[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: Problem with interbase (firebird-1.5) on FC4 box, httpd-2.0.54, php-interbase-5.0.4-10.5



Daniel Paul wrote:
Hello again,

execstack -c /usr/lib/modules/interbase.so does not solve the problem, execstack -s and -c show the same behaviour (same error message, see below).
Maybe some more information:
ls -Z for interbase shows:
-rwxr-xr-x  root     root     system_u:object_r:lib_t interbase.so

BTW: /usr/lib/httpd/libphp5.so has the same context data:
-rwxr-xr-x  root     root     system_u:object_r:lib_t libphp5.so

(shouldn't it be -> t=httpd_modules_t ?)

Tell me if you need more input to solve the problem...

Daniel




Daniel Paul wrote:
Hello there,

because I need interbase (firebird) support in php, I recompiled the
actual php-5.0.4-10.5 package with interbase support
(--with-interbase=shared). When I start httpd there is the following
message in error_log:

PHP Warning:  PHP Startup: Unable to load dynamic library
'/usr/lib/php/modules/interbase.so' - object requires: cannot enable
executable stack as shared object requires: Permission denied in Unknown
on line 0
try

execstack -c  /usr/lib/php/modules/interbase.so

execstack is a security problem

http://people.redhat.com/drepper/selinux-mem.html

phpinfo() shows that php has read the interbase.ini file which contains a
reference to the interbase.so module, but interbase support is disabled
(nothing shows up regarding interbase). With selinux set to permissive
mode (instead of enforcing), there is no such message and phpinfo() shows
me, that interbase support is enabled.

audit.log shows the following:

type=AVC msg=audit(1138630853.033:10): avc:  denied  { execstack } for
pid=1886 comm="httpd" scontext=root:system_r:httpd_t
tcontext=root:system_r:httpd_t tclass=process
type=SYSCALL msg=audit(1138630853.033:10): arch=40000003 syscall=125
success=no exit=-13 a0=bf8a3000 a1=1000 a2=1000007 a3=d5a000 items=0
pid=1886 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
comm="httpd" exe="/usr/sbin/httpd"

Any help would be truly appreciated.

After you execute

execstack -c /usr/lib/modules/interbase.so

Are you still seeing avc messages?

Dan
Thanks in advance,

Daniel

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

--
fedora-selinux-list mailing list
fedora-selinux-list redhat com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]