apache2 failing to start
Ubaidul Khan
ukhanlists at hotmail.com
Fri Aug 3 15:43:09 UTC 2007
Ken,
Thank you for your response.
>you can first use execstack to check whether your program really needs an
>executable stack (you must have prelink installed first):
I checked to see if the library requires an executable stack and execstack
returns unknown (? - when it is unknown whether the object requires or
doesn't require an executable stack).
# execstack -q libclntsh.so.10.1
? libclntsh.so.10.1
I don't think it was prelinked since these libraries are distributed by
oracle as binary files (all I did was download the archive from oracle's
website and extract it into /opt/oracle/app/instant-client-10.1). Then
I downloaded the php-5.1.6-11 SRPM and linked against the oci libraries in
the following manner:
configure \
--with-oci8=instantclient,/opt/oracle/app/instant-client-10.1/
>i wonder why your libraries are usr_t, not lib_t; if your libs are lib_t,
>httpd_t can execute those files
I think this happened because I made the directory path
/opt/oracle/app/instant-client-10.1/ as root. This path inherited the
default context. I imagine it would be more sensible to store the libraries
in /usr/lib or /usr/lib64.
I am still puzzled by the executable stack dilemma. I noticed this goes
away when I disable selinux (setenforce 0).
Look forward to your correspondence.
>From: Ken YANG <spng.yang at gmail.com>
>To: Ubaidul Khan <ukhanlists at hotmail.com>
>CC: fedora-selinux-list at redhat.com
>Subject: Re: apache2 failing to start
>Date: Fri, 03 Aug 2007 13:10:27 +0800
>
>Ubaidul Khan wrote:
> > Hello,
> >
> > We are running RHEL 5 x86_64 and I compiled php from Source RPM, so I
> > could link php with Oracle Instant Client Libraries(oci). OCI is
> > installed under /opt with the following contexts:
> >
> > # ls -lZ
> > drwxr-xr-x root root system_u:object_r:usr_t oracle
> >
> > [root at saleen_webvm1 instant-client-10.1]# pwd
> > /opt/oracle/app/instant-client-10.1
> > [root at saleen_webvm1 instant-client-10.1]# ls -alZ
> > drwxr-xr-x root root system_u:object_r:usr_t .
> > drwxr-xr-x root root system_u:object_r:usr_t ..
> > -rw-r--r-- root root system_u:object_r:usr_t classes12.jar
> > drwxr-xr-x root root system_u:object_r:usr_t docs
> > -rw-r--r-- root root system_u:object_r:usr_t glogin.sql
> > lrwxrwxrwx root root system_u:object_r:usr_t libclntsh.so
> > -rwxr-xr-x root root system_u:object_r:usr_t libclntsh.so.10.1
> > -rwxr-xr-x root root system_u:object_r:usr_t libnnz10.so
> > lrwxrwxrwx root root system_u:object_r:usr_t libocci.so
> > -rwxr-xr-x root root system_u:object_r:usr_t libocci.so.10.1
> > -rwxr-xr-x root root system_u:object_r:usr_t libociei.so
> > -rwxr-xr-x root root system_u:object_r:usr_t libocijdbc10.so
> > -rwxr-xr-x root root system_u:object_r:usr_t libsqlplus.so
> > -rw-r--r-- root root system_u:object_r:usr_t ojdbc14.jar
> > -rw-r--r-- root root system_u:object_r:usr_t README_IC.htm
> > drwxr-xr-x root root system_u:object_r:usr_t sdk
> > -rwxr-xr-x root root system_u:object_r:usr_t sqlplus
> > -rw-r--r-- root root system_u:object_r:usr_t tnsnames.ora
> >
> > When try to start apache, I get some errors in audit.log and apache
> > fails to start.
> >
> > type=AVC msg=audit(1186086032.546:60): avc: denied { execstack } for
> > pid=2852 comm="httpd" scontext=user_u:system_r:httpd_t:s0
> > tcontext=user_u:system_r:httpd_t:s0 tclass=process
> > type=SYSCALL msg=audit(1186086032.546:60): arch=c000003e syscall=10
> > success=no exit=-13 a0=7fff9c992000 a1=1000 a2=1000007 a3=4 items=0
> > ppid=2851 pid=2852 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> > sgid=0 fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> > subj=user_u:system_r:httpd_t:s0 key=(null)
> > type=AVC msg=audit(1186088202.755:61): avc: denied { execute } for
> > pid=2881 comm="httpd" name="libclntsh.so.10.1" dev=xvda3 ino=2703819
> > scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0
> > tclass=file
> > type=SYSCALL msg=audit(1186088202.755:61): arch=c000003e syscall=9
> > success=no exit=-13 a0=0 a1=ec0b08 a2=5 a3=802 items=0 ppid=2880
> > pid=2881 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) comm="httpd" exe="/usr/sbin/httpd"
> > subj=user_u:system_r:httpd_t:s0 key=(null)
> > type=AVC_PATH msg=audit(1186088202.755:61):
> > path="/opt/oracle/app/instant-client-10.1/libclntsh.so.10.1"
> >
> > audit2allow is telling me to add the following rules:
> >
> > # audit2allow < audit.log
> > allow httpd_t self:process execstack;
> > allow httpd_t usr_t:file execute;
> >
> > My question/concerns are the following:
> >
> > 1. What risks do I incur by making the process stack executable?
>
>it will incur security risks, such as buffer overflow.
>Stack memory is not executable on most OSes these days, and
>will not change.
>
>you can first use execstack to check whether your program
>really needs an executable stack (you must have prelink installed first):
>
>for example:
>
>#execstack -q /usr/lib/vmware/lib/libart_lgpl_2.so.2/libart_lgpl_2.so.2
>X libart_lgpl_2.so.2
>
>and use execstack to remove the p_flags field of the PT_GNU_STACK header
>entry, and run the program to see whether it really needs the stack to be
>executable:
>
>execstack -c libart_lgpl_2.so.2
>
>if yes, you can also use a boolean to allow the stack to be executed:
>
>setsebool [-P] allow_execstack 1
>
>this will make all program stacks executable, and there are also:
>
>allow_java_execstack,allow_mplayer_execstack
>
>using these booleans, you will not need to write policy for executable
>stack.
>
>
> > 2. If I am reading the second rule correctly, it's asking to allow
> > httpd_t to execute user_t files?
>
>i wonder why your libraries are usr_t, not lib_t; if your libs are
>lib_t, httpd_t can execute those files
>
> >
> > Thanks for your help
> >
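The PT_GNU_STACK check that execstack -q performs, written out as an added example (my code, not from this thread or from the prelink package): stack_flag() parses the ELF program headers and reports X, - or ? exactly as execstack does, so the marking on libclntsh.so.10.1 can be confirmed before deciding whether allow_execstack is needed at all. make_elf64() builds a constructed test image; both function names are my own.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack policy
PF_X = 0x1                 # execute bit in p_flags


def stack_flag(elf: bytes) -> str:
    """Classify an ELF image the way `execstack -q` does:
    'X' = PT_GNU_STACK asks for an executable stack,
    '-' = PT_GNU_STACK present and non-executable,
    '?' = no PT_GNU_STACK header, so the loader default applies."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, off)
        if p_type != PT_GNU_STACK:
            continue
        # p_flags follows p_type in ELF64 but sits at offset 24 in ELF32
        (p_flags,) = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        return "X" if p_flags & PF_X else "-"
    return "?"


def make_elf64(gnu_stack_flags):
    """Constructed minimal little-endian ELF64 image (not a real library):
    one PT_LOAD header plus, unless None, one PT_GNU_STACK with given flags."""
    phdrs = [(1, 5, 0, 0, 0, 0, 0, 0x1000)]  # PT_LOAD, r-x
    if gnu_stack_flags is not None:
        phdrs.append((PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 16))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + b"\x00" * 9   # ELF64, LE, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(stack_flag(fh.read()), path)
```

Run it as python3 stack_flag.py /opt/oracle/app/instant-client-10.1/libclntsh.so.10.1; a ? result means the library carries no PT_GNU_STACK header at all, which is why execstack cannot say either way.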