On Mon, 5 Aug 2002 19:43, Chris Vance wrote:
> On Mon, 5 Aug 2002, Russell Coker wrote:
> > Aug ?5 10:58:57 ns kernel: avc: ?denied ?null for ?pid=30897
> > exe=/usr/sbin/apache IPCID=0 scontext=system_u:system_r:httpd_t
> > tcontext=system_u:system_r:httpd_t tclass=shm
> > Aug ?5 10:58:57 ns kernel: avc: ?denied ?null for ?pid=30897
> > exe=/usr/sbin/apache IPCID=0 scontext=system_u:system_r:httpd_t
> > tcontext=system_u:system_r:httpd_t tclass=shm
> >
> > The above messages are appearing on a system running a version of SE
> > Linux that's not the latest (running the original 2002.07.03 release).
>
> The above message indicates that the requested permission is null. In
> this particular case, it looks like apache is calling shmget() with a
> requested permission that does not include read or write access. This can
> be a permission of '0000', '0111' or similar. In May of this year a
> change to the AVC causes this access request to be explicitly denied.
>
> The kernel code path accepts this, and subsequently the ipc_permission()
> hook is called. The SELinux implementation currently applies masks for
> read and write permissions, and not finding these checks for no (null)
> permission. We are looking at the logic here and will likely make a
> change, as this denial is not the expected behaviour.

So you are saying that this is a bug in Apache which causes an unexpected parameter to a system call, and that parameter is not handled correctly due to a bug in SE Linux?

Russell Coker

--
You have received this message because you are subscribed to the selinux list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.