apache2 failing to start

Ubaidul Khan ukhanlists at hotmail.com
Fri Aug 3 15:43:09 UTC 2007


Ken,

Thank you for your response.

>you can first use execstack to check whether your program really need 
>executable stack(you must have prelink firstly):

I checked to see if the library requires an executable stack, and execstack 
returns unknown (? - when it is unknown whether the object requires or 
doesn't require executable stack).

# execstack -q libclntsh.so.10.1
? libclntsh.so.10.1

I don't think it was prelinked since these libraries are distributed by 
Oracle as binary files (all I did was download the archive from Oracle's 
website and extract it into /opt/oracle/app/instant-client-10.1).  Then 
I downloaded the php-5.1.6-11 SRPM and linked against the OCI libraries in 
the following manner:

configure \
  --with-oci8=instantclient,/opt/oracle/app/instant-client-10.1/

>I wonder why your libraries are usr_t, not lib_t; if your libs are lib_t, 
>httpd_t can execute those files

I think this happened because I made the directory path 
/opt/oracle/app/instant-client-10.1/ as root.  This path inherited the 
default context.  I imagine it would be more sensible to store the libraries 
in /usr/lib or /usr/lib64.

I am still puzzled by the executable stack dilemma.  I noticed this goes 
away when I disable SELinux (setenforce 0).

Look forward to your correspondence.

>From: Ken YANG <spng.yang at gmail.com>
>To: Ubaidul Khan <ukhanlists at hotmail.com>
>CC: fedora-selinux-list at redhat.com
>Subject: Re: apache2 failing to start
>Date: Fri, 03 Aug 2007 13:10:27 +0800
>
>Ubaidul Khan wrote:
> > Hello,
> >
> > We are running RHEL 5 x86_64 and I compiled php from Source RPM, so I
> > could link php with Oracle Instant Client Libraries (OCI).  OCI is
> > installed under /opt with the following contexts:
> >
> > # ls -lZ
> > drwxr-xr-x  root root system_u:object_r:usr_t          oracle
> >
> > [root at saleen_webvm1 instant-client-10.1]# pwd
> > /opt/oracle/app/instant-client-10.1
> > [root at saleen_webvm1 instant-client-10.1]# ls -alZ
> > drwxr-xr-x  root root system_u:object_r:usr_t          .
> > drwxr-xr-x  root root system_u:object_r:usr_t          ..
> > -rw-r--r--  root root system_u:object_r:usr_t          classes12.jar
> > drwxr-xr-x  root root system_u:object_r:usr_t          docs
> > -rw-r--r--  root root system_u:object_r:usr_t          glogin.sql
> > lrwxrwxrwx  root root system_u:object_r:usr_t          libclntsh.so
> > -rwxr-xr-x  root root system_u:object_r:usr_t          libclntsh.so.10.1
> > -rwxr-xr-x  root root system_u:object_r:usr_t          libnnz10.so
> > lrwxrwxrwx  root root system_u:object_r:usr_t          libocci.so
> > -rwxr-xr-x  root root system_u:object_r:usr_t          libocci.so.10.1
> > -rwxr-xr-x  root root system_u:object_r:usr_t          libociei.so
> > -rwxr-xr-x  root root system_u:object_r:usr_t          libocijdbc10.so
> > -rwxr-xr-x  root root system_u:object_r:usr_t          libsqlplus.so
> > -rw-r--r--  root root system_u:object_r:usr_t          ojdbc14.jar
> > -rw-r--r--  root root system_u:object_r:usr_t          README_IC.htm
> > drwxr-xr-x  root root system_u:object_r:usr_t          sdk
> > -rwxr-xr-x  root root system_u:object_r:usr_t          sqlplus
> > -rw-r--r--  root root system_u:object_r:usr_t          tnsnames.ora
> >
> > When I try to start apache, I get some errors in audit.log and apache
> > fails to start.
> >
> > type=AVC msg=audit(1186086032.546:60): avc:  denied  { execstack } for
> > pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0
> > tcontext=user_u:system_r:httpd_t:s0 tclass=process
> > type=SYSCALL msg=audit(1186086032.546:60): arch=c000003e syscall=10
> > success=no exit=-13 a0=7fff9c992000 a1=1000 a2=1000007 a3=4 items=0
> > ppid=2851 pid=2852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> > subj=user_u:system_r:httpd_t:s0 key=(null)
> > type=AVC msg=audit(1186088202.755:61): avc:  denied  { execute } for
> > pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819
> > scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0
> > tclass=file
> > type=SYSCALL msg=audit(1186088202.755:61): arch=c000003e syscall=9
> > success=no exit=-13 a0=0 a1=ec0b08 a2=5 a3=802 items=0 ppid=2880
> > pid=2881 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> > subj=user_u:system_r:httpd_t:s0 key=(null)
> > type=AVC_PATH msg=audit(1186088202.755:61):
> > path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"
> >
> > audit2allow is telling me to add the following rules:
> >
> > # audit2allow < audit.log
> > allow httpd_t self:process execstack;
> > allow httpd_t usr_t:file execute;
> >
> > My question/concerns are the following:
> >
> > 1.  What risks do I incur by making the process stack executable?
>
>it will incur a security risk, such as buffer overflow.
>Stack memory is not executable on most OSes these days, and
>will not change.
>
>you can first use execstack to check whether your program
>really needs an executable stack (you must have prelink first):
>
>for example:
>
>#execstack -q /usr/lib/vmware/lib/libart_lgpl_2.so.2/libart_lgpl_2.so.2
>X libart_lgpl_2.so.2
>
>and use execstack to remove the p_flags field of the PT_GNU_STACK header
>entry, then run the program to see whether it really needs the stack to be
>executable:
>
>execstack -c libart_lgpl_2.so.2
>
>if yes, you can also use a boolean to allow the stack to be executed:
>
>setsebool [-P] allow_execstack 1
>
>this will make all program stacks executable, and there are also:
>
>allow_java_execstack,allow_mplayer_execstack
>
>using these booleans, you will not need to write policy for executable
>stack.
>
>
> > 2.  If I am reading the second rule correctly, it's asking to allow
> > httpd_t to execute user_t files?
>
>I wonder why your libraries are usr_t, not lib_t; if your libs are
>lib_t, httpd_t can execute those files
>
> >
> > Thanks for your help
> >

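The X / - / ? markers that execstack prints come from the PT_GNU_STACK program header, and "?" means the object carries no such header at all, which is why the check above is inconclusive for libclntsh.so.10.1. As an added example (not from this thread and not the execstack tool's own code), here is a small ELF64 reader that reports the marker the same way and clears the PF_X flag the way "execstack -c" does; the ELF images it inspects are constructed inline for testing.

```python
import struct

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551  # GNU program header describing the stack mapping
PF_X = 0x1                 # segment flag: executable

def _phdrs(data: bytes):
    """Yield (offset, p_type, p_flags) for every ELF64 little-endian phdr."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled here")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)
        yield off, p_type, p_flags

def gnu_stack_marker(data: bytes) -> str:
    """Mimic 'execstack -q': 'X' executable stack, '-' non-executable,
    '?' when no PT_GNU_STACK header exists (the libclntsh case above)."""
    for _, p_type, p_flags in _phdrs(data):
        if p_type == PT_GNU_STACK:
            return "X" if p_flags & PF_X else "-"
    return "?"

def clear_execstack(data: bytes) -> bytes:
    """Mimic 'execstack -c' on an object that has PT_GNU_STACK: return a
    copy with PF_X cleared so the loader maps the stack non-executable."""
    buf = bytearray(data)
    for off, p_type, p_flags in _phdrs(data):
        if p_type == PT_GNU_STACK:
            struct.pack_into("<I", buf, off + 4, p_flags & ~PF_X)
            return bytes(buf)
    raise ValueError("no PT_GNU_STACK header to clear")

def build_elf64(phdrs):
    """Constructed test image: an ELF64 x86_64 ET_DYN header followed by the
    given (p_type, p_flags) program headers; no real segments or code."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 16)
                    for t, f in phdrs)
    return ehdr + body

if __name__ == "__main__":
    rwe = build_elf64([(PT_LOAD, 5), (PT_GNU_STACK, 7)])   # RWE stack
    none = build_elf64([(PT_LOAD, 5)])                     # header absent
    print(gnu_stack_marker(rwe))                           # X
    print(gnu_stack_marker(clear_execstack(rwe)))          # -
    print(gnu_stack_marker(none))                          # ?
```

A "?" object inherits the kernel's default stack policy for the process, so the AVC above can only be explained by something else in httpd's address space asking for an executable stack.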