denied execheap, for httpd with zend optimizer (fc5)

Jaak Simm jaaksimm at firm.ee
Tue May 23 08:13:41 UTC 2006


Hi again,

Can anyone verify that Zend Optimizer generates an execheap denial in 
FC5? Or is it just my problem? Zend Optimizer is needed to run binary 
php code, which is common for commercial php projects.

Simple steps to install Zend Optimizer and verify the problem:
0. you have to have httpd and php installed (yum install httpd php)

1. Download and unpack Zend Optimizer 3
    http://www.zend.com/products/zend_optimizer
    (requires a zend.com user, which can be created for free at the
    download site)

2. Run ./install in the unpacked dir of Zend Optimizer
    It will ask a few questions, but defaults should be fine.

3. Allow execheap, give zend files correct security context, and remove 
their execstack requirement:
    setsebool allow_execheap 1
    chcon -t httpd_modules_t -u system_u `find /usr/local/Zend/lib/ -name \*.so`
    execstack -c `find /usr/local/Zend/lib/ -name \*.so`

4. restart httpd:
    service httpd restart

5. check /var/log/messages (whether an avc execheap denial occurred when 
httpd restarted)

Send an e-mail to the list or to me with your results. If it is a common 
problem, then I'll report a bug.

Regards,
Jaak

Jaak Simm wrote:
> One additional comment. The command line version of php works with 
> zend optimizer, no selinux troubles there.
> Only httpd with php and zend optimizer creates the execheap problem.
>
> The context of Zend Optimizer's .so files is:
> system_u:object_r:httpd_modules_t
>
> Is execheap allowed in some contexts and disabled in others?
>
> Regards,
> Jaak
>
> Jaak Simm wrote:
>> Hi all,
>>
>> I'm installing Zend Optimizer 3.0 for httpd in FC5. After giving 
>> correct security context with chcon and removing execstack 
>> requirement from its .so files I'm still stuck with "denied 
>> {execheap}" error in the /var/log/messages, when the httpd starts:
>> May 20 21:33:26 web2 kernel: audit(1148150006.772:751): avc:  denied  
>> { execheap } for  pid=2584 comm="httpd" 
>> scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 
>> tclass=process
>>
>> I have enabled allow_execheap:
>> # getsebool allow_execheap
>> allow_execheap --> on
>>
>> Also restarted the computer, but "denied {execheap}" message is 
>> present and Zend Optimizer does not work.
>>
>> Any comments and hints from selinux gurus, besides disabling selinux?
>>
>> Thanks,
>> Jaak
>>
>> -- 
>> fedora-selinux-list mailing list
>> fedora-selinux-list at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
> -- 
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
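
For step 5 of the procedure above, one way to pull memory-protection denials out of /var/log/messages instead of reading the log by eye. This is an added example, not part of the original post; the function names `parse_avc` and `memprotect_denials` are hypothetical, the first sample line is the denial quoted in this thread, and the remaining sample lines are constructed.

```python
import re
from collections import Counter

# Memory-protection permissions that SELinux checks on the process class.
MEM_PERMS = {"execheap", "execstack", "execmem"}

# Matches the kernel AVC format shown in this thread. Mail clients and syslog
# add irregular spacing, so whitespace is normalised before matching.
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: denied "
    r"\{ (?P<perms>[^}]+) \} for (?P<fields>.*)"
)

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(" ".join(line.split()))
    if not m:
        return None
    rec = {"ts": float(m["ts"]), "serial": int(m["serial"]),
           "perms": set(m["perms"].split())}
    # The remaining fields are key=value pairs; values may be double-quoted.
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m["fields"]):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; the type of scontext is the domain.
    rec["domain"] = rec.get("scontext", "::").split(":")[2]
    return rec

def memprotect_denials(lines):
    """Count memory-protection denials per (comm, domain, permission)."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec and rec.get("tclass") == "process":
            for perm in rec["perms"] & MEM_PERMS:
                counts[(rec.get("comm"), rec["domain"], perm)] += 1
    return counts

# SAMPLE[0] is the denial quoted in this thread; the rest are constructed.
SAMPLE = [
    'May 20 21:33:26 web2 kernel: audit(1148150006.772:751): avc:  denied  { execheap } for  pid=2584 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process',
    'May 20 21:34:02 web2 kernel: audit(1148150042.101:752): avc:  denied  { read } for  pid=2590 comm="httpd" name="index.php" scontext=root:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'May 20 21:34:10 web2 httpd: httpd startup succeeded',
    'May 20 21:40:15 web2 kernel: audit(1148150415.310:760): avc:  denied  { execheap } for  pid=2701 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process',
]

if __name__ == "__main__":
    for (comm, domain, perm), n in memprotect_denials(SAMPLE).items():
        print(f"{n} x {perm} denied for comm={comm} in domain {domain}")
```

To run it against a live log, pass `open("/var/log/messages")` to `memprotect_denials` in place of `SAMPLE`.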



