denied execheap, for httpd with zend optimizer (fc5)

Daniel J Walsh dwalsh at redhat.com
Wed May 24 15:35:30 UTC 2006


Jaak Simm wrote:
> Hi again,
>
> Can anyone verify that Zend Optimizer generates an execheap denial in 
> FC5? Or is it just my problem? Zend Optimizer is needed to run binary 
> php code, which is common for commercial php projects.
>
> Simple steps to install Zend Optimizer and verify the problem:
> 0. you have to have httpd and php installed (yum install httpd php)
>
> 1. Download and unpack Zend Optimizer 3
>    http://www.zend.com/products/zend_optimizer
>    (requires a zend.com user, which can be created  for free at the 
> download site)
>
> 2. Run ./install in the unpacked dir of Zend Optimizer
>    It will ask a few questions, but defaults should be fine.
>
> 3. Allow execheap, give zend files correct security context, and 
> remove their execstack requirement:
>    setsebool allow_execheap 1
>    chcon -t httpd_modules_t -u system_u `find /usr/local/Zend/lib/ -name \*.so`
>    execstack -c `find /usr/local/Zend/lib/ -name \*.so`
allow_execheap only affects unconfined processes.  If you want this 
rule for httpd you will need to build a policy module.

grep execheap /var/log/messages | audit2allow -M Zend
semodule -i Zend.pp

Should add this rule. 

You might want to read up on execheap on the following

http://people.redhat.com/~drepper/selinux-mem.html

And report this as a bug to the Zend people.


>
> 4. restart httpd:
>    service httpd restart
>
> 5. check /var/log/messages (whether an avc execheap denial occurred, 
> when httpd restarted)
>
> Send an e-mail to the list or to me with your results. If it is a 
> common problem, then I'll report a bug.
>
> Regards,
> Jaak
>
> Jaak Simm wrote:
>> One additional comment. The command line version of php works with 
>> zend optimizer, no selinux troubles there.
>> Only httpd with php and zend optimizer creates the execheap problem.
>>
>> The context of Zend Optimizer's .so files is:
>> system_u:object_r:httpd_modules_t
>>
>> Is execheap allowed in some contexts and disabled in others?
>>
>> Regards,
>> Jaak
>>
>> Jaak Simm wrote:
>>> Hi all,
>>>
>>> I'm installing Zend Optimizer 3.0 for httpd in FC5. After giving 
>>> correct security context with chcon and removing execstack 
>>> requirement from its .so files I'm still stuck with "denied 
>>> {execheap}" error in the /var/log/messages, when the httpd starts:
>>> May 20 21:33:26 web2 kernel: audit(1148150006.772:751): avc:  
>>> denied  { execheap } for  pid=2584 comm="httpd" 
>>> scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 
>>> tclass=process
>>>
>>> I have enabled allow_execheap:
>>> # getsebool allow_execheap
>>> allow_execheap --> on
>>>
>>> Also restarted the computer, but "denied {execheap}" message is 
>>> present and Zend Optimizer does not work.
>>>
>>> Any comments and hints from selinux gurus, besides disabling selinux?
>>>
>>> Thanks,
>>> Jaak
>>>
>>> -- 
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list at redhat.com
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

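What the audit2allow step in the reply derives from the denial quoted in the thread, shown as an added example that is not part of the original messages and is not audit2allow's own code. The module version 1.0, the "review" comment and the function names are assumptions of this sketch; the log line is the one from the thread, joined back onto one line.

```python
import re

# The denial quoted in the thread, with the mail line wrapping undone.
SAMPLE_LOG = (
    'May 20 21:33:26 web2 kernel: audit(1148150006.772:751): avc:  denied  '
    '{ execheap } for  pid=2584 comm="httpd" '
    'scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 '
    'tclass=process\n'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)'
)
# Memory-protection permissions that deserve review before being allowed.
MEMORY_PERMS = {"execheap", "execmem", "execstack", "execmod"}

def parse_denials(log_text):
    """Collect denied permissions keyed by (source type, target type, class)."""
    rules = {}
    for m in AVC_RE.finditer(log_text):
        # The type is the third field of user:role:type[:level].
        key = tuple(m[g].split(":")[2] for g in ("scon", "tcon")) + (m["tclass"],)
        rules.setdefault(key, set()).update(m["perms"].split())
    return rules

def render_module(name, rules):
    """Render type-enforcement module source for the collected denials."""
    types = sorted({t for src, tgt, _ in rules for t in (src, tgt)})
    classes = {}
    for (_, _, tclass), perms in rules.items():
        classes.setdefault(tclass, set()).update(perms)
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        risky = sorted(perms & MEMORY_PERMS)
        if risky:
            lines.append(f"# review: memory-protection permission(s) {', '.join(risky)}")
        target = "self" if src == tgt else tgt  # same domain on both sides
        lines.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_module("Zend", parse_denials(SAMPLE_LOG)))
```

The rendered rule applies to httpd_t only, which is why the allow_execheap boolean for unconfined processes had no effect on the denial.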