LinuxQuestions.org
Forum: Linux - Security
#1  02-09-2009, 05:21 PM  jnojr (Member)
selinux issue


[root@localhost ~]# service httpd start
Starting httpd: httpd: Syntax error on line 209 of /etc/httpd/conf/httpd.conf: Syntax error on line 1 of /etc/httpd/conf.d/valicert.conf: Cannot load /etc/httpd/modules/vcapache.so into server: /etc/httpd/modules/vcapache.so: cannot enable executable stack as shared object requires: Permission denied
[FAILED]

[root@localhost ~]# tail -2 /var/log/messages
Feb 9 12:59:54 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l d41f81b1-555f-4992-be21-4e4ac141f620
Feb 9 13:03:10 localhost setroubleshoot: SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l 072e94cc-778b-44a7-b407-ea6616385489

[root@localhost ~]# sealert -l 072e94cc-778b-44a7-b407-ea6616385489

Summary:

SELinux is preventing httpd (httpd_t) "execstack" to <Unknown> (httpd_t).

Detailed Description:

SELinux denied access requested by httpd. It is not expected that this access is
required by httpd and this access may signal an intrusion attempt. It is also
possible that the specific version or configuration of the application is
causing it to require additional access.

Allowing Access:

You can generate a local policy module to allow this access - see FAQ
(http://fedora.redhat.com/docs/selinu...fc5/#id2961385) Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended.
Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context root:system_r:httpd_t
Target Context root:system_r:httpd_t
Target Objects None [ process ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host localhost.localdomain
Source RPM Packages httpd-2.2.3-22.el5
Target RPM Packages
Policy RPM selinux-policy-2.4.6-203.el5
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name catchall
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.18-128.el5 #1 SMP
Wed Dec 17 11:42:39 EST 2008 i686 i686
Alert Count 1
First Seen Mon Feb 9 13:03:09 2009
Last Seen Mon Feb 9 13:03:09 2009
Local ID 072e94cc-778b-44a7-b407-ea6616385489
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc: denied { execstack } for pid=2957 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process

host=localhost.localdomain type=SYSCALL msg=audit(1234184589.996:31): arch=40000003 syscall=125 success=no exit=-13 a0=bf80d000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=2956 pid=2957 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

How do I make this particular module work? If I do an "ls -Z" on /etc/httpd/modules/ it has the same permissions as every other module...

-rwxr-xr-x root root system_u:object_r:httpd_modules_t mod_vhost_alias.so
-rwxr-xr-x root root system_u:object_r:httpd_modules_t vcapache.so
 
#2  02-09-2009, 05:46 PM  unSpawn (Moderator)
Running '( sealert -l d41f81b1-555f-4992-be21-4e4ac141f620; sealert -l 072e94cc-778b-44a7-b407-ea6616385489 ) | audit2allow' should yield one line for local policy modification: "allow httpd_t self:process execstack;". But disabling memory protection is a bad idea (as in attack vector). See Ulrich Drepper's SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) for more.

* Here's a quick check to see if any is enabled that shouldn't be: 'sesearch --allow | grep "allow.*self:process.*exec" ' (improvements welcome).

What package or product does this "vcapache.so" belong to?
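To make the audit2allow step concrete, here is a small Python parser added for this edit (it is example code, not part of the thread, of audit2allow or of setroubleshoot). It reads AVC denial records of the shape shown in the first post, reconstructs the allow rule audit2allow would print for each, and separately flags the permissions that switch off SELinux memory protection so they are reviewed rather than waved through. The first sample line is the raw AVC record from the original post; the second is a constructed file-read denial for contrast. SAMPLE_AUDIT, MEMORY_PROTECTION_PERMS, parse_avc, allow_rule and triage are this example's own names.

```python
import re

# Constructed sample input: the first line is the raw AVC record quoted in
# the original post; the second is a made-up file-read denial for contrast.
SAMPLE_AUDIT = """\
host=localhost.localdomain type=AVC msg=audit(1234184589.996:31): avc: denied { execstack } for pid=2957 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
host=localhost.localdomain type=AVC msg=audit(1234184600.001:40): avc: denied { read } for pid=2957 comm="httpd" name="index.html" dev=dm-0 ino=4242 scontext=root:system_r:httpd_t:s0 tcontext=root:object_r:user_home_t:s0 tclass=file
"""

# Permissions that disable the SELinux memory-protection checks; an allow rule
# for any of these deserves the scrutiny Drepper's page describes, not a rubber stamp.
MEMORY_PROTECTION_PERMS = {"execstack", "execmem", "execheap", "execmod"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str):
    """Split one AVC denial into its permission list and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    fields["perms"] = m.group("perms").split()
    return fields


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def allow_rule(d: dict) -> str:
    """Rule text in the form audit2allow prints for a single denial."""
    src, tgt = context_type(d["scontext"]), context_type(d["tcontext"])
    target = "self" if src == tgt else tgt          # same type on both sides -> self
    perms = " ".join(sorted(d["perms"]))
    if len(d["perms"]) > 1:
        perms = "{ " + perms + " }"
    return f"allow {src} {target}:{d['tclass']} {perms};"


def triage(audit_text: str) -> list:
    """For every AVC line: the candidate rule and which of its permissions
    weaken memory protection (an empty list means none of them do)."""
    out = []
    for line in audit_text.splitlines():
        d = parse_avc(line)
        if d is None:
            continue
        out.append({
            "comm": d.get("comm"),
            "rule": allow_rule(d),
            "risky_perms": sorted(set(d["perms"]) & MEMORY_PROTECTION_PERMS),
        })
    return out


if __name__ == "__main__":
    for entry in triage(SAMPLE_AUDIT):
        verdict = "REVIEW: weakens memory protection" if entry["risky_perms"] else "ordinary access rule"
        print(f"{entry['rule']:<50} {verdict}")
```

Run against a real log with `triage(open("/var/log/audit/audit.log").read())`; the execstack line from this thread comes back as `allow httpd_t self:process execstack;` with `execstack` in its risky list, which is exactly the line unSpawn predicts and the reason to treat it differently from a plain file-access denial.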
 
#3  02-09-2009, 05:56 PM  jnojr (Member, Original Poster)
I do not want to disable selinux or any of its "features". I just want to tell it that vcapache.so is OK to load. "chcon -t blahblah filename" works for some of these things, but I don't know what "blahblah" would be... I was hoping sealert would tell me.

This file is part of the Tumbleweed certificate validator.
 
#4  02-09-2009, 06:53 PM  unSpawn (Moderator)
Quote: Originally Posted by jnojr
I do not want to disable selinux or any of it's "features". I just want to tell it that vcapache.so is OK to load.
So you're telling me you agree seatbelts are crucial with respect to survival chances of drivers but that, for some obscure reason, you should be exempt from using them?..


Quote: Originally Posted by jnojr
This file is part of the Tumbleweed certificate validator.
Their VA/SV SW is sold commercially AFAIK. If you bought it you might be entitled to access support. I would raise it with them anyway and copy in some RHEL mailing list.


It's your decision but please note you have been warned.
Look for 'chcon' in relation to 'unconfined_execmem_exec_t'.

Last edited by unSpawn; 02-09-2009 at 06:57 PM. Reason: // Add warning reminder
 
#5  02-09-2009, 07:05 PM  jnojr (Member, Original Poster)
Quote: Originally Posted by unSpawn
So you're telling me you agree seatbelts are crucial with respect to survival chances of drivers but that, for some obscure reason, you should be exempt from using them?..
Err, no... I want this particular module to be able to reach the controls while belted in. I specifically said I did not want to disable selinux.

Quote:
Their VA/SV SW is sold commercially AFAIK. If you bought it you might be entitled to access support. I would raise it with them anyway and copy in some RHEL mailing list.
That's... counter-intuitive to my understanding of selinux. What I'm trying to accomplish isn't some outlandish task that has never been done before. selinux stops things from doing things they aren't supposed to do, but there's always a way to tell it that yes, this application is allowed to do X. That's all I'm asking... not how to "trick" anybody, just allow this module to do whatever it needs to do.

Contacting their support is, I suppose, an option if I must, but will probably be a headache.
 
#6  02-10-2009, 02:18 AM  unSpawn (Moderator)
Quote: Originally Posted by jnojr
That's... counter-intuitive to my understanding of selinux.
Awesome. Your understanding of current RH safety measures, host security and SE Linux probably exceeds mine.
 
#7  02-10-2009, 02:55 PM  jnojr (Member, Original Poster)
Someone else decided to be helpful and provided:

Quote:
It is very rare that any app would need execstack, apps having this
privilege are potentially subject to buffer overflow attack.

http://people.redhat.com/~drepper/selinux-mem.html

First thing to try is see if the execstack flag is set on the library,
if it is you can remove it and see if the app works.

Query

# execstack -q /etc/httpd/modules/vcapache.so

Remove
# execstack -c /etc/httpd/modules/vcapache.so

Test,

If it breaks and you want to put the flag back on.

# execstack -s /etc/httpd/modules/vcapache.so

If removing the flag does not work for you, you can create custom policy
to allow vcapache to run

# grep execstack /var/log/audit/audit.log | audit2allow -M myexecstack
# semodule -i myexecstack.pp

I hope that helps anyone else who runs into this problem.
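What `execstack -q` actually reports is the PF_X bit on the object's PT_GNU_STACK program header; an object with no PT_GNU_STACK entry at all is treated by glibc on x86 as needing an executable stack, which is why the loader message in the first post ("cannot enable executable stack as shared object requires") and the execstack AVC go together. The Python below is an example added for this edit, not code from the thread or from the execstack/prelink tools: it reads that header directly so you can audit a whole modules directory (such as the /etc/httpd/modules path from the thread) before deciding whether `execstack -c` or a policy module is the right fix. `build_sample_elf` constructs a minimal, non-loadable ELF image purely to exercise the parser; `gnu_stack_flags`, `stack_is_executable` and `scan_modules` are this example's own names.

```python
import struct
from pathlib import Path

PT_GNU_STACK = 0x6474E551          # p_type of the GNU stack-permission marker
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits


def gnu_stack_flags(data: bytes):
    """Return p_flags of the PT_GNU_STACK segment, or None if the object has none.

    Handles ELF32/ELF64 in either byte order. Only the ELF header and the
    program header table are read, so the object need not be loadable."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("unsupported ELF class or data encoding")
    end = "<" if ei_data == 1 else ">"
    if ei_class == 2:   # ELF64: e_phoff at 0x20, e_phentsize/e_phnum at 0x36
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
        fmt, flags_index = end + "IIQQQQQQ", 1   # p_flags directly follows p_type
    else:               # ELF32: e_phoff at 0x1C, e_phentsize/e_phnum at 0x2A
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
        fmt, flags_index = end + "IIIIIIII", 6   # p_flags is the seventh field
    need = struct.calcsize(fmt)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + need > len(data):
            raise ValueError("program header table runs past end of file")
        fields = struct.unpack_from(fmt, data, off)
        if fields[0] == PT_GNU_STACK:
            return fields[flags_index]
    return None


def stack_is_executable(data: bytes) -> bool:
    """True if loading this object would require an executable stack.

    A missing PT_GNU_STACK is treated as executable: that is glibc's default
    for such objects on x86, and it triggers the same execstack AVC as an
    explicit PF_X."""
    flags = gnu_stack_flags(data)
    return True if flags is None else bool(flags & PF_X)


def scan_modules(directory) -> dict:
    """Map each *.so in `directory` to whether it needs an executable stack."""
    return {p.name: stack_is_executable(p.read_bytes())
            for p in sorted(Path(directory).glob("*.so"))}


def build_sample_elf(exec_stack: bool, elf64: bool = True) -> bytes:
    """Constructed demo input: an ELF header plus one PT_GNU_STACK program
    header. Not loadable; just enough structure to exercise the parser."""
    flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    if elf64:
        ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
        # e_type=ET_DYN, e_machine=x86-64, phoff=64, ehsize=64, phentsize=56, phnum=1
        ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                                   3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
        phdr = struct.pack("<IIQQQQQQ", PT_GNU_STACK, flags, 0, 0, 0, 0, 0, 16)
    else:
        ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + bytes(8)
        # e_type=ET_DYN, e_machine=i386, phoff=52, ehsize=52, phentsize=32, phnum=1
        ehdr = ident + struct.pack("<HHIIIIIHHHHHH",
                                   3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
        phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, flags, 16)
    return ehdr + phdr


if __name__ == "__main__":
    for label, blob in (("exec stack, ELF64", build_sample_elf(True)),
                        ("non-exec stack, ELF32", build_sample_elf(False, elf64=False))):
        print(f"{label}: executable={stack_is_executable(blob)}")
    # On a real system: print(scan_modules("/etc/httpd/modules"))
```

Because every module is mapped into the one httpd process, a single module needing an executable stack forces the whole server to request it, which is why the denial in the thread is against httpd_t itself (tclass=process) rather than against the file. Running `scan_modules` first tells you which module is responsible and whether clearing the flag, as the quoted advice suggests, is even on the table.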
 
  

