Bug 192891

Summary: denied execheap, if allow_execheap=1 (for Zend Optimizer)
Product: [Fedora] Fedora
Reporter: Jaak Simm <jaaksimm>
Component: selinux-policy-targeted
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: 5
CC: drepper
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2006-05-24 17:18:47 UTC

Description Jaak Simm 2006-05-23 20:06:59 UTC
Description of problem:

Zend Optimizer, a binary plug-in for php, is denied for execheap, even if
allow_execheap is set to 1. The SELinux boolean allow_execheap should disable
execheap denial altogether. This happens when Zend Optimizer is used together
with php and httpd.
When starting httpd with php and Zend Optimizer, the following denials occur:

May 23 22:54:35 web2 kernel: audit(1148414075.256:3): avc:  denied  { ioctl } for  pid=2079 comm="httpd" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file
May 23 22:35:18 web2 kernel: audit(1148412918.741:4): avc:  denied  { execheap } for  pid=2120 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.38-1.fc5

How reproducible:
Always

Steps to Reproduce:
1. make sure httpd and php are installed

2. Download and unpack Zend Optimizer 3
   http://www.zend.com/products/zend_optimizer
   (requires a zend.com user, which can be created for free at the download site)

3. Run ./install in the unpacked dir of Zend Optimizer
   It will ask a few questions, but the defaults should be fine.

4. Allow execheap, give zend files correct security context, and remove their
execstack requirement:
   setsebool allow_execheap 1
   chcon -t httpd_modules_t -u system_u `find /usr/local/Zend/lib/ -name \*.so`
   execstack -c `find /usr/local/Zend/lib/ -name \*.so`

5. restart httpd:
   service httpd restart


Actual results:
denied execheap (can be seen in /var/log/messages) and zend does not work due to
that

Expected results:
not denied execheap, since allow_execheap=1

Comment 1 Daniel Walsh 2006-05-24 17:18:47 UTC
This is probably a bug in Zend that is requiring this access.

Have a look at 
http://people.redhat.com/~drepper/selinux-mem.html

to explain this permission.

allow_execheap and friends only affect the unconfined domains.  unconfined_t,
initrc_t etc.  So if you want this to work with SELinux you will need to create
a policy module 

grep execmem /var/log/messages | audit2allow -M Zend 
semodule -i Zend.pp
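Comment 1 turns on a distinction that is easy to miss when reading AVC lines: the allow_exec* booleans only change the outcome for unconfined domains, so a denial whose scontext is a confined type such as httpd_t will persist no matter how the boolean is set. The script below is an added example, not part of the bug report or of Fedora's policy tooling. It parses the two denials quoted in the description (embedded here as constructed single-line samples, plus one constructed unconfined_t sample for contrast) and reports, per line, whether a boolean would cover the denial, whether a policy module for the confined domain would be needed, or whether the permission is not an exec* memory permission at all. The list of unconfined types is taken from Comment 1 and is an assumption, not a query of the loaded policy.

```shell
#!/bin/sh
# Added example: classify SELinux AVC denials the way Comment 1 reasons
# about them. Sample lines are constructed from the denials quoted in
# the bug description (joined onto single lines, as /var/log/messages
# would carry them); the unconfined_t line is constructed for contrast.

SAMPLE_IOCTL='May 23 22:54:35 web2 kernel: audit(1148414075.256:3): avc:  denied  { ioctl } for  pid=2079 comm="httpd" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file'
SAMPLE_EXECHEAP_HTTPD='May 23 22:35:18 web2 kernel: audit(1148412918.741:4): avc:  denied  { execheap } for  pid=2120 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process'
SAMPLE_EXECHEAP_UNCONFINED='May 23 22:40:01 web2 kernel: audit(1148413201.100:5): avc:  denied  { execheap } for  pid=2200 comm="php" scontext=root:system_r:unconfined_t:s0 tcontext=root:system_r:unconfined_t:s0 tclass=process'

# Domains in which the allow_exec* booleans take effect, per Comment 1
# (assumed list; the real set comes from the installed policy).
UNCONFINED_TYPES="unconfined_t initrc_t"

# avc_field LINE KEY -> value of KEY=... in the AVC line
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\([^[:space:]]*\).*/\1/p"
}

# avc_perm LINE -> the permission named inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied[[:space:]]*{[[:space:]]*\([^ }]*\).*/\1/p'
}

# ctx_type CONTEXT -> the type component, e.g. httpd_t from root:system_r:httpd_t:s0
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# classify LINE -> "boolean"  : an allow_exec* boolean governs this denial
#                  "module"   : confined domain; needs a policy module (or a fix in the program)
#                  "other"    : not an exec* memory permission
classify() {
    perm=$(avc_perm "$1")
    stype=$(ctx_type "$(avc_field "$1" scontext)")
    case "$perm" in
        execheap|execmem|execstack|execmod) ;;
        *) echo other; return 0 ;;
    esac
    for t in $UNCONFINED_TYPES; do
        [ "$stype" = "$t" ] && { echo boolean; return 0; }
    done
    echo module
}

# report LINE -> one human-readable line per denial
report() {
    printf '%-9s perm=%-9s domain=%-13s comm=%s\n' \
        "$(classify "$1")" "$(avc_perm "$1")" \
        "$(ctx_type "$(avc_field "$1" scontext)")" "$(avc_field "$1" comm)"
}

report "$SAMPLE_IOCTL"
report "$SAMPLE_EXECHEAP_HTTPD"
report "$SAMPLE_EXECHEAP_UNCONFINED"
```

Running it prints `other` for the devpts ioctl line, `module` for the httpd_t execheap line from the report (setsebool cannot help there, which is what Comment 1 says), and `boolean` for the constructed unconfined_t line. Feeding real denials to `classify` (for example by looping over `grep 'avc:.*denied' /var/log/messages`) separates the lines a boolean can address from the ones that would end up in an audit2allow module, so the module's contents can be reviewed before it is loaded.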