SELinux is preventing httpd from using the execstack access on a process

Environment:

  • Linux – CentOS 7
  • Web server – httpd
  • SELinux enabled

Check the running status of httpd with the following command:

$> sudo systemctl status httpd

The output looks like this:

httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Fri 2016-06-03 10:09:25 SGT; 15min ago
 Main PID: 1824 (httpd)
   Status: "Total requests: 0; Current requests/sec: 0; Current traffic:   0 B/sec"
   CGroup: /system.slice/httpd.service
           ├─1824 /usr/sbin/httpd -DFOREGROUND
           ├─3271 /usr/sbin/httpd -DFOREGROUND
           ├─3272 /usr/sbin/httpd -DFOREGROUND
           ├─3273 /usr/sbin/httpd -DFOREGROUND
           ├─3274 /usr/sbin/httpd -DFOREGROUND
           └─3275 /usr/sbin/httpd -DFOREGROUND

Jun 03 10:09:21 oracle-12c.localdomain python[2741]: SELinux is preventing /usr/sbin/httpd from using the execstack access on a process.
                                                     
                                                     *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************…
Jun 03 10:09:21 oracle-12c.localdomain python[2741]: SELinux is preventing /usr/sbin/httpd from using the execstack access on a process.
                                                     
                                                     *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************…
Jun 03 10:09:24 oracle-12c.localdomain python[2741]: SELinux is preventing /usr/sbin/httpd from using the execmem access on a process.
                                                     
                                                     *****  Plugin catchall_boolean (89.3 confidence) suggests   ******************…


A side note: systemctl is the system and service manager newly introduced in CentOS 7; the original init (the first program started at boot, process ID 1) has been replaced by systemd. The service command is still available, so httpd's status can also be checked with:

$> service httpd status

The output is the same (on CentOS 7 service forwards the request to systemctl).

The output above shows that SELinux is behind the messages, so let's look at SELinux's state:

$> getenforce

Permissive

Permissive means SELinux does not block anything: it only logs the accesses it would have denied (all accesses, not just those of network services). The "SELinux is preventing ..." wording is setroubleshoot's alert template and is printed for logged-only denials too, so httpd was not actually stopped here; the status output above shows it active (running) with its worker processes. What the alerts do tell you is that in Enforcing mode httpd would be denied the execstack and execmem accesses. For background, the Red Hat bug report cited for this message:

https://bugzilla.redhat.com/show_bug.cgi?id=680608

So, how do we fix this? There are two options:

  1. Disable SELinux outright
  2. Tell SELinux to allow httpd the execstack (and execmem) access

Option 1 throws away SELinux's protection for every service on the host and is not recommended. Option 2 is narrower, but be clear about what it grants: the httpd_execmem boolean allows httpd_t both execmem and execstack, i.e. memory that is writable and executable at the same time, which is exactly what memory-corruption exploits against httpd and its modules rely on. Prefer it over disabling SELinux, and prefer fixing the library that asks for an executable stack (see the execstack section below) over either.

Here we take the second option. Run the following command (-P makes the change persistent across reboots):

$> sudo setsebool -P httpd_execmem 1

Then restart httpd:

$> sudo systemctl restart httpd

Now check httpd's status again:

$> systemctl status httpd

httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled)
   Active: active (running) since Fri 2016-06-03 10:25:04 SGT; 2s ago
  Process: 6071 ExecStop=/bin/kill -WINCH ${MAINPID} (code=exited, status=0/SUCCESS)
 Main PID: 6078 (httpd)
   Status: "Processing requests…"
   CGroup: /system.slice/httpd.service
           ├─6078 /usr/sbin/httpd -DFOREGROUND
           ├─6080 /usr/sbin/httpd -DFOREGROUND
           ├─6081 /usr/sbin/httpd -DFOREGROUND
           ├─6082 /usr/sbin/httpd -DFOREGROUND
           ├─6085 /usr/sbin/httpd -DFOREGROUND
           └─6087 /usr/sbin/httpd -DFOREGROUND

Jun 03 10:25:04 oracle-12c.localdomain systemd[1]: Started The Apache HTTP Server.
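The procedure above (read the denials, pick the boolean, enable it, restart) can be scripted so you decide from the audit record rather than from setroubleshoot's truncated hint. The script below is an added example, not code from the original post: it parses AVC lines, reports whether each denial was enforced or only logged (the permissive=1 field is what distinguishes the Permissive case above), and maps the httpd_t process-class permissions to the boolean that grants them. The AVC lines are constructed for the example; on a real host they would come from `ausearch -m AVC -c httpd`. The live part only runs when getenforce and getsebool exist.

```bash
#!/bin/bash
# Added example (not from the original post): triage httpd SELinux denials and
# decide which boolean, if any, would cover them.
# Constructed AVC records; replace with: ausearch -m AVC -c httpd
SAMPLE_AVC='type=AVC msg=audit(1464919761.101:301): avc:  denied  { execstack } for  pid=2741 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464919764.202:302): avc:  denied  { execmem } for  pid=2741 comm="httpd" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=1
type=AVC msg=audit(1464919770.303:303): avc:  denied  { name_connect } for  pid=2745 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=0'

# Print "<permission> <tclass> <logged-only|blocked>" for every denial whose
# source context is the httpd domain. permissive=1 in an AVC record means the
# kernel let the access through and only recorded it.
httpd_denials() {
  printf '%s\n' "$1" | awk '
    /avc: +denied/ && /scontext=[^ ]*:httpd_t:/ {
      if (match($0, /[{] [a-z_]+ [}]/)) {
        perm = substr($0, RSTART + 2, RLENGTH - 4)
        tclass = ""
        for (i = 1; i <= NF; i++) if ($i ~ /^tclass=/) tclass = substr($i, 8)
        mode = ($0 ~ /permissive=1/) ? "logged-only" : "blocked"
        print perm, tclass, mode
      }
    }'
}

# Map a permission/class pair to the httpd boolean that grants it.
# httpd_execmem covers both execmem and execstack for httpd_t, which is why
# one setsebool call silences both alerts seen above.
boolean_for() {
  case "$1/$2" in
    execmem/process|execstack/process) echo "httpd_execmem" ;;
    # narrower choice for database ports: httpd_can_network_connect_db
    name_connect/tcp_socket) echo "httpd_can_network_connect" ;;
    *) echo "none" ;;
  esac
}

# Deduplicated list of booleans the given AVC records call for.
needed_booleans() {
  httpd_denials "$1" | while read -r perm tclass mode; do
    boolean_for "$perm" "$tclass"
  done | grep -v '^none$' | sort -u
}

# Live check, skipped where the SELinux userspace tools are absent: show the
# current mode, each boolean's current value, and the command to enable it.
if command -v getenforce >/dev/null 2>&1 && command -v getsebool >/dev/null 2>&1; then
  echo "mode: $(getenforce)"
  for b in $(needed_booleans "$SAMPLE_AVC"); do
    echo "$(getsebool "$b")    # to enable: sudo setsebool -P $b 1"
  done
fi

httpd_denials "$SAMPLE_AVC"
needed_booleans "$SAMPLE_AVC"
```

Enable only the booleans the script reports, then `systemctl restart httpd` and re-run `ausearch -m AVC -c httpd -ts recent` to confirm the denials are gone; an execstack/execmem denial that persists with httpd_execmem on points at a different domain than httpd_t, not at the boolean.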

Now, what is execstack?

The definition from the man page:

execstack is a program which sets, clears, or queries executable stack flag of ELF binaries and shared libraries.

execstack is a program that sets, clears, or queries the executable-stack flag of ELF binaries and shared libraries. Note the two different things sharing the name: the SELinux execstack permission on the process class is what the kernel checks when a process makes its stack executable, which happens when the dynamic loader pulls in a shared library whose PT_GNU_STACK header is marked RWE; the execstack tool is what you use to find such a library (execstack -q) and to clear the flag (execstack -c), after which httpd no longer needs the httpd_execmem boolean for it. For more, see:

http://linux.die.net/man/8/execstack
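To find out which library is asking httpd for an executable stack, inspect the PT_GNU_STACK header of the shared objects the process has mapped. The script below is an added example, not code from the original post or from the execstack tool: it classifies `readelf -lW` output (sample output is constructed here for three cases) and, where readelf and /proc are available, scans the libraries mapped by a running PID such as httpd's main process.

```bash
#!/bin/bash
# Added example (not from the original post): report which mapped shared
# objects request an executable stack, the condition behind the SELinux
# execstack denial. Constructed samples of `readelf -lW` output follow.
SAMPLE_READELF_RWE='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x0a5d8c 0x0a5d8c R E 0x200000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10'
SAMPLE_READELF_RW='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10'
SAMPLE_READELF_NONE='Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x0a5d8c 0x0a5d8c R E 0x200000'

# Read readelf program-header text on stdin and print one word:
#   exec     PT_GNU_STACK is RWE, an executable stack is requested
#   noexec   PT_GNU_STACK is RW
#   missing  no PT_GNU_STACK header; on x86 the glibc loader treats this like exec
stack_flag_from_readelf() {
  awk '$1 == "GNU_STACK" { found = 1; r = ($0 ~ / RWE /) ? "exec" : "noexec"; print r }
       END { if (!found) print "missing" }'
}

# Live scan of the shared objects mapped by a running process (for example the
# httpd main PID from systemctl status), printing those whose flag is exec or
# missing. Needs readelf (binutils) and read access to /proc/PID/maps;
# returns silently when either is unavailable.
scan_process_libs() {
  pid="$1"
  [ -r "/proc/$pid/maps" ] && command -v readelf >/dev/null 2>&1 || return 0
  awk '$6 ~ /\.so/ { print $6 }' "/proc/$pid/maps" | sort -u | while read -r lib; do
    flag=$(readelf -lW "$lib" 2>/dev/null | stack_flag_from_readelf)
    [ "$flag" = "noexec" ] || echo "$flag $lib"
  done
}

printf '%s\n' "$SAMPLE_READELF_RWE" | stack_flag_from_readelf
# Scan the PID given as the first argument, or this shell when none is given.
scan_process_libs "${1:-$$}"
```

A library the scan reports as exec can be fixed in place with `execstack -c /path/to/lib.so` (or rebuilt with `-Wl,-z,noexecstack`); re-check with `execstack -q` afterwards. That removes the cause rather than widening the policy, and httpd_execmem can then stay off.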


All rights reserved; reproduction prohibited. To reproduce this article, obtain the author's consent first and state that it is reproduced from IT夜班车; otherwise it will be treated as infringement.
