Bug 171941 - SELinux apache policy does not permit execmod (e.g. for php)
Summary: SELinux apache policy does not permit execmod (e.g. for php)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened (show other bugs)
Hardware: x86 Linux
Importance: High normal
Assignee: SE Linux Bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-03-23 17:12 UTC by Michael Edenfield
Modified: 2007-08-26 00:57 UTC (History)

See Also:
Package list:
Runtime testing required: ---
Description Michael Edenfield 2007-03-23 17:12:27 UTC
The apache policy does not give httpd_t 'execmod' permissions to its modules.  PHP, and possibly other modules, have text relocations and require 'execmod' permissions.  The problem appears to result from libphp5.so being labelled differently from most other shared libraries, by nature of being in the apache modules path.  'execmod' is granted to files labelled with shlib_t and textrel_shlib_t, but not httpd_modules_t.

The current policy includes the following template for granting access to the modules:

interface(`apache_exec_modules',`
        gen_require(`
                type httpd_modules_t;
        ')

        allow $1 httpd_modules_t:dir r_dir_perms;
        allow $1 httpd_modules_t:lnk_file r_file_perms;
        can_exec($1,httpd_modules_t)
')

Note, however, that "can_exec" does not supply execmod permission.  Adding:

allow $1 httpd_modules_t:file execmod;

to this template should correct the problem, though there may be a more appropriate solution.


Reproducible: Always

Steps to Reproduce:
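To triage a denial like the one described above, this added example (not part of the bug report or of the Gentoo policy) parses an AVC line, flags execmod-on-file as a text-relocation symptom, and generates the fallback local policy module carrying the allow rule proposed in the description. The AVC line and the module name httpd_execmod_local are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample AVC line of the kind the report mentions (not copied from the bug).
SAMPLE_AVC = (
    'type=AVC msg=audit(1174669947.123:45): avc:  denied  { execmod } for  pid=4321 '
    'comm="apache2" path="/usr/lib/apache2/modules/libphp5.so" dev=sda3 ino=98765 '
    'scontext=system_u:system_r:httpd_t tcontext=system_u:object_r:httpd_modules_t tclass=file'
)

_AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'(?:path="(?P<path>[^"]*)".*?)?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

@dataclass
class AvcDenial:
    perms: List[str]
    path: Optional[str]
    source_type: str   # type component of scontext, e.g. httpd_t
    target_type: str   # type component of tcontext, e.g. httpd_modules_t
    tclass: str

def parse_avc(line: str) -> Optional[AvcDenial]:
    """Pull the fields that matter for triage out of one audit/dmesg AVC line."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is the third component.
    stype = m.group('scontext').split(':')[2]
    ttype = m.group('tcontext').split(':')[2]
    return AvcDenial(m.group('perms').split(), m.group('path'), stype, ttype, m.group('tclass'))

def classify(d: AvcDenial) -> str:
    """'textrel' when a domain needs execmod on a file: the object carries text
    relocations, so the loader must make a mapping writable and then executable."""
    return 'textrel' if 'execmod' in d.perms and d.tclass == 'file' else 'other'

def local_policy_module(d: AvcDenial, name: str = 'httpd_execmod_local') -> str:
    """Fallback only: a local .te granting exactly the denied execmod, mirroring the
    allow line proposed in the report. Rebuilding the object as PIC is the better fix."""
    return (f"policy_module({name}, 1.0)\n"
            "gen_require(`\n"
            f"\ttype {d.source_type};\n\ttype {d.target_type};\n')\n"
            f"allow {d.source_type} {d.target_type}:file execmod;\n")
```

Prefer checking the module with `readelf -d libphp5.so | grep TEXTREL` and rebuilding it with USE="pic" before loading the generated module, since the allow rule removes a W^X guarantee for every file labelled httpd_modules_t.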
Comment 1 Chris PeBenito (RETIRED) gentoo-dev 2007-03-25 20:52:30 UTC
This means that php has text relocations; please try remerging it with USE=pic.
Comment 2 Chris PeBenito (RETIRED) gentoo-dev 2007-08-20 04:34:58 UTC
Can you confirm if recompiling php with USE=pic fixed this?
Comment 3 Michael Edenfield 2007-08-22 00:52:03 UTC
(In reply to comment #2)
> can you confirm if recompiling php with USE=pic fixed this?

I'm not running PHP on our secured servers anymore, but it was removed for reasons unrelated to SELinux. As far as I can tell the "pic" flag made it function properly, but I can't confirm that it works as of right now.

I can reinstall it if you would like me to try, but it's not a problem for me anymore so you can also just close the bug :)
Comment 4 Chris PeBenito (RETIRED) gentoo-dev 2007-08-22 01:46:53 UTC
good enough for me
Comment 5 Michael Edenfield 2007-08-26 00:57:28 UTC
(In reply to comment #4)
> good enough for me

For future reference, I can confirm that this works.  I installed the latest apache2+php5 on a SELinux-secured server.  Without USE="pic" I get the same AVC audit message; with USE="pic" the error does go away.