7:22 a.m.
On Wed, 2006-02-22 at 16:41 -0800, Andrew JH Ring wrote:
I've recently set up a Fedora Core 4 web server running Apache
2.2.0
with PHP 5.1.2. I've managed to get Apache loading the module, after
setting libphp5.so to shlib_t, however Apache seems to still be unable
to access the module during boot. I'm getting a Cannot load libphp5
cannot restore segment prot after reloc. Is this a known problem, and
if so, how is it fixed?
cc'd fedora-selinux-list as well above, since you mentioned you were
using FC4.
This usually indicates a text relocation, which is undesirable if it can
be avoided. The stock FC4 php doesn't appear to have any text
relocations in its libphp (readelf -d libphp5.so.1 | grep TEXTREL).
Possibly it has a patch to avoid the problem.
Ideally, it would be best if you could similarly patch or fix the build
for PHP 5.1.2. If you truly need to allow it, then you can label
the .so file with the texrel_shlib_t type (since you are using FC4, I
used the old type name).
Some discussion of the SELinux memory protection tests can be found in:
http://people.redhat.com/drepper/selinux-mem.html
--
Stephen Smalley
National Security Agency
8:42 a.m.
New subject: Apache/PHP module boot restriction?
On Thu, Feb 23, 2006 at 08:22:57AM -0500, Stephen Smalley wrote:
On Wed, 2006-02-22 at 16:41 -0800, Andrew JH Ring wrote:
> I've recently set up a Fedora Core 4 web server running Apache 2.2.0
> with PHP 5.1.2. I've managed to get Apache loading the module, after
> setting libphp5.so to shlib_t, however Apache seems to still be unable
> to access the module during boot. I'm getting a Cannot load libphp5
> cannot restore segment prot after reloc. Is this a known problem, and
> if so, how is it fixed?
cc'd fedora-selinux-list as well above, since you mentioned you were
using FC4.
This usually indicates a text relocation, which is undesirable if it can
be avoided. The stock FC4 php doesn't appear to have any text
relocations in its libphp (readelf -d libphp5.so.1 | grep TEXTREL).
Possibly it has a patch to avoid the problem.
You have to pass --with-pic to configure; upstream default builds
non-PIC code into the DSO by default ("it's a feature!").
joe
11:15 p.m.
New subject: Apache/PHP module boot restriction?
Joe Orton wrote:
On Thu, Feb 23, 2006 at 08:22:57AM -0500, Stephen Smalley wrote:
>On Wed, 2006-02-22 at 16:41 -0800, Andrew JH Ring wrote:
>
>
>>I've recently set up a Fedora Core 4 web server running Apache 2.2.0
>>with PHP 5.1.2. I've managed to get Apache loading the module, after
>>setting libphp5.so to shlib_t, however Apache seems to still be unable
>>to access the module during boot. I'm getting a Cannot load libphp5
>>cannot restore segment prot after reloc. Is this a known problem, and
>>if so, how is it fixed?
>>
>>
>cc'd fedora-selinux-list as well above, since you mentioned you were
>using FC4.
>
>This usually indicates a text relocation, which is undesirable if it can
>be avoided. The stock FC4 php doesn't appear to have any text
>relocations in its libphp (readelf -d libphp5.so.1 | grep TEXTREL).
>Possibly it has a patch to avoid the problem.
>
>
You have to pass --with-pic to configure; upstream default builds
non-PIC code into the DSO by default ("it's a feature!").
joe
I'm having this same problem with a snapshot of php 5.2.2 and apache 2.2
under Fedora Core 5. I'm building PHP from the snapshot source at
snaps.php.net. I'll check my PHP configure script (it's on a different
machine) but I think it is passing --enable-pic to configure. Is this
the same thing? Or does the option need to be --with-pic?
I'm getting a file label of:
system_u:object_r:textrel_shlib_t
in the compiled libphp5.so.
Thanks
Bob Cochran
Greenbelt, Maryland, USA
6:11 a.m.
New subject: Apache/PHP module boot restriction?
On Mon, Jun 26, 2006 at 12:15:29AM -0400, Robert L Cochran wrote:
I'm having this same problem with a snapshot of php 5.2.2 and
apache 2.2
under Fedora Core 5. I'm building PHP from the snapshot source at
snaps.php.net. I'll check my PHP configure script (it's on a different
machine) but I think it is passing --enable-pic to configure. Is this
the same thing? Or does the option need to be --with-pic?
It has to be --with-pic, yes.
joe
6507
days inactive
6630
days old
selinux@lists.fedoraproject.org
3 comments
3 participants
participants (3)
-
Joe Orton -
Robert L Cochran -
Stephen Smalley