Bug 619868

Summary: SELinux is preventing /usr/local/bin/php from making the program stack executable.
Product: [Fedora] Fedora Reporter: Renato <renato>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED NOTABUG QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: dwalsh, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:8348a06b89c4a6cbc9c0d3434284c389fa8f72e86768630be348ffec5adfb1a1
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-07-30 18:48:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Renato 2010-07-30 18:26:43 UTC
Sumário:

SELinux is preventing /usr/local/bin/php from making the program stack
executable.

Descrição detalhada:

[SElinux está em modo permissivo. Esse acesso não foi negado.]

The php application attempted to make its stack executable. This is a potential
security problem. This should never ever be necessary. Stack memory is not
executable on most OSes these days and this will not change. Executable stack
memory is one of the biggest security problems. An execstack error might in fact
be most likely raised by malicious code. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If php does not work and you need it to work, you can
configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report.

Permitindo acesso:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust php to run
correctly, you can change the context of the executable to execmem_exec_t.
"chcon -t execmem_exec_t '/usr/local/bin/php'" You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t execmem_exec_t '/usr/local/bin/php'"

Comando de correção:

chcon -t execmem_exec_t '/usr/local/bin/php'

Informações adicionais:

Contexto de origem            unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Contexto de destino           unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Objetos de destino            None [ process ]
Origem                        httpd
Caminho da origem             /usr/local/apache2/bin/httpd
Porta                         <Desconhecido>
Máquina                      (removed)
Pacotes RPM de origem         
Pacotes RPM de destino        
RPM da política              selinux-policy-3.6.32-41.fc12
Selinux habilitado            True
Tipo de política             targeted
MLS habilitado                True
Modo reforçado               Permissive
Nome do plugin                allow_execstack
Nome da máquina              (removed)
Plataforma                    Linux (removed) 2.6.31.5-127.fc12.i686
                              #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686
Contador de alertas           8
Visto pela primeira vez em    Qua 14 Jul 2010 16:25:58 BRT
Visto pela última vez em     Qui 29 Jul 2010 14:39:57 BRT
ID local                      9cd84d25-53a6-424b-af3a-097db204ea50
Números de linha             

Mensagens de auditoria não p 

node=(removed) type=AVC msg=audit(1280425197.892:697): avc:  denied  { execstack } for  pid=10513 comm="php" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1280425197.892:697): arch=40000003 syscall=125 success=yes exit=0 a0=bf8bf000 a1=1000 a2=1000007 a3=bf8bf280 items=0 ppid=8288 pid=10513 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=57 comm="php" exe="/usr/local/bin/php" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,allow_execstack,httpd,unconfined_t,unconfined_t,process,execstack
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;

Comment 1 Daniel Walsh 2010-07-30 18:48:35 UTC
Bug report tells you what you can do.  You really should update this machine.

This php script might be dangerous also.