On 03/24/2010 10:57 PM, Aleksey Tsalolikhin wrote:
> Hi. httpd used to work but now does not start up.
>
> Error message:
>
> Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf:
> Cannot load /etc/httpd/modules/libphp5.so into server:
> libxml2.so.2: failed to map segment from shared object: Permission
> denied
>
> I can start httpd if I turn off SELinux, but I want to figure this out
> and re-enable SELinux.
>
> SELinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t )
> and "restorecon -n libxml.so.2.6.26" does not return anything so the
> labels match default. (libxml.so.2 is a symlink to 2.6.26)
>
> No recent AVC denied entries in /var/log/audit/audit.log or
> /var/log/messages. (One did not get logged when I tried to start httpd
> and failed.)
>
> I googled the above error message but all I could find were web pages
> in Chinese advising to run restorecon on libxml2.so file or turn off
> SELinux.
>
> Any suggestions on how to investigate this?
>
> Thanks,
> Aleksey
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux
>

I would suspect you have an execmod problem.

Look at http://people.redhat.com/~drepper/selinux-mem.html

SELinux will allow a badly built library to be loaded by changing its
context to textrel_shlib_t.

You could try

chcon -t textrel_shlib_t libxml.so.2.6.26

And see if SELinux allows the access.

If you are getting no avc messages they could be dontaudited. Although I
would be surprised.

# semodule -DB

Will turn off the dontaudit rules. This will generate AVC messages for
all blocked access. You can turn the rules back on by executing

# semodule -B
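
Added example, not part of the original thread: once "semodule -DB" has disabled the dontaudit rules, audit.log fills with AVC messages, and this sketch filters them down to the memory-protection denials (execmod and its siblings) for one command. The log lines, paths and the function names are constructed for illustration.

```python
import re

# The four SELinux memory-protection permissions; execmod is the one suspected above.
MEM_PERMS = {"execmod", "execmem", "execstack", "execheap"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit.log content (not taken from the poster's system).
SAMPLE_LOG = "\n".join([
    'type=AVC msg=audit(1269486000.101:201): avc:  denied  { execmod } for  pid=4321 '
    'comm="httpd" path="/usr/lib/libxml2.so.2.6.26" dev=dm-0 ino=98765 '
    'scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file',
    'type=AVC msg=audit(1269486000.102:202): avc:  denied  { siginh } for  pid=4321 '
    'comm="httpd" scontext=user_u:system_r:initrc_t:s0 '
    'tcontext=user_u:system_r:httpd_t:s0 tclass=process',
    'type=AVC msg=audit(1269486000.103:203): avc:  denied  { execmem } for  pid=4400 '
    'comm="java" scontext=user_u:system_r:initrc_t:s0 '
    'tcontext=user_u:system_r:initrc_t:s0 tclass=process',
    'type=SYSCALL msg=audit(1269486000.101:201): arch=c000003e syscall=10 success=no exit=-13',
])

def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None for other records."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    rec["perms"] = set(m.group(1).split())
    return rec

def memory_denials(log_text, comm=None):
    """Denials involving a memory-protection permission, optionally for one command."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or not (rec["perms"] & MEM_PERMS):
            continue
        if comm and rec.get("comm") != comm:
            continue
        hits.append(rec)
    return hits

def target_type(rec):
    """Type field of the target context (user:role:type[:level])."""
    return rec["tcontext"].split(":")[2]

if __name__ == "__main__":
    for r in memory_denials(SAMPLE_LOG, comm="httpd"):
        print(sorted(r["perms"]), r.get("path"), target_type(r))
```

An execmod denial whose target type is lib_t is the case where relabelling the library to textrel_shlib_t, as suggested above, is the thing to test.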