* "denied" error message
From: Bill Tangren @ 2007-07-25 19:04 UTC
To: linux-audit
I have the following error message showing up in my audit logs. This is on an
SELinux-enabled web server (running RHEL ES 4, fully patched). This is actually
an SELinux error, so if this is not the correct place to ask this question, please
let me know.
**********
type=AVC msg=audit(1185389440.164:7579569): avc: denied { execute } for
pid=26076 comm="aa_pap8" name="ld.so.cache" dev=md3 ino=2529627
scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t
tclass=file
type=SYSCALL msg=audit(1185389440.164:7579569): arch=40000003 syscall=90
per=400000 success=no exit=-13 a0=bffff074 a1=2 a2=a54fd4 a3=3 items=0 pid=26076
auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48
comm="aa_pap8" exe="/location/of/bin/aa_pap8"
type=AVC_PATH msg=audit(1185389440.164:7579569): path="/etc/ld.so.cache"
**********
A web page of ours is calling a script that is calling this program
/location/of/bin/aa_pap8. The security context on the program is
-rwxr-xr-x apache AA system_u:object_r:httpd_sys_content_t aa_pap8
The security context on ld.so.cache is
-rw-r--r-- root root root:object_r:ld_so_cache_t /etc/ld.so.cache
Does anyone know why this error is occurring? The program is running correctly.
I'd just like to know where the error is coming from.
Thanks,
Bill Tangren
* Re: "denied" error message
From: Bill Tangren @ 2007-07-25 20:03 UTC
Cc: linux-audit
Bill Tangren wrote:
> I have the following error message showing up in my audit logs. This is
> on an SELinux-enabled web server (running RHEL ES 4, fully patched).
> This is actually an SELinux error, so if this is not the correct place to
> ask this question, please let me know.
>
Never mind. I got at least a partial answer by googling NSA's selinux mailing
list archive. I quote from one of those pages:
"Typically, that audit message suggests that kernel is translating PROT_READ
requests by that binary to PROT_READ|PROT_EXECUTE in order to provide
compatibility with "legacy" binaries that presumed read-implies-exec logic."
This is an old program that is calling shared libraries. It isn't hurting the
program, but it is filling up my audit logs. I guess I'll leave it alone.
Thanks anyway.
* Re: "denied" error message
From: Stephen Smalley @ 2007-07-26 12:36 UTC
To: Bill Tangren; +Cc: linux-audit
On Wed, 2007-07-25 at 16:03 -0400, Bill Tangren wrote:
> Bill Tangren wrote:
> > I have the following error message showing up in my audit logs. This is
> > on an SELinux-enabled web server (running RHEL ES 4, fully patched).
> > This is actually an SELinux error, so if this is not the correct place to
> > ask this question, please let me know.
> >
>
> Never mind. I got at least a partial answer by googling NSA's selinux mailing
> list archive. I quote from one of those pages:
>
> "Typically, that audit message suggests that kernel is translating PROT_READ
> requests by that binary to PROT_READ|PROT_EXECUTE in order to provide
> compatibility with "legacy" binaries that presumed read-implies-exec logic."
>
> This is an old program that is calling shared libraries. It isn't hurting the
> program, but it is filling up my audit logs. I guess I'll leave it alone.
>
> Thanks anyway.
>
Options:
- Rebuild the program with current compiler toolchain.
- Try to mark the program as not requiring an executable stack,
cp /location/of/bin/aa_pap8 /location/of/bin/aa_pap8.orig
execstack -c /location/of/bin/aa_pap8
- Modify your policy to dontaudit the permission or to allow it, as
required.
--
Stephen Smalley
National Security Agency
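Added example, not part of the thread and not code from any of the participants: a small Python script that parses AVC records of the kind Bill posted, counts them by source type, target type, object class and permission, flags the read-implies-exec pattern (an `execute` denial on `ld_so_cache_t` from a domain that only needs to read the loader cache), and emits a dontaudit policy module for exactly that noise, which is what Stephen's third option amounts to when the permission is not actually required. The sample records are constructed (Bill's record joined back onto one line, as audit.log stores it, plus one more hit and one unrelated denial); the module name `aa_pap8_noise` is an arbitrary choice.

```python
"""Triage SELinux AVC denials of the kind shown in this thread.

Parses AVC records, aggregates them by (source type, target type, object
class, permission), flags the read-implies-exec pattern and builds a
dontaudit module that silences only that pattern. Every other denial is
left audited. Sample log lines are constructed; the module name is arbitrary.
"""
import re
from collections import Counter

# Constructed sample: the thread's record on one line, a SYSCALL record that
# must be ignored, a second hit of the same denial, and an unrelated denial
# that must NOT be silenced.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1185389440.164:7579569): avc: denied { execute } for pid=26076 comm="aa_pap8" name="ld.so.cache" dev=md3 ino=2529627 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file
type=SYSCALL msg=audit(1185389440.164:7579569): arch=40000003 syscall=90 success=no exit=-13 pid=26076 comm="aa_pap8" exe="/location/of/bin/aa_pap8"
type=AVC msg=audit(1185389441.201:7579570): avc: denied { execute } for pid=26077 comm="aa_pap8" name="ld.so.cache" dev=md3 ino=2529627 scontext=user_u:system_r:httpd_sys_script_t tcontext=root:object_r:ld_so_cache_t tclass=file
type=AVC msg=audit(1185389500.000:7579600): avc: denied { read } for pid=26100 comm="aa_pap8" name="shadow" dev=md3 ino=12345 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:shadow_t tclass=file
"""

AVC_RE = re.compile(
    r'^type=AVC .*?avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Target types on which an 'execute' denial is the read-implies-exec artefact
# the thread describes (ld_so_cache_t is the thread's case).
LOADER_TYPES = {'ld_so_cache_t'}


def context_type(ctx):
    """The third field of user:role:type[:range] is the type."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Return the interesting fields of one AVC record, or None for other record types."""
    m = AVC_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': tuple(m.group('perms').split()),
        'stype': context_type(fields['scontext']),
        'ttype': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm', ''),
        'name': fields.get('name', ''),
    }


def summarize(log_text):
    """Count denials keyed by (source type, target type, class, permission)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        for perm in rec['perms']:
            counts[(rec['stype'], rec['ttype'], rec['tclass'], perm)] += 1
    return counts


def is_read_implies_exec(key):
    """True for the noisy pattern: execute denied on the loader cache."""
    _stype, ttype, tclass, perm = key
    return perm == 'execute' and tclass == 'file' and ttype in LOADER_TYPES


def dontaudit_module(counts, module_name='aa_pap8_noise'):
    """Build a policy module (the shape audit2allow -D produces) that silences
    only the read-implies-exec denials; anything else stays audited."""
    rules = sorted(k for k in counts if is_read_implies_exec(k))
    types = sorted({k[0] for k in rules} | {k[1] for k in rules})
    perms_by_class = {}
    for _s, _t, cls, perm in rules:
        perms_by_class.setdefault(cls, set()).add(perm)
    out = [f'module {module_name} 1.0;', '', 'require {']
    out += [f'\ttype {t};' for t in types]
    out += [f'\tclass {cls} {{ {" ".join(sorted(ps))} }};'
            for cls, ps in sorted(perms_by_class.items())]
    out += ['}', '']
    out += [f'dontaudit {s} {t}:{cls} {p};' for s, t, cls, p in rules]
    return '\n'.join(out) + '\n'


if __name__ == '__main__':
    counts = summarize(SAMPLE_AUDIT_LOG)
    for key, n in counts.most_common():
        tag = 'noise (read-implies-exec)' if is_read_implies_exec(key) else 'keep auditing'
        print(f'{n:4d}  {key[0]} -> {key[1]}:{key[2]} {key[3]}  [{tag}]')
    print(dontaudit_module(counts))
```

The generated text is what you would save as a `.te` file and build and load with the usual checkmodule/semodule_package/semodule steps before deciding between Stephen's options. Two points worth keeping in view: a dontaudit rule hides the message but the denial still happens, which is fine here only because the program demonstrably works without the `execute` permission; and the aggregation is keyed on the whole (source, target, class, permission) tuple precisely so that an unrelated denial from the same `comm` (the constructed `shadow_t` read) never gets folded into the silenced set.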