Apache crashing in F-11

Rob Crittenden rcritten at redhat.com
Fri Aug 14 15:00:10 UTC 2009


Daniel J Walsh wrote:
> On 08/14/2009 09:16 AM, Rob Crittenden wrote:
>> I'm having a problem where Apache is segfaulting when SELinux is enabled
>> because of an AVC. I'm using freeIPA which defines a mod_python handler.
>>
>> The AVCs are:
>>
>> type=AVC msg=audit(1250255388.275:27650): avc:  denied  { execute } for
>>  pid=7849 comm="httpd"
>> path=2F746D702F6666696A7435517772202864656C6574656429 dev=sda1
>> ino=442585 scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file
>>
>> type=AVC msg=audit(1250255388.288:27652): avc:  denied  { execute } for
>>  pid=7850 comm="httpd"
>> path=2F6465762F73686D2F6666696D436E667967202864656C6574656429 dev=tmpfs
>> ino=33960 scontext=unconfined_u:system_r:httpd_t:s0
>> tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file
>>
>> audit2allow generated this:
>>
>> module test 1.0;
>>
>> require {
>>         type httpd_tmp_t;
>>         type httpd_t;
>>         type httpd_tmpfs_t;
>>         class file execute;
>> }
>>
>> #============= httpd_t ==============
>> allow httpd_t httpd_tmp_t:file execute;
>> allow httpd_t httpd_tmpfs_t:file execute;
>>
>> I'm a bit stumped. What should I look for, something doing an exec,
>> something messing in /tmp, both?
>>
>> thanks
>>
>> rob
>>
>>
> Apache executing something in /tmp, just feels like a very bad idea.  I am not sure mod_python is doing this, but I would look for some configuration that is putting files in /tmp.
>

Ok, the core dumps were relatively enlightening. They at least pointed 
out what import things were choking on.

Turns out that the python ctypes module creates a file in /tmp and 
executes it. It seems, oddly enough, to actually execute gcc and 
ldconfig. Quite bizarre. By not importing that module it makes SELinux 
happy again.

rob
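The `path=` values in the AVC records quoted above are hex-encoded, which is how the audit subsystem logs strings that contain spaces or other special characters (quoted values are literal). The following Python decoder is an added example, not part of the original message; the function names are hypothetical and the sample records are copied from the message with the mail line wraps joined.

```python
import re

# The two AVC records quoted in the message, with mail line wraps joined.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1250255388.275:27650): avc:  denied  { execute } for '
    ' pid=7849 comm="httpd" '
    'path=2F746D702F6666696A7435517772202864656C6574656429 dev=sda1 '
    'ino=442585 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_tmp_t:s0 tclass=file',
    'type=AVC msg=audit(1250255388.288:27652): avc:  denied  { execute } for '
    ' pid=7850 comm="httpd" '
    'path=2F6465762F73686D2F6666696D436E667967202864656C6574656429 dev=tmpfs '
    'ino=33960 scontext=unconfined_u:system_r:httpd_t:s0 '
    'tcontext=unconfined_u:object_r:httpd_tmpfs_t:s0 tclass=file',
]

# Only these fields are treated as strings; numeric fields such as pid or
# ino can look like valid hex and must not be decoded.
STRING_FIELDS = {"path", "comm", "name", "exe"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')


def decode_audit_string(raw):
    """Return the readable form of an audit string field."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]                      # quoted: already literal
    if HEX_RE.fullmatch(raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw                                # e.g. (null)


def parse_avc(record):
    """Split one AVC record into a dict, decoding string fields."""
    fields = {}
    for key, value in FIELD_RE.findall(record):
        fields[key] = decode_audit_string(value) if key in STRING_FIELDS else value
    match = PERMS_RE.search(record)
    fields["perms"] = match.group(1).split() if match else []
    return fields


if __name__ == "__main__":
    for rec in SAMPLE_AVCS:
        f = parse_avc(rec)
        print(f["comm"], f["perms"], f["path"], f["tcontext"])
```

Both paths decode to already-deleted temporary files whose names begin with `ffi`, one under /tmp and one under /dev/shm, which matches the two target types in the denials.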


More information about the fedora-selinux-list mailing list