selinux and apache modules linked against libs in non-standard places

From: Aleksandar Milivojevic (amilivojevic_at_pbl.ca)
Date: 01/31/05

  • Next message: David Cary Hart: "Re: Linux Source Code? Where?"
    Date: Mon, 31 Jan 2005 14:58:23 -0600
    To: Fedora <fedora-list@redhat.com>
    
    

    I have PHP module linked against library in non-standard place. When
    starting Apache web server, it loads PHP module, which in turn attempts
    to load this library. This is what I get in /var/log/messages each time
    I start Apache:

    kernel: audit(1107201979.916:0): avc: denied { execute } for pid=3248
    path=/opt/foobar/lib/libfoobar.so.1.0.0.1 dev=dm-1 ino=560573
    scontext=root:system_r:httpd_t tcontext=system_u:object_r:usr_t tclass=file

    I believe this is due to the fact that Apache is restricted in what
    files it can open using SELinux policies. How to allow Apache to use an
    library in non-standard place (/opt/foobar/lib for example)? Preferably
    in a way that will not be overwritten when system is updated (if
    possible, of course).

    -- 
    Aleksandar Milivojevic <amilivojevic@pbl.ca>    Pollard Banknote Limited
    Systems Administrator                           1499 Buffalo Place
    Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
    -- 
    fedora-list mailing list
    fedora-list@redhat.com
    To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
    

  • Next message: David Cary Hart: "Re: Linux Source Code? Where?"

    Relevant Pages

    • Re: 10.3.9 and Apache
      ... > This is what all the "AddLanguage" lines do, tell Apache to use content ... # begin entropy.ch PHP module activation ... And the include file has the load and add module lines. ... True enough once I found httpd.conf, just some odd default file locations. ...
      (comp.sys.mac.system)
    • Re: Re-compiling PHP changes server responsiveness
      ... This is just a warning message and doesn't stop apache working or not. ... examine it further as I don't reboot or restart Apache very often. ... may be being hit by the php module load order problem. ... Rename the extensions.ini back to it's original state. ...
      (freebsd-questions)
    • Help: PHP4 Module problem
      ... I use Apache 2.2.8 and I want to install PHP4 support. ... start a test php script I see nothing just blank page. ... Google and said that I should add --enable-so when I configure the Apache ... So is there any solution to make the PHP module run well? ...
      (comp.infosystems.www.servers.unix)
    • Re: Apache + php
      ... >like apache is not linking to the php module. ... >access the pages is that firefox does not know what to do with the phtml ...
      (Ubuntu)
    • Re: SecurityReason: PHP 5.2.6 SAPI php_getuid() overload
      ... Am I right that this vulnerability exists only in the Apache 1.x flavour ... of the PHP module? ... and BG/SGare initialized before .htaccess processing. ...
      (Bugtraq)