Description of problem:
Zend Optimizer, a binary plug-in for php, is denied for execheap, even if allow_execheap is set to 1. The SELinux boolean allow_execheap should disable the execheap denial altogether. This happens when Zend Optimizer is used together with php and httpd.

When starting httpd with php and Zend Optimizer, the following denials occur:

May 23 22:54:35 web2 kernel: audit(1148414075.256:3): avc: denied { ioctl } for pid=2079 comm="httpd" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file
May 23 22:35:18 web2 kernel: audit(1148412918.741:4): avc: denied { execheap } for pid=2120 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.38-1.fc5

How reproducible:
Always

Steps to Reproduce:
1. Make sure httpd and php are installed.
2. Download and unpack Zend Optimizer 3 from http://www.zend.com/products/zend_optimizer (requires a zend.com user, which can be created for free at the download site).
3. Run ./install in the unpacked dir of Zend Optimizer. It will ask a few questions, but the defaults should be fine.
4. Allow execheap, give the Zend files the correct security context, and remove their execstack requirement:
   setsebool allow_execheap 1
   chcon -t httpd_modules_t -u system_u `find /usr/local/Zend/lib/ -name \*.so`
   execstack -c `find /usr/local/Zend/lib/ -name \*.so`
5. Restart httpd:
   service httpd restart

Actual results:
execheap is denied (can be seen in /var/log/messages) and Zend does not work because of that.

Expected results:
execheap is not denied, since allow_execheap=1.
This is probably a bug in Zend that is requiring this access. Have a look at http://people.redhat.com/~drepper/selinux-mem.html to explain this permission.

allow_execheap and friends only affect the unconfined domains: unconfined_t, initrc_t etc. So if you want this to work with SELinux you will need to create a policy module:

grep execmem /var/log/messages | audit2allow -M Zend
semodule -i Zend.pp
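The two points above (the AVC denials quoted in the report, and the reply's advice that the allow_exec* booleans only cover unconfined domains, so a confined domain such as httpd_t needs an explicit policy module) can be checked mechanically before reaching for audit2allow. The following is an added example, not code from the bug report or from the selinux-policy project: it parses kernel-log AVC lines into fields, flags memory-execution denials (execheap, execmem, execstack, execmod) raised in a confined source domain, and prints the simplified `allow` rule a module for that denial would need. The sample log text is constructed from the two lines in the report; the set of domains treated as unconfined is taken from the reply and is an assumption for other policies.

```python
import re

# Constructed sample input: the two AVC messages quoted in the bug report,
# in the form they appear in /var/log/messages.
SAMPLE_LOG = """\
May 23 22:54:35 web2 kernel: audit(1148414075.256:3): avc: denied { ioctl } for pid=2079 comm="httpd" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file
May 23 22:35:18 web2 kernel: audit(1148412918.741:4): avc: denied { execheap } for pid=2120 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Assumption (from the reply): these are the domains the allow_exec* booleans
# actually affect. Denials from any other domain need a policy rule.
UNCONFINED_TYPES = {"unconfined_t", "initrc_t"}
# Process-class permissions governed by the allow_exec* booleans.
MEMORY_PERMS = {"execheap", "execmem", "execstack", "execmod"}


def parse_avc(line):
    """Parse one AVC denial line into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def context_type(ctx):
    """Return the type component (user:role:type:level) of an SELinux context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) > 2 else ""


def needs_policy_module(rec):
    """True when the denial is a memory-execution permission on the process
    class raised from a confined domain, i.e. a case setsebool cannot fix."""
    if rec.get("tclass") != "process":
        return False
    if not MEMORY_PERMS & set(rec["perms"]):
        return False
    return context_type(rec.get("scontext", "")) not in UNCONFINED_TYPES


def suggest_rule(rec):
    """Simplified form of the allow rule audit2allow would emit for one denial."""
    stype = context_type(rec["scontext"])
    ttype = context_type(rec["tcontext"])
    target = "self" if ttype == stype else ttype
    perms = rec["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return "allow %s %s:%s %s;" % (stype, target, rec["tclass"], perm_str)


def triage(log_text):
    """Return the suggested rules for every denial that a boolean will not cover."""
    rules = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and needs_policy_module(rec):
            rules.append(suggest_rule(rec))
    return rules


if __name__ == "__main__":
    for rule in triage(SAMPLE_LOG):
        print(rule)
```

Run against the sample, only the execheap denial from httpd_t survives triage; the devpts ioctl denial is a separate, non-memory issue and is reported as such by `suggest_rule` if you want it in the same module. Feeding real `/var/log/messages` content into `triage` gives the same answer the reply's `grep | audit2allow` pipeline would, but lets you confirm first that the denial really comes from a confined domain rather than from a boolean that was not applied.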