Bug 504394 - SELinux prevents HTTPD from loading Zend extensions
Product: Fedora
Classification: Fedora
Component: selinux-policy
Hardware/OS: i386 Linux
Priority: low  Severity: high
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
Reported: 2009-06-05 22:07 EDT by Bruce
Modified: 2009-07-15 04:17 EDT (History)
Last Closed: 2009-07-15 04:17:32 EDT

Attachments:
Dump of AVC Denial Alerts (54.24 KB, text/plain), 2009-06-08 14:11 EDT, Bruce

Description Bruce 2009-06-05 22:07:29 EDT
It will not allow ZendDebugger, ZendExtensionManager or ZendOptimizer to load. The recommended actions below do not work.

Summary: SELinux is preventing the httpd (httpd_t) from executing /usr/local/Zend/lib/ZendExtensionManager.so.

Detailed Description: SELinux has denied the httpd from executing /usr/local/Zend/lib/ZendExtensionManager.so. If httpd is supposed to be able to execute /usr/local/Zend/lib/ZendExtensionManager.so, this could be a labeling problem. Most confined domains are allowed to execute files labeled bin_t. So you could change the labeling on this file to bin_t and retry the application. If this httpd is not supposed to execute /usr/local/Zend/lib/ZendExtensionManager.so, this could signal a intrusion attempt.

Allowing Access: If you want to allow httpd to execute /usr/local/Zend/lib/ZendExtensionManager.so:

chcon -t bin_t '/usr/local/Zend/lib/ZendExtensionManager.so'

If this fix works, please update the file context on disk, with the following command:

semanage fcontext -a -t bin_t '/usr/local/Zend/lib/ZendExtensionManager.so'

Please specify the full path to the executable, Please file a bug report against this selinux-policy to make sure this becomes the default labeling.
Comment 1 Bruce 2009-06-08 12:03:55 EDT
FYI: I have been able to get the Zend extensions to load on my Fedora 9 testing server by setting SELinux enforcement to permissive, by bypassing the Zend Extension Manager and loading the required extensions explicitly and by loading the Zend Debugger extension last. The extensions now load and run as expected.

Zend support says that it is a problem with SELinux and can offer no insight.

I have had constant and annoying problems with SELinux since I set up this testing server. Every time I update the system I am getting new policy alerts that just keep blinking. The SELinux security manager interface is arcane and obtuse when it comes to dealing with these policy behaviors and alerts. It provides no useful information or direction on how to manage this system (unless perhaps you are one of the designers of SELinux). The online instructions for taking action (creating or changing policy rules) are even less helpful. I have heard from other Zend users who say just 'turn it off.'

Can someone who knows shed some light on what this thing is doing and how it can be managed by someone who has other more pressing tasks at hand? Or should it just be gutted and ignored?
Comment 2 Daniel Walsh 2009-06-08 13:30:08 EDT
SELinux is all about labelling.

Seems to be labelled incorrectly for apache to be able to use them.

What is the label on this file?

ls -lZ /usr/local/Zend/lib/ZendExtensionManager.so

What is the complete message that setroubleshoot reported (the AVC message)?
Comment 3 Bruce 2009-06-08 14:11:40 EDT
Created attachment 346903
Dump of AVC Denial Alerts
Comment 4 Bruce 2009-06-08 14:18:03 EDT
What is the context of 'labeling'? Can't find any reference to this use of the term related to file properties. Is this an SELinux property?

ls -lZ currently returns the following:
unconfined_u:object_r:usr_t:s0 for Optimizer-3.3.3 (folder)
unconfined_u:object_r:bin_t:s0 for ZendExtensionManager.so

I have attached a dump of the AVC denials to date.
Comment 5 Miroslav Grepl 2009-06-09 07:15:30 EDT
You can check the default SELinux security context using 'matchpathcon'. For example:

# matchpathcon /usr/lib/php/modules/ZendDebugger.so
/usr/lib/php/modules/ZendDebugger.so	system_u:object_r:textrel_shlib_t:s0

If you see a different label in the output of

# ls -lZ  /usr/lib/php/modules/ZendDebugger.so

you can use 'restorecon' for the fix. In your case execute 

# restorecon -R -v /usr/lib/php/modules/

This should fix some of your issues.
Comment 6 Miroslav Grepl 2009-06-09 07:37:30 EDT
The next issue from your log concerns 'ZendOptimizer.so'. Just execute what setroubleshoot suggests:

chcon -t textrel_shlib_t /usr/local/Zend/lib/Optimizer-3.3.3/php-5.2.x/ZendOptimizer.so

For the issue regarding 'ZendExtensionManager.so', execute

chcon -t textrel_shlib_t /usr/local/Zend/lib/*.so
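The label check from comment 5 and the relabeling from comment 6, written up as an added shell example (not code from this bug report or from the selinux-policy package): it parses AVC records, compares the file's current type with the type the policy expects (what 'matchpathcon' prints; textrel_shlib_t for the PHP modules here), and emits a persistent fix via 'semanage fcontext' + 'restorecon' instead of a one-off 'chcon' that the next relabel would undo. The AVC records are constructed samples modelled on this bug, not lines from the attached dump, and the execmod permission in them is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report): triage AVC denials for httpd
# loading shared objects. The expected type is what 'matchpathcon' prints
# for the path (textrel_shlib_t for the PHP modules in this bug); when the
# file already carries it, the denial is a policy gap, not a labeling bug.

# Pull one key=value field out of an AVC record (values may be quoted).
avc_field() { # usage: avc_field KEY "LINE"
  printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# Type component of an SELinux context user:role:type[:level].
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Print persistent relabel commands when the current type is wrong; when the
# label already matches, say so instead of suggesting another chcon.
relabel_cmds() { # usage: relabel_cmds PATH CURRENT_TYPE EXPECTED_TYPE
  if [ "$2" = "$3" ]; then
    printf '%s already labelled %s: not a labeling problem, policy needs a rule\n' "$1" "$3"
  else
    printf "semanage fcontext -a -t %s '%s'\nrestorecon -v '%s'\n" "$3" "$1" "$1"
  fi
}

# Triage one record: only httpd_t denials on file objects are ours to fix.
triage_avc() { # usage: triage_avc EXPECTED_TYPE "LINE"
  [ "$(ctx_type "$(avc_field scontext "$2")")" = httpd_t ] || return 1
  [ "$(avc_field tclass "$2")" = file ] || return 1
  relabel_cmds "$(avc_field path "$2")" \
    "$(ctx_type "$(avc_field tcontext "$2")")" "$1"
}

# Constructed samples (not the attached dump): the manager mislabelled bin_t
# per setroubleshoot's advice, the optimizer left as usr_t, and the debugger
# already carrying the expected type.
AVC1='type=AVC msg=audit(1244491000.123:45): avc:  denied  { execmod } for  pid=2345 comm="httpd" path="/usr/local/Zend/lib/ZendExtensionManager.so" dev=sda2 ino=1 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:bin_t:s0 tclass=file'
AVC2='type=AVC msg=audit(1244491001.456:46): avc:  denied  { execmod } for  pid=2345 comm="httpd" path="/usr/local/Zend/lib/Optimizer-3.3.3/php-5.2.x/ZendOptimizer.so" dev=sda2 ino=2 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file'
AVC3='type=AVC msg=audit(1244491002.789:47): avc:  denied  { execmod } for  pid=2345 comm="httpd" path="/usr/local/Zend/lib/ZendDebugger.so" dev=sda2 ino=3 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:textrel_shlib_t:s0 tclass=file'

for rec in "$AVC1" "$AVC2" "$AVC3"; do
  triage_avc textrel_shlib_t "$rec" || true
done
```

On a real host, feed it `ausearch -m avc -c httpd --raw` output line by line and take the expected type from `matchpathcon` for each path.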
Comment 7 Bug Zapper 2009-06-09 23:43:53 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 8 Miroslav Grepl 2009-06-18 11:58:21 EDT
Fixed in selinux-policy-3.3.1-135.fc9
Comment 9 Bug Zapper 2009-07-15 04:17:32 EDT
Fedora 9 changed to end-of-life (EOL) status on 2009-07-10. Fedora 9 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.
