Re: [lopsa-tech] any suggestions how to investigate SELinux issue? Can no longer start httpd, get " libxml2.so.2: failed to map segment from shared object: Permission denied"

Sat, 27 Mar 2010 23:20:38 -0700 

On Wed, Mar 24, 2010 at 7:59 PM, Aleksey Tsalolikhin
<[email protected]> wrote:
> Hi.  httpd used to work but now does not start up.
>
> Error message:
>
>    Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf:
>    Cannot load /etc/httpd/modules/libphp5.so into server:
> libxml2.so.2: failed to map segment from shared object: Permission
> denied
>
> I can start httpd if I turn off SElinux, but I want to figure this out
> and re-enable
> SELinux.
>
>
> SElinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t )
> and "restorecon -n libxml.so.2.6.26" does not return anything so the
> labels match default.  (libxml.so.2 is a symlink to 2.6.26)
>
> No recent AVC denied entries in /var/log/audit/audit.log or
> /var/log/messages. (One did not get logged when I tried to start httpd
> and failed.)
>
> I googled the above error message but all I could find were web pages in 
> Chinese
> advising to run restorecon on libxml2.so file or turn off SElinux.



OK, here's what happened:

We had added  /opt/PostgreSQL/8.4/lib to LD_LIBRARY_PATH in
/etc/profile as we wanted our in-house python daemon to use PostgreSQL 8.4
client as we were seeing memory leak using 8.1 but not 8.4.

Turned out there was a libxml2.so.2 in the PostgreSQL lib directory
and the httpd was trying
to pick it up instead of /usr/lib64/libxml2.so.2, and failing as it
had a "usr_t" instead of "lib_t" label.

# ldd /etc/httpd/modules/libphp5.so
...
        libxml2.so.2 => /opt/PostgreSQL/8.4/lib/libxml2.so.2
(0x00002b96428c9000)
...
# ls -lZ /opt/PostgreSQL/8.4/lib/libxml2.so.2
-rwxr-xr-x  root daemon user_u:object_r:usr_t
/opt/PostgreSQL/8.4/lib/libxml2.so.2
#

I fixed this by adding "unset LD_LIBRARY_PATH" to /etc/init.d/httpd. Now we load
/usr/lib64/libxml2.so.2 which has the correct label (lib_t)

I think I'll change this by moving the LD_LIBRARY_PATH setting from /etc/profile
into the startup script for the python daemon, so I can have a vanilla
/etc/init.d/httpd

Thank you for your help!
Aleksey

_______________________________________________
Tech mailing list
[email protected]
http://lopsa.org/cgi-bin/mailman/listinfo/tech
This list provided by the League of Professional System Administrators
 http://lopsa.org/

Reply via email to