selinux problem I solved months ago
Stephen Smalley
sds at tycho.nsa.gov
Wed May 6 11:28:40 UTC 2009
On Tue, 2009-05-05 at 16:29 -0700, John Oliver wrote:
> I had this problem weeks and weeks ago:
>
> [root at mda-vm1h ~]# service httpd configtest
> httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax
> error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load
> /etc/httpd/modules/vcapache.so into server:
> /etc/httpd/modules/vcapache.so: cannot restore segment prot after reloc:
> Permission denied
>
> I solved it by creating an selinux module and "baking" it into my
> kickstart. Built many machines, all worked perfectly.
>
> Now, I have three virtual machines I installed with the same kickstart,
> and I'm getting the same problem.
>
> [root at mda-vm1h ~]# ls -lZ /etc/httpd/modules/vcapache.so
> -rwxr-xr-x root root system_u:object_r:httpd_modules_t
> /etc/httpd/modules/vcapache.so
>
> type=AVC msg=audit(1241564879.792:4671): avc: denied { execheap } for
> pid=28957 comm="httpd" scontext=user_u:system_r:initrc_t:s0
> tcontext=user_u:system_r:initrc_t:s0 tclass=process
> type=SYSCALL msg=audit(1241564879.792:4671): arch=40000003 syscall=125
> success=no exit=-13 a0=ffa000 a1=1b8000 a2=5 a3=bf8b7eb0 items=0
> ppid=28953 pid=28957 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0 fsgid=0 tty=pts1 comm="httpd" exe="/usr/sbin/httpd"
> subj=user_u:system_r:initrc_t:s0 key=(null)
>
> [root at mda-vm1h ~]# semodule -l
> amavis 1.1.0
> ccs 1.0.0
> clamav 1.1.0
> dcc 1.1.0
> evolution 1.1.0
> iscsid 1.0.0
> mozilla 1.1.0
> mplayer 1.1.0
> nagios 1.1.0
> oddjob 1.0.1
> pcscd 1.0.0
> pyzor 1.1.0
> razor 1.1.0
> ricci 1.0.0
> smartmon 1.1.0
> valicert 1.0
>
> There it is, at the end. I removed and reinstalled it with no effect.
> It's data, so I can't cat it out, but that module worked... unless this
> is some new, different problem.
>
> Is there more magic sauce that has to be added?
The first one looks like it was an execmod denial rather than an
execheap denial, offhand. So I suspect this may be a new denial rather
than the same old one. If you generate a module for it via audit2allow
-M and insert that, does it still recur?
--
Stephen Smalley
National Security Agency
More information about the selinux
mailing list