Zend Server & SELinux

[dciit]

It turns out that this solution is not permanent. The next time I started the computer and started apache, the same error arose:

Permission denied: make_sock: could not bind to address 127.0.0.1:10083

And the SE Troubleshoot Browser shows:

SELinux is preventing httpd (httpd_t) "name_bind" to <Unknown> (amanda_port_t).

Does anyone have an idea how to permanently make this problem go away, other than to disable SELinux?

[kalsajad]

i follow all the levels but also have trouble with SElinux:

[sajad@sajad ~]$ su
Password:
[root@sajad sajad]# setenforce 0
[root@sajad sajad]# set
set setkeycodes setserial
setarch setleds setsid
setcap setmetamode setsysfont
setenforce setpci setterm
setfacl setquota setup
setfattr setregdomain setup-nsssysinit.sh
setfiles setroubleshootd setxkbmap
setfont setsebool
[root@sajad sajad]# /usr/local/zend/bin/zendctl.sh stop
Stopping Zend Server 5.0.3 ..

Stopping Zend Server Monitor node [OK]
Stopping httpd: [FAILED]
Stopping Session Clustering daemon [OK]
Stopping JobQueue [OK]
Stopping Zend Server GUI [Lighttpd] [OK]

Zend Server stopped.
[root@sajad sajad]# yum install prelink
Loaded plugins: presto, refresh-packagekit
updates/primary_db | 4.9 MB 00:59
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package prelink.x86_64 0:0.4.3-3.fc13 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Updating:
prelink x86_64 0.4.3-3.fc13 updates 994 k

Transaction Summary
================================================================================
Upgrade 1 Package(s)

Total download size: 994 k
Is this ok [y/N]: y
Downloading Packages:
Setting up and reading Presto delta metadata
updates/prestodelta | 481 kB 00:39
Processing delta metadata
Package(s) data still to download: 994 k
prelink-0.4.3-3.fc13.x86_64.rpm | 994 kB 00:54
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Updating : prelink-0.4.3-3.fc13.x86_64 1/2
Cleanup : prelink-0.4.3-2.fc13.x86_64 2/2
ERROR:dbus.proxies:Introspect error on :1.426:/org/freedesktop/PackageKit: dbus.exceptions.DBusException: org.freedesktop.DBus.Error.NoReply: Message did not receive a reply (timeout by message bus)
Unable to send message to PackageKit

Updated:
prelink.x86_64 0:0.4.3-3.fc13

Complete!
[root@sajad sajad]# semanage port -a -t http_port_t -p tcp 10083
/usr/sbin/semanage: Port tcp/10083 already defined
[root@sajad sajad]# execstack -c /usr/local/zend/lib/apache2/libphp5.so /usr/local/zend/lib/libssl.so.0.9.8 /usr/lib64/libclntsh.so.11.1 /usr/lib64/libnnz11.so /usr/local/zend/lib/libcrypto.so.0.9.8 /usr/local/zend/lib/debugger/php-5.*.x/ZendDebugger.so /usr/local/zend/lib/php_extensions/curl.so
[root@sajad sajad]#
[root@sajad sajad]#
[root@sajad sajad]# chcon -R system_u:object_r:httpd_log_t /usr/local/zend/var/log
[root@sajad sajad]# chcon -R system_u:object_r:httpd_tmp_t /usr/local/zend/tmp
[root@sajad sajad]# chcon -R system_u:object_r:tmp_t /usr/local/zend/tmp/pagecache /usr/local/zend/tmp/datacache
[root@sajad sajad]# chcon -t textrel_shlib_t /usr/local/zend/lib/apache2/libphp5.so /usr/lib*/libclntsh.so.11.1 /usr/lib*/libociicus.so /usr/lib*/libnnz11.so
[root@sajad sajad]# /usr/local/zend/bin/zendctl.sh start
Starting Zend Server 5.0.3 ..

Starting Zend Server Monitor node [OK]
[ 17.10.2010 22:10:53 SYSTEM] watchdog for monitor is running.
[ 17.10.2010 22:10:53 SYSTEM] monitor is not running.
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
Starting Session Clustering daemon [OK]
[ 17.10.2010 22:10:57 SYSTEM] watchdog for scd is running.
[ 17.10.2010 22:10:57 SYSTEM] scd is running.
Starting JobQueue [OK]
[ 17.10.2010 22:10:57 SYSTEM] watchdog for jqd is running.
[ 17.10.2010 22:10:57 SYSTEM] jqd is running.
spawn-fcgi: child spawned successfully: PID: 9475
Starting Zend Server GUI [Lighttpd] [OK]
[ 17.10.2010 22:10:59 SYSTEM] watchdog for lighttpd is running.
[ 17.10.2010 22:10:59 SYSTEM] lighttpd is running.

