Description of problem:
nodejs segfaults when used with SELinux enforcing and setsebool httpd_execmem off. Instead of segfaulting, it should issue an AVC denial.

Version-Release number of selected component (if applicable):
0.10.6-1.fc20

How reproducible:
Run a PHP script using Apache such as:

<?php
shell_exec( "/usr/bin/node /var/www/virtual-hosts/example.com/bin/topojson -p -o /tmp/outfile /tmp/infile" );
?>

Steps to Reproduce:
1. # setenforce 1
2. # setsebool httpd_execmem off
3. Run a PHP script using Apache:

<?php
shell_exec( "/usr/bin/node /var/www/virtual-hosts/example.com/bin/topojson -p -o /tmp/outfile /tmp/infile" );
?>

Actual results:
/var/log/messages contains this message:

Jun 13 14:30:32 ce008 kernel: [4067406.839668] node[27735]: segfault at 20 ip 00007f14cf27905f sp 00007fffb431eda0 error 4 in libv8.so.3.14.5[7f14cef2c000+54f000]

Expected results:
/var/log/messages should contain a SELinux AVC denial message referencing "execmem" to give us a clue to enable httpd_execmem.

Additional info:
Apache 2.2.23-1.fc17
PHP 5.4.14-1.fc17
selinux-policy.noarch 3.10.0-167.fc17
topojson github commit 7d07ec67a62ca57dbfd4472cb2a8bbc6fe8bd2f5

This works for me:

% cat /var/www/html/nodetest.php
<?php
header("Content-Type: text/plain");
system("/usr/bin/node -pe process.version");

% sudo getsebool httpd_execmem
httpd_execmem --> off

% curl http://localhost/nodetest.php

% sudo ausearch -m avc -ts recent
----
time->Thu Jun 13 18:20:27 2013
type=SYSCALL msg=audit(1371172827.650:870): arch=c000003e syscall=9 success=no exit=-13 a0=3d57a8f77000 a1=1000 a2=7 a3=22 items=0 ppid=6700 pid=6886 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="node" exe="/usr/bin/node" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1371172827.650:870): avc: denied { execmem } for pid=6886 comm="node" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
----
time->Thu Jun 13 18:20:27 2013
type=SYSCALL msg=audit(1371172827.650:869): arch=c000003e syscall=9 success=no exit=-13 a0=3dd9286f000 a1=1000 a2=7 a3=32 items=0 ppid=6700 pid=6886 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 ses=4294967295 tty=(none) comm="node" exe="/usr/bin/node" subj=system_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1371172827.650:869): avc: denied { execmem } for pid=6886 comm="node" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process

% sudo setsebool httpd_execmem on

% curl http://localhost/nodetest.php
v0.10.10

I'm not sure why you're not getting an AVC.

You appear to be using a Rawhide nodejs on F17?? That is...unsupported...to say the least. We don't support nodejs on F17 at all due to its OpenSSL not being compatible. Please let us know if you can reproduce on F18 or later.
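
The two ausearch events quoted in the comment above can be read field by field. The following is an added example, not part of the original report or of any project's code: it pairs each execmem AVC with the SYSCALL record of the same event and decodes the x86_64 mmap/mprotect arguments. The function names and the trimmed SAMPLE records are this example's own.

```python
import errno
import re

# Two events from the ausearch output quoted above, trimmed to the fields used here.
SAMPLE = '''\
type=SYSCALL msg=audit(1371172827.650:870): arch=c000003e syscall=9 success=no exit=-13 a0=3d57a8f77000 a1=1000 a2=7 a3=22 pid=6886 comm="node" exe="/usr/bin/node" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1371172827.650:870): avc: denied { execmem } for pid=6886 comm="node" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1371172827.650:869): arch=c000003e syscall=9 success=no exit=-13 a0=3dd9286f000 a1=1000 a2=7 a3=32 pid=6886 comm="node" exe="/usr/bin/node" subj=system_u:system_r:httpd_t:s0
type=AVC msg=audit(1371172827.650:869): avc: denied { execmem } for pid=6886 comm="node" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
'''
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP = {0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED", 0x20: "MAP_ANONYMOUS"}
SYSCALLS = {9: "mmap", 10: "mprotect"}  # x86_64 numbers (arch=c000003e) only

def bits(value, names):
    """Render a bit mask as the OR of its known flag names."""
    return "|".join(name for bit, name in sorted(names.items()) if value & bit)

def parse(text):
    """Group audit records by event id (timestamp:serial), then by record type."""
    events = {}
    for line in text.splitlines():
        event = re.search(r"msg=audit\(([\d.]+:\d+)\)", line)
        if not event:
            continue
        fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
        perms = re.search(r"denied\s+\{([^}]*)\}", line)
        fields["perms"] = perms.group(1).split() if perms else []
        events.setdefault(event.group(1), {})[fields["type"]] = fields
    return events

def execmem_denials(text):
    """Decode the syscall behind each AVC that denies the execmem permission."""
    out = []
    for event_id, recs in parse(text).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not (avc and sc) or "execmem" not in avc["perms"] or sc["arch"] != "c000003e":
            continue
        nr = int(sc["syscall"])
        out.append({
            "event": event_id,
            "domain": avc["scontext"].split(":")[2],
            "syscall": SYSCALLS.get(nr, str(nr)),
            "length": int(sc["a1"], 16),  # audit logs a0..a3 in hex
            "prot": bits(int(sc["a2"], 16), PROT),
            "flags": bits(int(sc["a3"], 16), MAP) if nr == 9 else None,
            "errno": errno.errorcode[-int(sc["exit"])],
        })
    return out
```

Calling `execmem_denials(SAMPLE)` shows both events are 4096-byte anonymous mmap calls requesting read, write and execute together, made from the httpd_t domain and refused with EACCES.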