[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: denied execheap, for httpd with zend optimizer (fc5)



Hi again,

Can anyone verify that Zend Optimizer generates a execheap denial in FC5? Or is it just my problem? Zend Optimizer is needed to run binary php code, which is common for commercial php projects.

Simple steps to install Zend Optimizer and verify the problem:
0. you have to have httpd and php installed (yum install httpd php)

1. Download and unpack Zend Optimizer 3
   http://www.zend.com/products/zend_optimizer
(requires a zend.com user, which can be created for free at the download site)

2. Run ./install in the unpacked dir of Zend Optimizer
   It will ask few questions, but defaults should be fine.

3. Allow execheap, give zend files correct security context, and remove their execstack requirement:
   setsebool allow_execheap 1
chcon -t httpd_modules_t -u system_u `find /usr/local/Zend/lib/ -name \*.so`
   execstack -c `find /usr/local/Zend/lib/ -name \*.so`

4. restart httpd:
   service httpd restart

5. check /var/log/messages (whether an avc execheap denial occured, when httpd restarted)

Send an e-mail to the list or to me with your results. If it is a common problem, then I'll report a bug.

Regards,
Jaak

Jaak Simm wrote:
One additional comment. The command line version of php works with zend optimizer, no selinux troubles there.
Only httpd with php and zend optimizer creates the execheap problem.

The context of Zend Optimizer's .so files is:
system_u:object_r:httpd_modules_t

Is execheap allowed in some contexts and disabled in others?

Regards,
Jaak

Jaak Simm wrote:
Hi all,

I'm installing Zend Optimizer 3.0 for httpd in FC5. After giving correct security context with chcon and removing execstack requirement from its .so files I'm still stuck with "denied {execheap}" error in the /var/log/messages, when the httpd starts: May 20 21:33:26 web2 kernel: audit(1148150006.772:751): avc: denied { execheap } for pid=2584 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process

I have enabled allow_execheap:
# getsebool allow_execheap
allow_execheap --> on

Also restarted the computer, but "denied {execheap}" message is present and Zend Optimizer does not work.

Any comments and hints from selinux gurus, besides disabling selinux?

Thanks,
Jaak

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]