built incorrectly or a hack.
>
> You could look for libraries/binaries that require execstack by using the following command
>
> find /bin -exec execstack -q {} \; 2> /dev/null | grep ^X
That returns nothing.
I cannot find anything being logged anywhere.
I have no idea what "Unknown" is or why it won't tell me.
selinux@lists.fedoraproject.org