03-25-2010, 11:06 AM
yersinia

selinux broke httpd: libxml2.so.2: failed to map segment from shared object: Permission denied

On Thu, Mar 25, 2010 at 3:57 AM, Aleksey Tsalolikhin <atsaloli.tech@gmail.com> wrote:

> Hi. httpd used to work but now does not start up.
>
> I googled the above error message but all I could find were web pages in Chinese
> advising to run restorecon on libxml2.so file or turn off SElinux.
>
> Any suggestions on how to investigate this?

Try

# Turn on all AVC Messages for which SELinux currently is "dontaudit"ing.
$ semodule -DB

and see if there are any AVC

> Thanks,
> Aleksey
> --
> selinux mailing list
> selinux@lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/selinux



 
03-28-2010, 06:17 AM
Aleksey Tsalolikhin

selinux broke httpd: libxml2.so.2: failed to map segment from shared object: Permission denied

On Thu, Mar 25, 2010 at 5:18 AM, Daniel J Walsh <dwalsh@redhat.com> wrote:
> On 03/24/2010 10:57 PM, Aleksey Tsalolikhin wrote:
>>
>> Hi. httpd used to work but now does not start up.
>>
>> Error message:
>>
>>     Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf:
>>     Cannot load /etc/httpd/modules/libphp5.so into server:
>>     libxml2.so.2: failed to map segment from shared object: Permission denied
>>
>> I can start httpd if I turn off SElinux, but I want to figure this out
>> and re-enable
>> SELinux.
>>
>>
>> SElinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t )
>> and "restorecon -n libxml.so.2.6.26" does not return anything so the
>> labels match default. (libxml.so.2 is a symlink to 2.6.26)
>>
>> No recent AVC denied entries in /var/log/audit/audit.log or
>> /var/log/messages. (One did not get logged when I tried to start httpd
>> and failed.)
>>
>> I googled the above error message but all I could find were web pages in
>> Chinese
>> advising to run restorecon on libxml2.so file or turn off SElinux.

OK, here's what happened:

We had added /opt/PostgreSQL/8.4/lib to LD_LIBRARY_PATH in /etc/profile as we wanted our in-house python daemon to use the PostgreSQL 8.4 client, as we were seeing a memory leak using 8.1 but not 8.4.

Turned out there was a libxml2.so.2 in the PostgreSQL lib directory and the httpd was trying to pick it up instead of /usr/lib64/libxml2.so.2, and failing as it had a "usr_t" instead of "lib_t" label.

[root@hwd-ddc-app01-prod01 modules]# ldd /etc/httpd/modules/libphp5.so
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b9640e52000)
libaspell.so.15 => /usr/lib64/libaspell.so.15 (0x00002b964108a000)
libpspell.so.15 => /usr/lib64/libpspell.so.15 (0x00002b964135a000)
libgmp.so.3 => /usr/lib64/libgmp.so.3 (0x00002b964155c000)
libcurl.so.3 => /usr/lib64/libcurl.so.3 (0x00002b9641795000)
libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x00002b96419d2000)
libz.so.1 => /usr/lib64/libz.so.1 (0x00002b9641be3000)
libpcre.so.0 => /lib64/libpcre.so.0 (0x00002b9641df7000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b9642013000)
libm.so.6 => /lib64/libm.so.6 (0x00002b9642229000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002b96424ac000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b96426b0000)

libxml2.so.2 => /opt/PostgreSQL/8.4/lib/libxml2.so.2 (0x00002b96428c9000) <----- our culprit

libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002b9642b08000)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b9642d36000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b9642fcc000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b96431f1000)
libssl.so.6 => /lib64/libssl.so.6 (0x00002b96433f3000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b964363e000)
libidn.so.11 => /usr/lib64/libidn.so.11 (0x00002b964398f000)
libc.so.6 => /lib64/libc.so.6 (0x00002b9643bc0000)
libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00002b9643f18000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00002b9644218000)
/lib64/ld-linux-x86-64.so.2 (0x0000003c3e000000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002b9644427000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b964462f000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b9644832000)
libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b9644a4a000)
[root@hwd-ddc-app01-prod01 modules]# ls -l /opt/PostgreSQL/8.4/lib/libxml2.so.2
-rwxr-xr-x 1 root daemon 4115398 Dec 10 02:41 /opt/PostgreSQL/8.4/lib/libxml2.so.2
[root@hwd-ddc-app01-prod01 modules]# ls -lZ /opt/PostgreSQL/8.4/lib/libxml2.so.2
-rwxr-xr-x root daemon user_u:object_r:usr_t /opt/PostgreSQL/8.4/lib/libxml2.so.2
[root@hwd-ddc-app01-prod01 modules]#

I fixed this by adding "unset LD_LIBRARY_PATH" to /etc/init.d/httpd. Now we load /usr/lib64/libxml2.so.2, which has the correct label (lib_t).

I think I'll change this by moving the LD_LIBRARY_PATH setting from /etc/profile into the startup script for the python daemon, so I can have a vanilla /etc/init.d/httpd.

Thank you very much for your help!
Aleksey
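
A check for the failure diagnosed in this thread, as an added example that is not part of the original posts: it reads `ldd` output and flags any library resolved outside the system library directories, which is how a stray `LD_LIBRARY_PATH` entry shows up. The `TRUSTED_DIRS` list and the function names are assumptions; the sample input is an excerpt of the `ldd` output posted above.

```shell
#!/bin/sh
# Added example, not from the thread: flag libraries that ldd resolves
# outside the system library directories.

# Assumption: these are the host's standard library locations.
TRUSTED_DIRS="/lib /lib64 /usr/lib /usr/lib64"

# Reads ldd output on stdin; prints "soname path" for each library whose
# resolved path is not under one of TRUSTED_DIRS.
flag_nonsystem_libs() {
    while read -r soname arrow path _rest; do
        # Only "name => /abs/path (addr)" lines are search-path resolutions;
        # this skips the loader line, "not found" and the vdso entry.
        [ "$arrow" = "=>" ] || continue
        case "$path" in /*) ;; *) continue ;; esac
        trusted=no
        for d in $TRUSTED_DIRS; do
            case "$path" in "$d"/*) trusted=yes; break ;; esac
        done
        [ "$trusted" = yes ] || printf '%s %s\n' "$soname" "$path"
    done
}

# Excerpt of the ldd output posted in the thread, used as offline sample input.
sample_ldd() {
    cat <<'EOF'
    libz.so.1 => /usr/lib64/libz.so.1 (0x00002b9641be3000)
    libxml2.so.2 => /opt/PostgreSQL/8.4/lib/libxml2.so.2 (0x00002b96428c9000)
    libc.so.6 => /lib64/libc.so.6 (0x00002b9643bc0000)
    /lib64/ld-linux-x86-64.so.2 (0x0000003c3e000000)
EOF
}

if [ $# -ge 1 ]; then
    # Real run: resolve $1 under the current environment and show the SELinux
    # label of every flagged file, since that is the file the domain must map.
    echo "LD_LIBRARY_PATH=${LD_LIBRARY_PATH:-<unset>}"
    ldd "$1" | flag_nonsystem_libs | while read -r soname path; do
        echo "$soname -> $path"
        ls -Z "$path"
    done
else
    sample_ldd | flag_nonsystem_libs
fi
```

Run it with a module path as the first argument, from the same environment that starts the daemon, to inspect real `ldd` output instead of the embedded sample.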
 
