Bug 619868 - SELinux is preventing /usr/local/bin/php from making the program stack executable.
SELinux is preventing /usr/local/bin/php from making the program stack execut...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
12
i386 Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:8348a06b89c...
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-07-30 14:26 EDT by Renato
Modified: 2010-07-30 14:48 EDT (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-30 14:48:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Renato 2010-07-30 14:26:43 EDT
Sumário:

SELinux is preventing /usr/local/bin/php from making the program stack
executable.

Descrição detalhada:

[SElinux está em modo permissivo. Esse acesso não foi negado.]

The php application attempted to make its stack executable. This is a potential
security problem. This should never ever be necessary. Stack memory is not
executable on most OSes these days and this will not change. Executable stack
memory is one of the biggest security problems. An execstack error might in fact
be most likely raised by malicious code. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If php does not work and you need it to work, you can
configure SELinux temporarily to allow this access until the application is
fixed. Please file a bug report.

Permitindo acesso:

Sometimes a library is accidentally marked with the execstack flag, if you find
a library with this flag you can clear it with the execstack -c LIBRARY_PATH.
Then retry your application. If the app continues to not work, you can turn the
flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust php to run
correctly, you can change the context of the executable to execmem_exec_t.
"chcon -t execmem_exec_t '/usr/local/bin/php'" You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t execmem_exec_t '/usr/local/bin/php'"

Comando de correção:

chcon -t execmem_exec_t '/usr/local/bin/php'

Informações adicionais:

Contexto de origem            unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Contexto de destino           unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Objetos de destino            None [ process ]
Origem                        httpd
Caminho da origem             /usr/local/apache2/bin/httpd
Porta                         <Desconhecido>
Máquina                      (removed)
Pacotes RPM de origem         
Pacotes RPM de destino        
RPM da política              selinux-policy-3.6.32-41.fc12
Selinux habilitado            True
Tipo de política             targeted
MLS habilitado                True
Modo reforçado               Permissive
Nome do plugin                allow_execstack
Nome da máquina              (removed)
Plataforma                    Linux (removed) 2.6.31.5-127.fc12.i686
                              #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686
Contador de alertas           8
Visto pela primeira vez em    Qua 14 Jul 2010 16:25:58 BRT
Visto pela última vez em     Qui 29 Jul 2010 14:39:57 BRT
ID local                      9cd84d25-53a6-424b-af3a-097db204ea50
Números de linha             

Mensagens de auditoria não p 

node=(removed) type=AVC msg=audit(1280425197.892:697): avc:  denied  { execstack } for  pid=10513 comm="php" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

node=(removed) type=SYSCALL msg=audit(1280425197.892:697): arch=40000003 syscall=125 success=yes exit=0 a0=bf8bf000 a1=1000 a2=1000007 a3=bf8bf280 items=0 ppid=8288 pid=10513 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=57 comm="php" exe="/usr/local/bin/php" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  selinux-policy-3.6.32-41.fc12,allow_execstack,httpd,unconfined_t,unconfined_t,process,execstack
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'

allow unconfined_t self:process execstack;
Comment 1 Daniel Walsh 2010-07-30 14:48:35 EDT
Bug report tells you what you can do.  You really should update this machine.

This php script might be dangerous also.

Note You need to log in before you can comment on or make changes to this bug.