SELinux

Set_Killer Posts: 31

SELinux denied access to php_exec(). I have tried to allow it with

audit2allow -a -M httpd

and then

semodule -i httpd

but it doesn't work. audit2why shows many lines like

type=AVC msg=audit(1246431002.917:67): avc: denied { execute_no_trans } for pid=4621 comm="ldd" path="/usr/bin/mencoder" dev=hdb1 ino=24527774 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unconfined_execmem_exec_t:s0 tclass=file

Was caused by:

Missing or disabled TE allow rule.

Allow rules may exist but be disabled by boolean settings; check boolean settings.

You can see the necessary allow rules by running audit2allow with this audit message as input.

and

type=AVC msg=audit(1246408757.234:70): avc: denied { execute_no_trans } for pid=3203 comm="ldd" path="/lib64/ld-2.5.so" dev=hdb1 ino=6127890 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:ld_so_t:s0 tclass=file

Was caused by:

Unknown - would be allowed by active policy

Possible mismatch between this policy and the one under which the audit message was generated.

Possible mismatch between current in-memory boolean settings vs. permanent ones.

The OS is CentOS 5.3. PHP safe_mode is Off.

How to fix that?

Thanks in advance.

Comments

  • Set_Killer Posts: 31
    The problem is solved with:
    setsebool -P httpd_disable_trans on

    Thanks to Evolution from the IRC.
  • Thanks a bunch. I was having the same problem with SELinux for a few weeks and didn't know what to do. My sysadmin pretty much gave up on it. I spent hours on Google trying to find a solution but no help. I didn't know that I would get the fix in this forum and that it would be so easy! Thanks so much! :)