Bug 164231 - php-snmp fails to load due to SELinux execmem denial
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: beecrypt
Version: 3
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Paul Nasrat
Reported: 2005-07-25 22:50 EDT by Jonathan Larmour
Modified: 2007-11-30 17:11 EST
Doc Type: Bug Fix
Last Closed: 2006-08-14 14:25:40 EDT
Description Jonathan Larmour 2005-07-25 22:50:06 EDT
Description of problem:

On a fully up2date FC3 system as of today, the php-snmp support fails to load at
httpd startup time due to an SELinux config issue. /var/log/messages shows:

Jul 26 01:06:38 garibaldi kernel: audit(1122336398.845:3): avc:  denied  { execmem } for  pid=3712 comm="httpd" scontext=user_u:system_r:httpd_t tcontext=user_u:system_r:httpd_t tclass=process

whilst /var/log/httpd/error_log shows:
PHP Warning:  Unknown(): Unable to load dynamic library '/usr/lib/php4/snmp.so' - libbeecrypt.so.6: cannot enable executable stack as shared object requires: Permission denied in Unknown on line 0

Version-Release number of selected component (if applicable):

selinux-policy-targeted-1.17.30-3.16
php-snmp-4.3.11-2.6

How reproducible:

service httpd start

Additional info:

This is due to src/policy/domains/program/apache.te containing:
general_domain_access(httpd_t)
which comes from src/policy/macros/core_macros.te and which in turn includes:
allow $1 self:process ~{ptrace setcurrent setexec setfscreate setrlimit execmem};
Comment 1 Daniel Walsh 2005-07-26 14:40:56 EDT
execstack -c libbeecrypt.so.6
Comment 2 Jonathan Larmour 2005-08-04 07:28:49 EDT
That does work.

I guess this should be put against the beecrypt component, so that libbeecrypt
is shipped without exec stack set. So that's what I'm doing.
Comment 3 Matthew Miller 2006-07-10 19:29:11 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 4 Paul Nasrat 2006-08-14 14:25:40 EDT
execstack -q libbeecrypt.so.6
- libbeecrypt.so.6
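
The marker that `execstack -q` prints in Comment 4 comes from the ELF file's PT_GNU_STACK program header. As an added example (not part of the original bug report and not the execstack tool's own code), this Python sketch reads that header and returns the same X / - / ? marker, so a directory of shared objects can be audited for libraries that request an executable stack. The function names and the constructed sample ELF bytes are assumptions made for illustration.

```python
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header type that carries stack permissions
PF_X = 0x1                 # execute bit in p_flags


def gnu_stack_status(elf: bytes) -> str:
    """Return 'X' (executable stack requested), '-' (not requested) or
    '?' (no PT_GNU_STACK header), the markers `execstack -q` prints."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("unknown ELF class or byte order")
    is64 = elf[4] == 2                      # EI_CLASS
    end = "<" if elf[5] == 1 else ">"       # EI_DATA
    # Field offsets differ between the Elf32 and Elf64 layouts.
    phoff_fmt, phoff_at, ent_at, flags_at = ("Q", 32, 54, 4) if is64 else ("I", 28, 42, 24)
    (e_phoff,) = struct.unpack_from(end + phoff_fmt, elf, phoff_at)
    e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, ent_at)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from(end + "I", elf, base)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", elf, base + flags_at)
            return "X" if p_flags & PF_X else "-"
    return "?"


def sample_elf32(p_flags: int) -> bytes:
    """Constructed input: bare little-endian ELF32 header + one PT_GNU_STACK entry."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    return ehdr + struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, p_flags, 0)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:           # e.g. a copy of libbeecrypt.so.6
            with open(path, "rb") as fh:
                print(gnu_stack_status(fh.read()), path)
    else:
        print(gnu_stack_status(sample_elf32(7)), "constructed RWX sample")
        print(gnu_stack_status(sample_elf32(6)), "constructed RW- sample")
```

Run with file paths as arguments to check real libraries; with no arguments it prints the result for the two constructed samples.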
