On Wed, 2006-02-22 at 16:41 -0800, Andrew JH Ring wrote:
I've recently set up a Fedora Core 4 web server running Apache 2.2.0 with PHP 5.1.2. I've managed to get Apache loading the module, after setting libphp5.so to shlib_t, however Apache seems to still be unable to access the module during boot. I'm getting a Cannot load libphp5 cannot restore segment prot after reloc. Is this a known problem, and if so, how is it fixed?
cc'd fedora-selinux-list as well above, since you mentioned you were using FC4.
This usually indicates a text relocation, which is undesirable if it can be avoided. The stock FC4 php doesn't appear to have any text relocations in its libphp (readelf -d libphp5.so.1 | grep TEXTREL). Possibly it has a patch to avoid the problem.
Ideally, it would be best if you could similarly patch or fix the build for PHP 5.1.2. If you truly need to allow it, then you can label the .so file with the texrel_shlib_t type (since you are using FC4, I used the old type name).
Some discussion of the SELinux memory protection tests can be found in: http://people.redhat.com/drepper/selinux-mem.html
On Thu, Feb 23, 2006 at 08:22:57AM -0500, Stephen Smalley wrote:
On Wed, 2006-02-22 at 16:41 -0800, Andrew JH Ring wrote:
I've recently set up a Fedora Core 4 web server running Apache 2.2.0 with PHP 5.1.2. I've managed to get Apache loading the module, after setting libphp5.so to shlib_t, however Apache seems to still be unable to access the module during boot. I'm getting a Cannot load libphp5 cannot restore segment prot after reloc. Is this a known problem, and if so, how is it fixed?
cc'd fedora-selinux-list as well above, since you mentioned you were using FC4.
This usually indicates a text relocation, which is undesirable if it can be avoided. The stock FC4 php doesn't appear to have any text relocations in its libphp (readelf -d libphp5.so.1 | grep TEXTREL). Possibly it has a patch to avoid the problem.
You have to pass --with-pic to configure; upstream default builds non-PIC code into the DSO by default ("it's a feature!").
joe
Joe Orton wrote:
On Thu, Feb 23, 2006 at 08:22:57AM -0500, Stephen Smalley wrote:
On Wed, 2006-02-22 at 16:41 -0800, Andrew JH Ring wrote:
I've recently set up a Fedora Core 4 web server running Apache 2.2.0 with PHP 5.1.2. I've managed to get Apache loading the module, after setting libphp5.so to shlib_t, however Apache seems to still be unable to access the module during boot. I'm getting a Cannot load libphp5 cannot restore segment prot after reloc. Is this a known problem, and if so, how is it fixed?
cc'd fedora-selinux-list as well above, since you mentioned you were using FC4.
This usually indicates a text relocation, which is undesirable if it can be avoided. The stock FC4 php doesn't appear to have any text relocations in its libphp (readelf -d libphp5.so.1 | grep TEXTREL). Possibly it has a patch to avoid the problem.
You have to pass --with-pic to configure; upstream default builds non-PIC code into the DSO by default ("it's a feature!").
joe
I'm having this same problem with a snapshot of php 5.2.2 and apache 2.2 under Fedora Core 5. I'm building PHP from the snapshot source at snaps.php.net. I'll check my PHP configure script (it's on a different machine) but I think it is passing --enable-pic to configure. Is this the same thing? Or does the option need to be --with-pic?
I'm getting a file label of:
system_u:object_r:textrel_shlib_t
in the compiled libphp5.so.
Thanks
Bob Cochran Greenbelt, Maryland, USA
On Mon, Jun 26, 2006 at 12:15:29AM -0400, Robert L Cochran wrote:
I'm having this same problem with a snapshot of php 5.2.2 and apache 2.2 under Fedora Core 5. I'm building PHP from the snapshot source at snaps.php.net. I'll check my PHP configure script (it's on a different machine) but I think it is passing --enable-pic to configure. Is this the same thing? Or does the option need to be --with-pic?
It has to be --with-pic, yes.
joe
selinux@lists.fedoraproject.org