Zend Server started...
[root@sajad sajad]# /usr/local/zend/bin/zendctl.sh start
Starting Zend Server 5.0.3 ..

monitor watchdog is up and running.. [OK]
[ 17.10.2010 22:12:20 SYSTEM] watchdog for monitor is running.
[ 17.10.2010 22:12:20 SYSTEM] monitor is running.
Starting httpd:
scd watchdog is up and running.. [OK]
[ 17.10.2010 22:12:20 SYSTEM] watchdog for scd is running.
[ 17.10.2010 22:12:20 SYSTEM] scd is running.
jqd watchdog is up and running.. [OK]
[ 17.10.2010 22:12:20 SYSTEM] watchdog for jqd is running.
[ 17.10.2010 22:12:20 SYSTEM] jqd is running.
spawn-fcgi: socket is already in use, can't spawn
lighttpd watchdog is up and running.. [OK]
[ 17.10.2010 22:12:21 SYSTEM] watchdog for lighttpd is running.
[ 17.10.2010 22:12:21 SYSTEM] lighttpd is running.

Zend Server started...
[root@sajad sajad]# /usr/local/zend/bin/zendctl.sh stop
Stopping Zend Server 5.0.3 ..

Stopping Zend Server Monitor node [OK]
Stopping httpd: [ OK ]
Stopping Session Clustering daemon [OK]
Stopping JobQueue [OK]
Stopping Zend Server GUI [Lighttpd] [OK]

Zend Server stopped.
[root@sajad sajad]# /usr/local/zend/bin/zendctl.sh start
Starting Zend Server 5.0.3 ..

Starting Zend Server Monitor node [OK]
[ 17.10.2010 22:13:04 SYSTEM] watchdog for monitor is running.
[ 17.10.2010 22:13:04 SYSTEM] monitor is running.
Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using 127.0.0.1 for ServerName
[ OK ]
Starting Session Clustering daemon [OK]
[ 17.10.2010 22:13:06 SYSTEM] watchdog for scd is running.
[ 17.10.2010 22:13:06 SYSTEM] scd is running.
Starting JobQueue [OK]
[ 17.10.2010 22:13:06 SYSTEM] watchdog for jqd is running.
[ 17.10.2010 22:13:06 SYSTEM] jqd is running.
spawn-fcgi: child spawned successfully: PID: 10239
Starting Zend Server GUI [Lighttpd] [OK]
[ 17.10.2010 22:13:08 SYSTEM] watchdog for lighttpd is running.
[ 17.10.2010 22:13:08 SYSTEM] lighttpd is running.

Zend Server started...
[root@sajad sajad]#



here a troubleshoot with zendserver:

Summary:

SELinux is preventing /usr/sbin/httpd "execstack" access on <Unknown>.

Detailed Description:

[httpd has a permissive type (httpd_t). This access was not denied.]

SELinux denied access requested by httpd. The current boolean settings do not
allow this access. If you have not setup httpd to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Allowing Access:

Confined processes can be configured to run requiring different access, SELinux
provides booleans to allow you to turn on/off access as needed. The boolean
httpd_execmem is set incorrectly.
Boolean Description:
Allow httpd scripts and modules execmem/execstack


Fix Command:

# setsebool -P httpd_execmem 1

Additional Information:

Source Context unconfined_u:system_r:httpd_t:s0
Target Context unconfined_u:system_r:httpd_t:s0
Target Objects None [ process ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host sajad
Source RPM Packages httpd-2.2.15-1.fc13
Target RPM Packages
Policy RPM selinux-policy-3.7.19-57.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall_boolean
Host Name sajad
Platform Linux sajad 2.6.34.7-56.fc13.x86_64 #1 SMP Wed Sep
15 03:36:55 UTC 2010 x86_64 x86_64
Alert Count 2
First Seen Mon 04 Oct 2010 11:42:06 PM IRST
Last Seen Mon 04 Oct 2010 11:42:09 PM IRST
Local ID 8837a4e1-bddf-4844-a8c0-c1a9419faefd
Line Numbers

Raw Audit Messages

node=sajad type=AVC msg=audit(1286223129.496:234): avc: denied { execstack } for pid=28386 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process

node=sajad type=SYSCALL msg=audit(1286223129.496:234): arch=c000003e syscall=10 success=yes exit=68719476864 a0=7fffb4817000 a1=1000 a2=1000007 a3=7f7a48256106 items=0 ppid=28385 pid=28386 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)




Summary:

SELinux is preventing /usr/sbin/httpd "execstack" access on <Unknown>.

Detailed Description:

[httpd has a permissive type (httpd_t). This access was not denied.]

SELinux denied access requested by httpd. The current boolean settings do not
allow this access. If you have not setup httpd to require this access this may
signal an intrusion attempt. If you do intend this access you need to change the
booleans on this system to allow the access.

