selinux problem I solved months ago

Stephen Smalley sds at tycho.nsa.gov
Wed May 6 11:28:40 UTC 2009 

On Tue, 2009-05-05 at 16:29 -0700, John Oliver wrote:
> I had this problem weeks and weeks ago:
> 
> [root at mda-vm1h ~]# service httpd configtest
> httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax
> error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load
> /etc/httpd/modules/vcapache.so into server:
> /etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc:
> Permission denied
> 
> I solved it by creating an selinux module and "baking" it into my
> kickstart.  Built many machines, all worked perfectly.
> 
> Now, I have three virtual machines I installed with the same kickstart,
> and I'm getting the same problem.
> 
> [root at mda-vm1h ~]# ls -lZ /etc/httpd/modules/vcapache.so
> -rwxr-xr-x  root root system_u:object_r:httpd_modules_t
> /etc/httpd/modules/vcapache.so
> 
> type=AVC msg=audit(1241564879.792:4671): avc:  denied  { execheap } for
> pid=28957 comm="httpd" scontext=user_u:system_r:initrc_t:s0
> tcontext=user_u:system_r:initrc_t:s0 tclass=process
> type=SYSCALL msg=audit(1241564879.792:4671): arch=40000003 syscall=125
> success=no exit=-13 a0=ffa000 a1=1b8000 a2=5 a3=bf8b7eb0 items=0
> ppid=28953 pid=28957 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts1 comm="httpd" exe="/usr/sbin/httpd"
> subj=user_u:system_r:initrc_t:s0 key=(null)
> 
> [root at mda-vm1h ~]# semodule -l
> amavis  1.1.0
> ccs     1.0.0
> clamav  1.1.0
> dcc     1.1.0
> evolution       1.1.0
> iscsid  1.0.0
> mozilla 1.1.0
> mplayer 1.1.0
> nagios  1.1.0
> oddjob  1.0.1
> pcscd   1.0.0
> pyzor   1.1.0
> razor   1.1.0
> ricci   1.0.0
> smartmon        1.1.0
> valicert        1.0
> 
> There it is, at the end.  I removed and reinstalled it with no effect.
> It's data, so I can't cat it out, but that module worked... unless this
> is some new, different problem.
> 
> Is there more magic sauce that has to be added?

The first one looks like it was an execmod denial rather than an
execheap denial, offhand.  So I suspect this may be a new denial rather
than the same old one.  If you generate a module for it via audit2allow
-M and insert that, does it still recur?

-- 
Stephen Smalley
National Security Agency

More information about the selinux mailing list