selinux broke httpd: libxml2.so.2: failed to map segment from shared object: Permission denied
Daniel J Walsh
dwalsh at redhat.com
Thu Mar 25 12:18:26 UTC 2010
On 03/24/2010 10:57 PM, Aleksey Tsalolikhin wrote:
> Hi. httpd used to work but now does not start up.
>
> Error message:
>
> Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf:
> Cannot load /etc/httpd/modules/libphp5.so into server:
> libxml2.so.2: failed to map segment from shared object: Permission
> denied
>
> I can start httpd if I turn off SELinux, but I want to figure this out
> and re-enable SELinux.
>
>
> SELinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t )
> and "restorecon -n libxml.so.2.6.26" does not return anything so the
> labels match default. (libxml.so.2 is a symlink to 2.6.26)
>
> No recent AVC denied entries in /var/log/audit/audit.log or
> /var/log/messages. (One did not get logged when I tried to start httpd
> and failed.)
>
> I googled the above error message but all I could find were web pages in Chinese
> advising to run restorecon on libxml2.so file or turn off SELinux.
>
> Any suggestions on how to investigate this?
>
> Thanks,
> Aleksey
>
I would suspect you have an execmod problem.
Look at
http://people.redhat.com/~drepper/selinux-mem.html
SELinux will allow a badly built library to be loaded by changing its
context to textrel_shlib_t.
You could try
chcon -t textrel_shlib_t libxml.so.2.6.26
And see if SELinux allows the access.
If you are getting no avc messages they could be dontaudited. Although
I would be surprised.
# semodule -DB
Will turn off the dontaudit rules. This will generate AVC messages for
all blocked access.
You can turn the rules back on by executing
# semodule -B
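
Added example (not part of the original message and not code from any SELinux tool): once "semodule -DB" has made the denials visible, a filter like this picks the execmod AVC records out of audit log text and prints the process, the file and the file's SELinux type. The function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list execmod AVC denials found in audit records on stdin.
# Prints one line per denial: "<comm> <path> <target type>".
# Real use (as root): execmod_denials < /var/log/audit/audit.log

execmod_denials() {
    awk '
    # Return the value of a name=value token on the current record.
    function field(name,   i, v) {
        for (i = 1; i <= NF; i++) {
            if (index($i, name "=") == 1) {
                v = substr($i, length(name) + 2)
                gsub(/"/, "", v)
                return v
            }
        }
        return "?"
    }
    /type=AVC/ && /denied/ {
        # The denied permissions sit between the braces.
        if (!match($0, /[{][^}]*[}]/)) next
        perms = " " substr($0, RSTART + 1, RLENGTH - 2) " "
        if (index(perms, " execmod ") == 0) next
        # tcontext is user:role:type[:level]; the third part is the type.
        n = split(field("tcontext"), part, ":")
        ttype = (n >= 3) ? part[3] : "?"
        print field("comm"), field("path"), ttype
    }'
}

# Constructed sample records (not taken from the poster's system).
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1269519506.101:411): avc:  denied  { execmod } for  pid=2345 comm="httpd" path="/usr/lib/libxml2.so.2.6.26" dev=dm-0 ino=123456 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1269519506.105:412): avc:  denied  { getattr } for  pid=2345 comm="httpd" path="/var/www/html/index.php" dev=dm-0 ino=98765 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1269519506.101:411): arch=40000003 syscall=125 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
EOF
}

sample_log | execmod_denials
```

A line such as "httpd /usr/lib/libxml2.so.2.6.26 lib_t" means httpd was refused execmod on a file still labeled lib_t, which is the case the textrel_shlib_t relabel above addresses.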