Allowing Access:

Confined processes can be configured to run requiring different access, SELinux
provides booleans to allow you to turn on/off access as needed. The boolean
httpd_execmem is set incorrectly.
Boolean Description:
Allow httpd scripts and modules execmem/execstack


Fix Command:

# setsebool -P httpd_execmem 1

Additional Information:

Source Context unconfined_u:system_r:httpd_t:s0
Target Context unconfined_u:system_r:httpd_t:s0
Target Objects None [ process ]
Source httpd
Source Path /usr/sbin/httpd
Port <Unknown>
Host sajad
Source RPM Packages httpd-2.2.15-1.fc13
Target RPM Packages
Policy RPM selinux-policy-3.7.19-57.fc13
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Plugin Name catchall_boolean
Host Name sajad
Platform Linux sajad 2.6.34.7-56.fc13.x86_64 #1 SMP Wed Sep
15 03:36:55 UTC 2010 x86_64 x86_64
Alert Count 2
First Seen Mon 04 Oct 2010 11:42:06 PM IRST
Last Seen Mon 04 Oct 2010 11:42:09 PM IRST
Local ID 8837a4e1-bddf-4844-a8c0-c1a9419faefd
Line Numbers

Raw Audit Messages

node=sajad type=AVC msg=audit(1286223129.496:234): avc: denied { execstack } for pid=28386 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process

node=sajad type=SYSCALL msg=audit(1286223129.496:234): arch=c000003e syscall=10 success=yes exit=68719476864 a0=7fffb4817000 a1=1000 a2=1000007 a3=7f7a48256106 items=0 ppid=28385 pid=28386 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=13 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

[mpichot]

Hi there,

I've just installed PHP 5.3 and Zend Debugger on Fedora 16 today. SELinux drive me mad since I find the solution : the SELinux context, in Fedora 16, SELinux 2.1.6-5, has to be « lib_t » instead of « textrel_shlib_t ».

I did not install Zend Server, only Zend Framework a (from repository « remi ») and Zend Debugger (/usr/lib64/php/modules/ZendDebugger.so). Pay attention on « libssl.so.0.9.8 ». You steel have to « symlink » :

# ln -s /usr/lib64/libssl.so.1.0.0g /usr/lib64/libssl.so.0.9.8

Don't mind the « libsslcrypto » ...

I've tried to run « execstack » on « /usr/lib64/php/modules/ZendDebugger.so » but I recived :

> [root@fedora modules]# execstack ZendDebugger.so
> X ZendDebugger.so

Don't mind !

I've change the SELinux context for Zend Debugger :
> # semanage fcontext -a -t lib_t '/usr/lib64/php/modules/ZendDebugger.so'
> # restorecon -R -v /usr/lib64/php/modules/

You have to enable « execstack » for Apache :
> # setsebool -P httpd_execmem on

Restart your computer !

I hope this help ...

Malo

[clarkmills]

Hi guys.

Firstly I am no SELinux expert, but we did not want our server running with SELinux disabled (setenforce 0).
These notes are for a 64 bit Scientific Linux 6.0 box running Zend Server 5.3.
These notes may have absolutely no relevance to what you are doing and are only mentioned in case you are desperate. :)

Aside from the things in the above articles I did the following:

/usr/local/zend/bin/zendctl.sh stop
chcon --reference /tmp -R /usr/local/zend/tmp/
chcon --reference /var/log/ /usr/local/zend/var/log/
chcon -t httpd_tmp_t /usr/local/zend/var/log/*.log

# For Zend Java Bridge
semanage port -a -t http_port_t -p tcp 10001

setenforce 1
/usr/local/zend/bin/zendctl.sh start

Odds are you will need to re-apply these settings after a relabel / upgrade.
This may be Scientific Linux specific, we usually run CentOS or RHEL but this box was built when CentOS didn't have a 6 release out.

Cheers... Clark

[xquarkf]

After testing he whole recommendations in this thread without any luck (sum may work, but none is permanent, I am on Centos 5.8), I came across this solution, by reading: wiki . centos . org/HowTos/SELinux

Code: Select all

Stopping httpd:                                            [FAILED]
Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/zendserver_php.conf: Cannot load /usr/local/zend/lib/apache2/libphp5. so into server: /usr/local/zend/lib/apache2/libphp5. so: cannot enable executable stack as shared object requires: Permission denied
                                                           [FAILED]

do not change selinux enforcing, with enforcing enabled, first find out what rules should be set:

Code: Select all

grep httpd_t /var/log/audit/audit.log | audit2allow

if this seems OK to you, make a module for selinux:

Code: Select all

grep httpd_t /var/log/audit/audit.log | audit2allow -M myhttpdrule

then enable it:

Code: Select all

semodule -i myhttpdrule.pp

restart httpd:

Code: Select all

service httpd restart

and if any errors, or not run the above commands again to make sure no other rules should be in place...
for me the command produces these rules:

Code: Select all

   #============= httpd_t ==============
   allow httpd_t amanda_port_t:tcp_socket name_bind;
   allow httpd_t file_t:dir { search getattr setattr };
   allow httpd_t file_t:file getattr;
   allow httpd_t self:capability ipc_owner;
   allow httpd_t self:process { execstack execmem };
   allow httpd_t usr_t:file { write append };


I am not sure if these rules are correct, if they are too open, and may reduce the server security or not, so if any one could tell me about them, that would be great.
Thanks everyone for your post.

[klassicd]

Thanks Jess that works great for CentOS 5.8.