Any idea what it was trying to do?

Dan

Not a clue, but it is reproducible - occurs with a slight delay 
right after starting the httpd server. 
Is this helpful in any way, or should I be looking for 
something else?

[root@cobra phantom]# strace -o log /usr/sbin/httpd -X

...

[root@cobra phantom]# cat log|grep PROT_EXEC|grep -v MAP_DENYWRITE
mprotect(0xbff8f000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) = 0

...

[root@cobra phantom]# grep PROT_GROWSDOWN -C 10 log
old_mmap(NULL, 60240, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 27, 0) =
0x891000
old_mmap(0x89f000, 4096, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 27, 0xe000) = 0x89f000
close(27)                               = 0
open("/usr/lib/libbeecrypt.so.6", O_RDONLY) = 27
read(27, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0p\353\304"..., 512) = 512
fstat64(27, {st_mode=S_IFREG|0755, st_size=116656, ...}) = 0
old_mmap(NULL, 118156, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 27, 0) =
0xae2000
old_mmap(0xafc000, 12288, PROT_READ|PROT_WRITE,
MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 27, 0x19000) = 0xafc000
mprotect(0xe1a000, 3820, PROT_READ|PROT_WRITE) = 0
mprotect(0xe1a000, 3820, PROT_READ)     = 0
mprotect(0xbff8f000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) = 0
close(27)                               = 0
access("/etc/selinux/", F_OK)           = 0
open("/etc/selinux/config", O_RDONLY|O_LARGEFILE) = 27
fstat64(27, {st_mode=S_IFREG|0644, st_size=440, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) =
0xb7d8d000
read(27, "# This file controls the state o"..., 4096) = 440
close(27)                               = 0
munmap(0xb7d8d000, 4096)                = 0
open("/proc/mounts", O_RDONLY|O_LARGEFILE) = 27
fstat64(27, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0

Can no longer reproduce.

Nope - it's back, and it happens every time I start up the webserver.
Not sure what causes it - I use the server for very simple stuff,
and probably never use the functionality that's broken by the denial.

execstack -q /usr/lib/libbeecrypt.so.6

- /usr/lib/libbeecrypt.so.6

uname -a

Linux cobra.ivg2.net 2.6.11-1.1275_FC4 #1 Wed Apr 27 14:20:44 EDT 2005 i686
athlon i386 GNU/Linux

Attach full strace log, please.
Any reason you aren't running a newer kernel (or more generally, updated against
latest rawhide)?

It's available at http://ivan.ivg2.net/httpd.log - 500 K.
(running on the same webserver, actually...)

This is a new log - not the same as before - it probably looks different.
It does report one case of PROT_WRITE | PROT_EXEC, which is what
interested me. 

Log was generated by running httpd -X from the console as sysadm,
until I got the denial I wanted, and then I killed it.

I don't run a newer kernel, because this one's reasonably recent, 
and it's a pain to change kernels, since I have to reinstall
the Nvidia driver yet again - isn't latest 1276 or something?
I'll update it today. 

Actually, I just discovered that the latest rawhide kernels don't boot on my
hardware.  Presently running 1.1286; anything newer causes /sbin/init to die for
me even with selinux=0.

Anyway, from your log, the last opened so file was /usr/lib/libgcrypt.so.11,
which doesn't exist on my system and I don't know where you got it.  execstack
-q and rpm -q -f it, please.

[phantom@cobra ~]$ execstack -q /usr/lib/libgcrypt.so.11
X /usr/lib/libgcrypt.so.11

[phantom@cobra ~]$ rpm -qf /usr/lib/libgcrypt.so.11
libgcrypt11-1.2.1-10.rhfc3.at

...doh..

I guess I'll be getting rid of that, to test with the one
from Fedora.

... no execstack with the one from Fedora.
Close the bug?

Sorry about that...

See, if extras had all the stuff I wanted, 
and was kept up to date, I wouldn't have to use
so many external repositories...

By the way, where's the official "Extras (development)" located now - 
I'm not quite sure I have the right URL.