Red Hat Bugzilla – Bug 504394
SELinux prevents HTTPD from loading Zend extensions
Last modified: 2009-07-15 04:17:32 EDT
It will not allow ZendDebugger, ZendExtensionManager or ZendOptimizer to load. The recommended actions below do not work.
Summary:
SELinux is preventing the httpd (httpd_t) from executing /usr/local/Zend/lib/ZendExtensionManager.so.

Detailed Description:
SELinux has denied the httpd from executing /usr/local/Zend/lib/ZendExtensionManager.so. If httpd is supposed to be able to execute /usr/local/Zend/lib/ZendExtensionManager.so, this could be a labeling problem. Most confined domains are allowed to execute files labeled bin_t. So you could change the labeling on this file to bin_t and retry the application. If this httpd is not supposed to execute /usr/local/Zend/lib/ZendExtensionManager.so, this could signal a intrusion attempt.

Allowing Access:
If you want to allow httpd to execute /usr/local/Zend/lib/ZendExtensionManager.so:
chcon -t bin_t '/usr/local/Zend/lib/ZendExtensionManager.so'
If this fix works, please update the file context on disk, with the following command:
semanage fcontext -a -t bin_t '/usr/local/Zend/lib/ZendExtensionManager.so'
Please specify the full path to the executable, Please file a bug report against this selinux-policy to make sure this becomes the default labeling.
FYI: I have been able to get the Zend extensions to load on my Fedora 9 testing server by setting SELinux enforcement to permissive, by bypassing the Zend Extension Manager and loading the required extensions explicitly and by loading the Zend Debugger extension last. The extensions now load and run as expected.
Zend support says that it is a problem with SELinux and can offer no insight.
I have had constant and annoying problems with SELinux since I set up this testing server. Every time I update the system I am getting new policy alerts that just keep blinking. The SELinux security manager interface is arcane and obtuse when it comes to dealing with these policy behaviors and alerts. It provides no useful information or direction on how to manage this system (unless perhaps you are one of the designers of SELinux). The online instructions for taking action (creating or changing policy rules) are even less helpful. I have heard from other Zend users who say just 'turn it off.'
Can someone who knows shed some light on what this thing is doing and how it can be managed by someone who has other more pressing tasks at hand? Or should it just be gutted and ignored?
SELinux is all about labelling
Seems to be labelled incorrectly for apache to be able to use them.
What is the label on this file?
ls -lZ /usr/local/Zend/lib/ZendExtensionManager.so
What is the complete message that setroubleshoot reported, the AVC message?
Created attachment 346903
Dump of AVC Denial Alerts
What is the context of 'labeling'? Can't find any reference to this use of the term related to file properties. Is this an SELinux property?
ls -lZ currently returns the following:
unconfined_u:object_r:usr_t:s0 for Optimizer-3.3.3 (folder)
unconfined_u:object_r:bin_t:s0 for ZendExtensionManager.so
I have attached a dump of the AVC denials to date.
You can check the default SELinux security context using 'matchpathcon'. For example:
# matchpathcon /usr/lib/php/modules/ZendDebugger.so
If you see a different label from the output of
# ls -lZ /usr/lib/php/modules/ZendDebugger.so
you can use 'restorecon' for the fix. In your case execute
# restorecon -R -v /usr/lib/php/modules/
This should fix some of your issues.
The next issue from your log concerns 'ZendOptimizer.so'. Just execute what setroubleshoot suggests:
chcon -t textrel_shlib_t /usr/local/Zend/lib/Optimizer-3.3.3/php-5.2.x/ZendOptimizer.so
For the issue regarding 'ZendExtensionManager.so', execute
chcon -t textrel_shlib_t /usr/local/Zend/lib/*.so
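The label comparison described in the comment above, as an added shell example that is not part of the original bug report: it compares the label on disk with the label the policy expects and prints the fix that survives a relabel. The function names ctx_type and plan_fix are hypothetical, and the contexts passed in are constructed samples.

```shell
#!/bin/sh
# Added example: choose how to fix an SELinux file label.
# The contexts used here are constructed samples. On a live system read them with
#   stat -c %C "$path"        (label on disk)
#   matchpathcon -n "$path"   (label the loaded policy expects)

# Print the type field of a context: user:role:type:level[:categories]
ctx_type() {
    case "$1" in
        *:*:*) printf '%s\n' "$1" | cut -d: -f3 ;;
        *)     printf 'none\n' ;;   # e.g. "<<none>>" when policy has no rule
    esac
}

# plan_fix PATH DISK_CONTEXT POLICY_CONTEXT WANTED_TYPE
# Prints the command that brings PATH to WANTED_TYPE persistently.
plan_fix() {
    disk=$(ctx_type "$2")
    policy=$(ctx_type "$3")
    if [ "$disk" = "$4" ] && [ "$policy" = "$4" ]; then
        echo "ok: $1 is $4 on disk and in policy"
    elif [ "$policy" = "$4" ]; then
        # Policy already expects the wanted type; only the disk label drifted.
        echo "restorecon -v '$1'"
    else
        # Policy expects something else: add a local rule, then relabel from
        # it. A bare chcon would be undone by the next restorecon or relabel.
        echo "semanage fcontext -a -t $4 '$1' && restorecon -v '$1'"
    fi
}

# Constructed case 1: module copied in with the wrong label, policy is correct.
plan_fix /usr/lib/php/modules/ZendDebugger.so \
    'unconfined_u:object_r:usr_t:s0' \
    'system_u:object_r:textrel_shlib_t:s0' textrel_shlib_t

# Constructed case 2: file already chcon'ed by hand, but policy has no
# matching rule, so the label is not yet persistent.
plan_fix /usr/local/Zend/lib/ZendExtensionManager.so \
    'unconfined_u:object_r:textrel_shlib_t:s0' \
    'system_u:object_r:usr_t:s0' textrel_shlib_t
```

The output is only a suggested command line; review it before running it as root.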
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '9'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 9's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 9 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
Fixed in selinux-policy-3.3.1-135.fc9
Fedora 9 changed to end-of-life (EOL) status on 2009-07-10. Fedora 9 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version.
Thank you for reporting this bug and we are sorry it could not be fixed.