Description of problem:
On a fully up2date FC3 system as of today, the php-snmp support fails to load at httpd startup time due to an SELinux config issue.

/var/log/messages shows:

Jul 26 01:06:38 garibaldi kernel: audit(1122336398.845:3): avc: denied { execmem } for pid=3712 comm="httpd" scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=process

whilst /var/log/httpd/error_log shows:

PHP Warning: Unknown(): Unable to load dynamic library '/usr/lib/php4/snmp.so' - libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied in Unknown on line 0

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.16
php-snmp-4.3.11-2.6

How reproducible:
service httpd start

Additional info:
This is due to src/policy/domains/program/apache.te containing:

general_domain_access(httpd_t)

which comes from src/policy/macros/core_macros.te and which in turn includes:

allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem};
execstack -c libbeecrypt.so.6:
That does work. I guess this should be put against the beecrypt component, so that libbeecrypt is built without exec stack set. So that's what I'm doing.
Fedora Core 3 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thank you!
execstack -q libbeecrypt.so.6
- libbeecrypt.so.6