Bug 192891 - denied execheap, if allow_execheap=1 (for Zend Optimizer)
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Daniel Walsh
Reported: 2006-05-23 16:06 EDT by Jaak Simm
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2006-05-24 13:18:47 EDT
Description Jaak Simm 2006-05-23 16:06:59 EDT
Description of problem:

Zend Optimizer, a binary plug-in for php, is denied for execheap, even if
allow_execheap is set to 1. SELinux boolean allow_execheap should disable
execheap denial altogether. This happens when Zend Optimizer is used together
with php and httpd.
When starting httpd with php and Zend Optimizer, the following denials occur:

May 23 22:54:35 web2 kernel: audit(1148414075.256:3): avc:  denied  { ioctl }
for  pid=2079 comm="httpd" name="0" dev=devpts ino=2
scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file
May 23 22:35:18 web2 kernel: audit(1148412918.741:4): avc:  denied  { execheap }
for  pid=2120 comm="httpd" scontext=root:system_r:httpd_t:s0
tcontext=root:system_r:httpd_t:s0 tclass=process


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.38-1.fc5

How reproducible:
Always

Steps to Reproduce:
1. make sure httpd and php are installed

2. Download and unpack Zend Optimizer 3
   http://www.zend.com/products/zend_optimizer
   (requires a zend.com user, which can be created  for free at the download site)

3. Run ./install in the unpacked dir of Zend Optimizer
   It will ask a few questions, but defaults should be fine.

4. Allow execheap, give zend files correct security context, and remove their
execstack requirement:
   setsebool allow_execheap 1
   chcon -t httpd_modules_t -u system_u `find /usr/local/Zend/lib/ -name \*.so`
   execstack -c `find /usr/local/Zend/lib/ -name \*.so`

5. restart httpd:
   service httpd restart


Actual results:
denied execheap (can be seen in /var/log/messages) and zend does not work due to
that

Expected results:
not denied execheap, since allow_execheap=1
Comment 1 Daniel Walsh 2006-05-24 13:18:47 EDT
This is probably a bug in Zend that is requiring this access.

Have a look at 
http://people.redhat.com/~drepper/selinux-mem.html

to explain this permission.

allow_execheap and friends only affect the unconfined domains: unconfined_t,
initrc_t, etc. So if you want this to work with SELinux you will need to create
a policy module

grep execmem /var/log/messages | audit2allow -M Zend 
semodule -i Zend.pp
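
The triage that comment 1 describes, as an added Python example (not part of the bug report and not SELinux tooling): it parses AVC denial lines, keeps the memory-protection permissions of class process, and reports whether the source domain is one the boolean is said to cover. Assumptions: the domain set holds only the two domains named in comment 1 (which ends in "etc.", so it is not exhaustive), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# The two denials from the report above, rejoined onto single lines.
SAMPLE_LOG = """\
May 23 22:54:35 web2 kernel: audit(1148414075.256:3): avc:  denied  { ioctl } for  pid=2079 comm="httpd" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file
May 23 22:35:18 web2 kernel: audit(1148412918.741:4): avc:  denied  { execheap } for  pid=2120 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
"""

# Memory-protection permissions of the SELinux "process" class.
MEM_PERMS = {"execheap", "execmem", "execstack"}
# Assumption: only the domains comment 1 names as covered by allow_execheap.
BOOLEAN_DOMAINS = {"unconfined_t", "initrc_t"}

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?'
    r'comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=\S+\s+tclass=(?P<tclass>\S+)'
)

def domain_of(context):
    """Return the type field of a user:role:type[:level] context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context

def memory_denials(log_text):
    """Map (comm, source domain) to the set of denied memory permissions."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m.group("tclass") != "process":
            continue  # not an AVC denial, or not a process-class check
        perms = set(m.group("perms").split()) & MEM_PERMS
        if perms:
            found[(m.group("comm"), domain_of(m.group("scontext")))] |= perms
    return dict(found)

def triage(log_text):
    """List (comm, domain, permissions, suggested next step) per denial source."""
    report = []
    for (comm, domain), perms in sorted(memory_denials(log_text).items()):
        covered = domain in BOOLEAN_DOMAINS
        step = "check the boolean" if covered else "needs a policy module for this domain"
        report.append((comm, domain, sorted(perms), step))
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(row)
```
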
