Bug 192891 - denied execheap, if allow_execheap=1 (for Zend Optimizer)
Summary: denied execheap, if allow_execheap=1 (for Zend Optimizer)
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 5
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-05-23 20:06 UTC by Jaak Simm
Modified: 2007-11-30 22:11 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-05-24 17:18:47 UTC
Type: ---
Embargoed:



Description Jaak Simm 2006-05-23 20:06:59 UTC
Description of problem:

Zend Optimizer, a binary plug-in for php, is denied execheap, even if
allow_execheap is set to 1. The SELinux boolean allow_execheap should disable
execheap denial altogether. This happens when Zend Optimizer is used together
with php and httpd.
When starting httpd with php and Zend Optimizer, the following denials occur:

May 23 22:54:35 web2 kernel: audit(1148414075.256:3): avc:  denied  { ioctl } for  pid=2079 comm="httpd" name="0" dev=devpts ino=2 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:devpts_t:s0 tclass=chr_file
May 23 22:35:18 web2 kernel: audit(1148412918.741:4): avc:  denied  { execheap } for  pid=2120 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process


Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.2.38-1.fc5

How reproducible:
Always

Steps to Reproduce:
1. make sure httpd and php are installed

2. Download and unpack Zend Optimizer 3
   http://www.zend.com/products/zend_optimizer
   (requires a zend.com user, which can be created for free at the download site)

3. Run ./install in the unpacked dir of Zend Optimizer
   It will ask a few questions, but the defaults should be fine.

4. Allow execheap, give zend files correct security context, and remove their
execstack requirement:
   setsebool allow_execheap 1
   chcon -t httpd_modules_t -u system_u `find /usr/local/Zend/lib/ -name \*.so`
   execstack -c `find /usr/local/Zend/lib/ -name \*.so`

5. restart httpd:
   service httpd restart


Actual results:
execheap is denied (can be seen in /var/log/messages) and Zend does not work
because of that

Expected results:
execheap is not denied, since allow_execheap=1

Comment 1 Daniel Walsh 2006-05-24 17:18:47 UTC
This is probably a bug in Zend that is requiring this access.

Have a look at
http://people.redhat.com/~drepper/selinux-mem.html
which explains this permission.

allow_execheap and friends only affect the unconfined domains (unconfined_t,
initrc_t, etc.). So if you want this to work with SELinux you will need to
create a policy module:

grep execheap /var/log/messages | audit2allow -M Zend
semodule -i Zend.pp



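The point of Comment 1 is visible in the denial itself: scontext is root:system_r:httpd_t:s0, a confined domain, and in this policy the allow_execheap boolean gates only the unconfined domains, so steps 4 and 5 of the report cannot have any effect on httpd_t. What audit2allow does with that line is mechanical, and writing it out by hand shows exactly what the resulting module grants. The script below is an added example, not code from the bug report, from Zend or from the Fedora policy; the function names are mine, the module name Zend is taken from Comment 1, and the only input is the execheap denial quoted in the report, embedded as a constructed sample line.

```shell
#!/bin/sh
# Added example, not from the bug report, Zend or the Fedora policy: derive
# the allow rule behind the quoted execheap denial and package it as the
# loadable module "Zend" that Comment 1 asks for. Function names are my own;
# audit2allow produces the same rule from the same line.

# Constructed sample input: the execheap denial quoted in the report, on one
# line as it appears in /var/log/messages.
AVC_LINE='May 23 22:35:18 web2 kernel: audit(1148412918.741:4): avc:  denied  { execheap } for  pid=2120 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process'

# avc_to_allow LINE: print "allow SRC TGT:CLASS PERMS;" for one AVC line.
# The source type (httpd_t here) is what decides the boolean question:
# allow_execheap gates unconfined_t and friends, not confined domains.
avc_to_allow() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied *{ *\([^}]*[^ }]\) *}.*/\1/p')
    src=$(printf '%s\n' "$line" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    tgt=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=[^:]*:[^:]*:\([^:]*\):.*/\1/p')
    cls=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([a-z_]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$src" ] && [ -n "$tgt" ] && [ -n "$cls" ] || return 1
    # A process denied access to its own context is written as "self".
    if [ "$src" = "$tgt" ]; then tgt=self; fi
    printf 'allow %s %s:%s %s;\n' "$src" "$tgt" "$cls" "$perms"
}

# make_te NAME LINE: print a complete Type Enforcement source (NAME.te) for
# the single denial in LINE, including the require block checkmodule needs.
make_te() {
    name=$1; line=$2
    rule=$(avc_to_allow "$line") || return 1
    set -- $rule                       # unquoted on purpose: allow SRC TGT:CLASS PERMS;
    src=$2; tgt=${3%%:*}; cls=${3#*:}
    perms=$(printf '%s\n' "$rule" | sed -n 's/^allow [^ ]* [^ ]* \(.*\);$/\1/p')
    printf 'module %s 1.0;\n\nrequire {\n    type %s;\n' "$name" "$src"
    if [ "$tgt" != self ]; then printf '    type %s;\n' "$tgt"; fi
    printf '    class %s { %s };\n}\n\n%s\n' "$cls" "$perms" "$rule"
}

# build_and_load NAME: compile NAME.te into NAME.pp and, when root, install it.
# Skips cleanly on hosts without the SELinux toolchain.
build_and_load() {
    name=$1
    for tool in checkmodule semodule_package semodule; do
        if ! command -v "$tool" >/dev/null 2>&1; then
            echo "$tool not found; skipping build of $name.pp" >&2
            return 0
        fi
    done
    checkmodule -M -m -o "$name.mod" "$name.te" &&
        semodule_package -o "$name.pp" -m "$name.mod" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        semodule -i "$name.pp"
    else
        echo "built $name.pp; run 'semodule -i $name.pp' as root to load it" >&2
    fi
}

make_te Zend "$AVC_LINE" > Zend.te
cat Zend.te
build_and_load Zend
```

The generated rule is `allow httpd_t self:process execheap;`, which is what the audit2allow pipeline in Comment 1 emits for this line. Note what it grants: every process in httpd_t, not just the Zend shared object, may now execute code from its heap, so a bug in any Apache module or PHP script running under that domain gets that capability too. That is the trade-off the boolean would have hidden, and it is why the answer to the report is a targeted module rather than a policy change.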