03-25-2010, 08:22 AM
Paul Howarth

selinux broke httpd: libxml2.so.2: failed to map segment from shared object: Permission denied

On 25/03/10 02:57, Aleksey Tsalolikhin wrote:
> Hi. httpd used to work but now does not start up.
>
> Error message:
>
> Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf:
> Cannot load /etc/httpd/modules/libphp5.so into server:
> libxml2.so.2: failed to map segment from shared object: Permission
> denied
>
> I can start httpd if I turn off SElinux, but I want to figure this out
> and re-enable
> SELinux.
>
>
> SElinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t )
> and "restorecon -n libxml.so.2.6.26" does not return anything so the
> labels match default. (libxml.so.2 is a symlink to 2.6.26)
>
> No recent AVC denied entries in /var/log/audit/audit.log or
> /var/log/messages. (One did not get logged when I tried to start httpd
> and failed.)
>
> I googled the above error message but all I could find were web pages in Chinese
> advising to run restorecon on libxml2.so file or turn off SElinux.
>
> Any suggestions on how to investigate this?

Has libxml2 on your system recently changed, and if so, where did it
come from?

Paul.
--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
 
03-25-2010, 11:18 AM
Daniel J Walsh

selinux broke httpd: libxml2.so.2: failed to map segment from shared object: Permission denied

On 03/24/2010 10:57 PM, Aleksey Tsalolikhin wrote:
> Hi. httpd used to work but now does not start up.
>
> Error message:
>
> Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf:
> Cannot load /etc/httpd/modules/libphp5.so into server:
> libxml2.so.2: failed to map segment from shared object: Permission
> denied
>
> I can start httpd if I turn off SElinux, but I want to figure this out
> and re-enable
> SELinux.
>
>
> SElinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t )
> and "restorecon -n libxml.so.2.6.26" does not return anything so the
> labels match default. (libxml.so.2 is a symlink to 2.6.26)
>
> No recent AVC denied entries in /var/log/audit/audit.log or
> /var/log/messages. (One did not get logged when I tried to start httpd
> and failed.)
>
> I googled the above error message but all I could find were web pages in Chinese
> advising to run restorecon on libxml2.so file or turn off SElinux.
>
> Any suggestions on how to investigate this?
>
> Thanks,
> Aleksey
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>
I would suspect you have an execmod problem.

Look at

http://people.redhat.com/~drepper/selinux-mem.html

SELinux will allow a badly built library to be loaded by changing its
context to textrel_shlib_t.

You could try
chcon -t textrel_shlib_t libxml.so.2.6.26

And see if SELinux allows the access.

If you are getting no avc messages they could be dontaudited. Although
I would be surprised.

# semodule -DB

Will turn off the dontaudit rules. This will generate AVC messages for
all blocked access.

You can turn the rules back on by executing

# semodule -B



--
selinux mailing list
selinux@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
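
Added example, not part of the original thread or of any poster's message: once dontaudit rules are disabled with `semodule -DB` and the httpd start is retried, a filter like this pulls the execmod denials out of the audit log and shows which file and label are involved. The function name and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample audit records (not from the thread), in auditd's AVC format.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1269500000.101:501): avc:  denied  { read } for  pid=2200 comm="httpd" name="index.html" dev=dm-0 ino=777 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1269500000.202:502): avc:  denied  { execmod } for  pid=2201 comm="httpd" path="/usr/lib/libxml2.so.2.6.26" dev=dm-0 ino=4242 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1269500000.202:502): arch=40000003 syscall=125 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"'

# Read audit records on stdin; for every AVC denial whose permission set
# includes execmod, print: <comm> <path> <SELinux type of the target file>.
# Assumes the path contains no spaces.
execmod_denials() {
    awk '
    /avc:/ && /denied/ && /[{] ([a-z_]+ )*execmod / {
        comm = ""; path = ""; tctx = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/)     { comm = substr($i, 6) }
            if ($i ~ /^path=/)     { path = substr($i, 6) }
            if ($i ~ /^tcontext=/) { tctx = substr($i, 10) }
        }
        gsub(/"/, "", comm); gsub(/"/, "", path)
        split(tctx, c, ":")          # user:role:type[:level]
        print comm, path, c[3]
    }'
}

# Demo on the constructed sample; prints one line for the execmod record.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | execmod_denials
```

On a real system the input would be `/var/log/audit/audit.log`, followed by `semodule -B` to turn the dontaudit rules back on. A reported type of lib_t rather than textrel_shlib_t corresponds to the situation described in the reply above.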
 
