On Thu, Mar 25, 2010 at 5:18 AM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> On 03/24/2010 10:57 PM, Aleksey Tsalolikhin wrote:
>>
>> Hi. httpd used to work but now does not start up.
>>
>> Error message:
>>
>> Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf:
>> Cannot load /etc/httpd/modules/libphp5.so into server:
>> libxml2.so.2: failed to map segment from shared object: Permission
>> denied
>>
>> I can start httpd if I turn off SElinux, but I want to figure this out
>> and re-enable
>> SELinux.
>>
>>
>> SElinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t )
>> and "restorecon -n libxml.so.2.6.26" does not return anything so the
>> labels match default. (libxml.so.2 is a symlink to 2.6.26)
>>
>> No recent AVC denied entries in /var/log/audit/audit.log or
>> /var/log/messages. (One did not get logged when I tried to start httpd
>> and failed.)
>>
>> I googled the above error message but all I could find were web pages in
>> Chinese
>> advising to run restorecon on libxml2.so file or turn off SElinux.
OK, here's what happened:
We had added /opt/PostgreSQL/8.4/lib to LD_LIBRARY_PATH in
/etc/profile as we wanted our in-house python daemon to use PostgreSQL 8.4
client as we were seeing memory leak using 8.1 but not 8.4.
Turned out there was a libxml2.so.2 in the PostgreSQL lib directory
and the httpd was trying
to pick it up instead of /usr/lib64/libxml2.so.2, and failing as it
had a "usr_t" instead of "lib_t" label.
[root@hwd-ddc-app01-prod01 modules]# ldd /etc/httpd/modules/libphp5.so
libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b9640e52000)
libaspell.so.15 => /usr/lib64/libaspell.so.15 (0x00002b964108a000)
libpspell.so.15 => /usr/lib64/libpspell.so.15 (0x00002b964135a000)
libgmp.so.3 => /usr/lib64/libgmp.so.3 (0x00002b964155c000)
libcurl.so.3 => /usr/lib64/libcurl.so.3 (0x00002b9641795000)
libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x00002b96419d2000)
libz.so.1 => /usr/lib64/libz.so.1 (0x00002b9641be3000)
libpcre.so.0 => /lib64/libpcre.so.0 (0x00002b9641df7000)
libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b9642013000)
libm.so.6 => /lib64/libm.so.6 (0x00002b9642229000)
libdl.so.2 => /lib64/libdl.so.2 (0x00002b96424ac000)
libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b96426b0000)
libxml2.so.2 => /opt/PostgreSQL/8.4/lib/libxml2.so.2
(0x00002b96428c9000) <----- our culprit
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2
(0x00002b9642b08000)
libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b9642d36000)
libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b9642fcc000)
libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b96431f1000)
libssl.so.6 => /lib64/libssl.so.6 (0x00002b96433f3000)
libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b964363e000)
libidn.so.11 => /usr/lib64/libidn.so.11 (0x00002b964398f000)
libc.so.6 => /lib64/libc.so.6 (0x00002b9643bc0000)
libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00002b9643f18000)
libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00002b9644218000)
/lib64/ld-linux-x86-64.so.2 (0x0000003c3e000000)
libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0
(0x00002b9644427000)
libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b964462f000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b9644832000)
libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b9644a4a000)
[root@hwd-ddc-app01-prod01 modules]# ls -l /opt/PostgreSQL/8.4/lib/libxml2.so.2
-rwxr-xr-x 1 root daemon 4115398 Dec 10 02:41
/opt/PostgreSQL/8.4/lib/libxml2.so.2
[root@hwd-ddc-app01-prod01 modules]# ls -lZ /opt/PostgreSQL/8.4/lib/libxml2.so.2
-rwxr-xr-x root daemon user_u:object_r:usr_t
/opt/PostgreSQL/8.4/lib/libxml2.so.2
[root@hwd-ddc-app01-prod01 modules]#
I fixed this by adding "unset LD_LIBRARY_PATH" to /etc/init.d/httpd. Now we load
/usr/lib64/libxml2.so.2 which has the correct label (lib_t)
I think I'll change this by moving the LD_LIBRARY_PATH setting from /etc/profile
into the startup script for the python daemon, so I can have a vanilla
/etc/init.d/httpd
Thank you very much for your help!
Aleksey
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
