fedora-selinux July 2008 archive

Re: Problems with mod_mono on httpd

From: Daniel J Walsh <dwalsh_at_nospam>
Date: Thu Jul 10 2008 - 15:33:38 GMT
To: dant@cdkkt.com



Dan Thurman wrote:
> The issue relates to using the mod_mono module (I think):
>
> Jul 9 17:28:31 bronze kernel: mono[8896]: segfault at 0 ip 08069d02 sp bf8a6540 error 6 in mono[8047000+1f4000]
> Jul 9 17:28:32 bronze setroubleshoot: SELinux is preventing mono (httpd_t) "execmem" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l 2cb69eb1-baf7-4631-936c-9f6c80436e2e
> Jul 9 17:28:32 bronze setroubleshoot: SELinux is preventing mono (httpd_t) "execmem" to <Unknown> (httpd_t). For complete SELinux messages. run sealert -l 2cb69eb1-baf7-4631-936c-9f6c80436e2e
>
> # sealert -l 2cb69eb1-baf7-4631-936c-9f6c80436e2e
> ==========================================
> Summary:
>
> SELinux is preventing mono (httpd_t) "execmem" to <Unknown> (httpd_t).
>
> Detailed Description:
>
> SELinux denied access requested by mono. It is not expected that this access is
> required by mono and this access may signal an intrusion attempt. It is also
> possible that the specific version or configuration of the application is
> causing it to require additional access.
>
> Allowing Access:
>
> You can generate a local policy module to allow this access - see FAQ
> (http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) Or you can disable
> SELinux protection altogether. Disabling SELinux protection is not recommended.
> Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi)
> against this package.
>
> Additional Information:
>
> Source Context        system_u:system_r:httpd_t:s0
> Target Context        system_u:system_r:httpd_t:s0
> Target Objects        None [ process ]
> Source                mono
> Source Path           /usr/bin/mono
> Port                  <Unknown>
> Host                  bronze.cdkkt.com
> Source RPM Packages   mono-core-1.9.1-2.fc9
> Target RPM Packages
> Policy RPM            selinux-policy-3.3.1-74.fc9
> Selinux Enabled       True
> Policy Type           targeted
> MLS Enabled           True
> Enforcing Mode        Enforcing
> Plugin Name           catchall
> Host Name             bronze.cdkkt.com
> Platform              Linux bronze.cdkkt.com 2.6.25.9-76.fc9.i686 #1 SMP Fri Jun 27 16:14:35 EDT 2008 i686 i686
> Alert Count           26
> First Seen            Tue Jul 8 16:54:41 2008
> Last Seen             Wed Jul 9 17:28:31 2008
> Local ID              2cb69eb1-baf7-4631-936c-9f6c80436e2e
> Line Numbers
>
> Raw Audit Messages
>
> host=bronze.cdkkt.com type=AVC msg=audit(1215649711.436:45): avc: denied { execmem } for pid=8896 comm="mono" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process
>
> host=bronze.cdkkt.com type=SYSCALL msg=audit(1215649711.436:45): arch=40000003 syscall=192 per=400000 success=no exit=-13 a0=0 a1=10000 a2=7 a3=22 items=0 ppid=1 pid=8896 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="mono" exe="/usr/bin/mono" subj=system_u:system_r:httpd_t:s0 key=(null)
>
> How can I fix this please?
> Dan
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list

You can add it using audit2allow:

# grep http /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

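
Added example (not part of the original message, and not audit2allow's own code): a short Python parser that lists which allow rules a "grep http" selection of AVC denials would turn into, and marks the memory-protection permissions such as execmem, so the module can be reviewed before semodule -i loads it. The helper names, the MEMORY_PERMS list and the second sample record are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Permissions that relax memory protection; granting them to a network-facing
# domain such as httpd_t deserves explicit review before a module is loaded.
# (Illustrative list chosen for this example.)
MEMORY_PERMS = {"execmem", "execstack", "execheap", "execmod"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<s>\S+)\s+tcontext=(?P<t>\S+)\s+tclass=(?P<c>\S+)"
)

def sel_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def summarize(lines, pattern="http"):
    """Group AVC denials on lines containing `pattern`, as the grep would."""
    rules = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line) if pattern in line else None
        if m:
            key = (sel_type(m["s"]), sel_type(m["t"]), m["c"])
            rules[key].update(m["perms"].split())
    return rules

def render(rules):
    """Format the grouped denials as allow rules, flagging risky permissions."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        tgt = "self" if tgt == src else tgt
        flag = "  # REVIEW: memory protection" if perms & MEMORY_PERMS else ""
        out.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};{flag}")
    return out

# First record: the denial quoted in the message above, joined onto one line.
# Second record: constructed sample, an unrelated denial that also matches "http".
SAMPLE = [
    'host=bronze.cdkkt.com type=AVC msg=audit(1215649711.436:45): avc: denied '
    '{ execmem } for pid=8896 comm="mono" scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1215649800.101:52): avc: denied { read } for pid=9001 '
    'comm="httpd" name="notes.txt" dev=dm-0 ino=4242 '
    'scontext=system_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:user_home_t:s0 tclass=file',
]

if __name__ == "__main__":
    print("\n".join(render(summarize(SAMPLE))))
```

Narrowing the pattern (for example to "mono") keeps unrelated httpd denials out of the generated module.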