Hi. httpd used to work but now does not start up.
Error message:
Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf: Cannot load /etc/httpd/modules/libphp5.so into server: libxml2.so.2: failed to map segment from shared object: Permission denied
I can start httpd if I turn off SELinux, but I want to figure this out and re-enable SELinux.
SELinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t ) and "restorecon -n libxml.so.2.6.26" does not return anything so the labels match default. (libxml.so.2 is a symlink to 2.6.26)
No recent AVC denied entries in /var/log/audit/audit.log or /var/log/messages. (One did not get logged when I tried to start httpd and failed.)
I googled the above error message but all I could find were web pages in Chinese advising to run restorecon on libxml2.so file or turn off SElinux.
Any suggestions on how to investigate this?
Thanks, Aleksey
On 25/03/10 02:57, Aleksey Tsalolikhin wrote:
> Hi. httpd used to work but now does not start up.
> Error message:
> Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf: Cannot load /etc/httpd/modules/libphp5.so into server:
> libxml2.so.2: failed to map segment from shared object: Permission denied
> I can start httpd if I turn off SELinux, but I want to figure this out and re-enable SELinux.
> SELinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t ) and "restorecon -n libxml.so.2.6.26" does not return anything so the labels match default. (libxml.so.2 is a symlink to 2.6.26)
> No recent AVC denied entries in /var/log/audit/audit.log or /var/log/messages. (One did not get logged when I tried to start httpd and failed.)
> I googled the above error message but all I could find were web pages in Chinese advising to run restorecon on libxml2.so file or turn off SELinux.
> Any suggestions on how to investigate this?
Has libxml2 on your system recently changed, and if so, where did it come from?
Paul.
On Thu, Mar 25, 2010 at 3:57 AM, Aleksey Tsalolikhin <atsaloli.tech@gmail.com> wrote:
> Hi. httpd used to work but now does not start up.
> I googled the above error message but all I could find were web pages in Chinese advising to run restorecon on libxml2.so file or turn off SELinux.
> Any suggestions on how to investigate this?
Try

# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
$ semodule -DB

and see if there are any AVC
> Thanks, Aleksey
On 03/24/2010 10:57 PM, Aleksey Tsalolikhin wrote:
> Hi. httpd used to work but now does not start up.
> Error message:
> Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf: Cannot load /etc/httpd/modules/libphp5.so into server:
> libxml2.so.2: failed to map segment from shared object: Permission denied
> I can start httpd if I turn off SELinux, but I want to figure this out and re-enable SELinux.
> SELinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t ) and "restorecon -n libxml.so.2.6.26" does not return anything so the labels match default. (libxml.so.2 is a symlink to 2.6.26)
> No recent AVC denied entries in /var/log/audit/audit.log or /var/log/messages. (One did not get logged when I tried to start httpd and failed.)
> I googled the above error message but all I could find were web pages in Chinese advising to run restorecon on libxml2.so file or turn off SELinux.
> Any suggestions on how to investigate this?
> Thanks, Aleksey
I would suspect you have an execmod problem.
Look at
http://people.redhat.com/~drepper/selinux-mem.html
SELinux will allow a badly built library to be loaded by changing its context to textrel_shlib_t.
You could try

# chcon -t textrel_shlib_t libxml.so.2.6.26

And see if SELinux allows the access.
If you are getting no avc messages they could be dontaudited. Although I would be surprised.
# semodule -DB
Will turn off the dontaudit rules. This will generate AVC messages for all blocked access.
You can turn the rules back on by executing
# semodule -B
On Thu, Mar 25, 2010 at 5:18 AM, Daniel J Walsh dwalsh@redhat.com wrote:
> On 03/24/2010 10:57 PM, Aleksey Tsalolikhin wrote:
>> Hi. httpd used to work but now does not start up.
>> Error message:
>> Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf: Cannot load /etc/httpd/modules/libphp5.so into server: libxml2.so.2: failed to map segment from shared object: Permission denied
>> I can start httpd if I turn off SELinux, but I want to figure this out and re-enable SELinux.
>> SELinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t ) and "restorecon -n libxml.so.2.6.26" does not return anything so the labels match default. (libxml.so.2 is a symlink to 2.6.26)
>> No recent AVC denied entries in /var/log/audit/audit.log or /var/log/messages. (One did not get logged when I tried to start httpd and failed.)
>> I googled the above error message but all I could find were web pages in Chinese advising to run restorecon on libxml2.so file or turn off SELinux.
OK, here's what happened:
We had added /opt/PostgreSQL/8.4/lib to LD_LIBRARY_PATH in /etc/profile as we wanted our in-house python daemon to use PostgreSQL 8.4 client as we were seeing memory leak using 8.1 but not 8.4.
Turned out there was a libxml2.so.2 in the PostgreSQL lib directory and the httpd was trying to pick it up instead of /usr/lib64/libxml2.so.2, and failing as it had a "usr_t" instead of "lib_t" label.
[root@hwd-ddc-app01-prod01 modules]# ldd /etc/httpd/modules/libphp5.so
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b9640e52000)
        libaspell.so.15 => /usr/lib64/libaspell.so.15 (0x00002b964108a000)
        libpspell.so.15 => /usr/lib64/libpspell.so.15 (0x00002b964135a000)
        libgmp.so.3 => /usr/lib64/libgmp.so.3 (0x00002b964155c000)
        libcurl.so.3 => /usr/lib64/libcurl.so.3 (0x00002b9641795000)
        libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x00002b96419d2000)
        libz.so.1 => /usr/lib64/libz.so.1 (0x00002b9641be3000)
        libpcre.so.0 => /lib64/libpcre.so.0 (0x00002b9641df7000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b9642013000)
        libm.so.6 => /lib64/libm.so.6 (0x00002b9642229000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00002b96424ac000)
        libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b96426b0000)
        libxml2.so.2 => /opt/PostgreSQL/8.4/lib/libxml2.so.2 (0x00002b96428c9000) <----- our culprit
        libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002b9642b08000)
        libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b9642d36000)
        libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b9642fcc000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b96431f1000)
        libssl.so.6 => /lib64/libssl.so.6 (0x00002b96433f3000)
        libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b964363e000)
        libidn.so.11 => /usr/lib64/libidn.so.11 (0x00002b964398f000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b9643bc0000)
        libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00002b9643f18000)
        libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00002b9644218000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003c3e000000)
        libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002b9644427000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b964462f000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b9644832000)
        libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b9644a4a000)
[root@hwd-ddc-app01-prod01 modules]# ls -l /opt/PostgreSQL/8.4/lib/libxml2.so.2
-rwxr-xr-x 1 root daemon 4115398 Dec 10 02:41 /opt/PostgreSQL/8.4/lib/libxml2.so.2
[root@hwd-ddc-app01-prod01 modules]# ls -lZ /opt/PostgreSQL/8.4/lib/libxml2.so.2
-rwxr-xr-x root daemon user_u:object_r:usr_t /opt/PostgreSQL/8.4/lib/libxml2.so.2
[root@hwd-ddc-app01-prod01 modules]#
I fixed this by adding "unset LD_LIBRARY_PATH" to /etc/init.d/httpd. Now we load /usr/lib64/libxml2.so.2 which has the correct label (lib_t)
I think I'll change this by moving the LD_LIBRARY_PATH setting from /etc/profile into the startup script for the python daemon, so I can have a vanilla /etc/init.d/httpd
Thank you very much for your help! Aleksey
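
The check that found the culprit above can be scripted. The following is an added example, not part of the original thread: it filters `ldd` output for libraries resolved outside the system library directories, shows their SELinux label, and repeats the lookup with LD_LIBRARY_PATH removed. The function names and the TRUSTED_DIRS list are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread.
# Assumption: system libraries live under these directories (RHEL-style layout).
TRUSTED_DIRS="/lib /lib64 /usr/lib /usr/lib64"

# Read `ldd` output on stdin and print "soname path" for every library the
# loader resolved outside TRUSTED_DIRS.
find_foreign_libs() {
    while read -r soname arrow path _; do
        [ "$arrow" = "=>" ] || continue                 # loader line has no "=>"
        case "$path" in /*) ;; *) continue ;; esac      # "not found", vdso
        trusted=no
        for dir in $TRUSTED_DIRS; do
            case "$path" in "$dir"/*) trusted=yes ;; esac
        done
        [ "$trusted" = yes ] || printf '%s %s\n' "$soname" "$path"
    done
}

# Sample input: four lines taken from the ldd output quoted in the thread.
sample_ldd_output() {
    cat <<'EOF'
        libz.so.1 => /usr/lib64/libz.so.1 (0x00002b9641be3000)
        libxml2.so.2 => /opt/PostgreSQL/8.4/lib/libxml2.so.2 (0x00002b96428c9000)
        libc.so.6 => /lib64/libc.so.6 (0x00002b9643bc0000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003c3e000000)
EOF
}

# With an argument (e.g. /etc/httpd/modules/libphp5.so) inspect that module;
# without one, run the filter over the sample input.
if [ "$#" -ge 1 ]; then
    echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-<unset>}"
    ldd "$1" | find_foreign_libs | while read -r soname path; do
        echo "foreign: $soname -> $path"
        ls -LZ "$path"    # label of the file that actually gets mapped
    done
    echo "Same module with LD_LIBRARY_PATH removed:"
    env -u LD_LIBRARY_PATH ldd "$1" | find_foreign_libs
else
    sample_ldd_output | find_foreign_libs
fi
```

Run it from the same shell that starts the service, since `ldd` honours the LD_LIBRARY_PATH of the environment it runs in.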