Apache cannot restore segment prot after reloc

Problem

I got the following error message after trying to run apachectl start after installing PHP and the Apache httpd server:

Syntax error on line 232 of /usr/local/apache2/conf/httpd.conf:
Cannot load /usr/local/apache2/modules/libphp5.so into server:
/usr/local/apache2/modules/libphp5.so: cannot restore segment prot after reloc: Permission denied

Again, this was immediately after installing Apache and then PHP from source code distributions, and I had no problems while compiling and installing the code (i.e., running configure, make, and make install).

Solution

The short answer is that I had to run the following command to fix this problem:

chcon -t textrel_shlib_t '/usr/local/apache2/modules/libphp5.so'

The longer answer is that I found that solution waiting for me on my CentOS console. I was trying to install and start Apache via a remote SSH connection, and when I just happened to walk into the room where the server was located, I saw the following message on my CentOS Linux console.

The console message

(I found this error message waiting for me on the CentOS Linux console)

Summary:

SELinux is preventing httpd from loading /usr/local/apache2/modules/libphp5.so
which requires text relocation.

Detailed Description:

The httpd application attempted to load /usr/local/apache2/modules/libphp5.so
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/local/apache2/modules/libphp5.so to use relocation as a workaround, until
the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/local/apache2/modules/libphp5.so to run correctly, you can
change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/local/apache2/modules/libphp5.so'" You must also change the default file
context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t textrel_shlib_t
'/usr/local/apache2/modules/libphp5.so'"

The following command will allow this access:

chcon -t textrel_shlib_t '/usr/local/apache2/modules/libphp5.so'

Additional Information:

Source Context                root:system_r:unconfined_t:SystemLow-SystemHigh
Target Context                root:object_r:usr_t
Target Objects                /usr/local/apache2/modules/libphp5.so [ file ]
Source                        httpd
Source Path                   /usr/local/apache2/bin/httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-128.el5 #1 SMP
                              Wed Jan 21 10:44:23 EST 2009 i686 i686
Alert Count                   4
First Seen                    Sat 18 Jul 2009 12:07:26 PM EDT
Last Seen                     Sat 18 Jul 2009 12:14:37 PM EDT
Local ID                      f181d0f5-968f-4116-8c27-36b9cc21ec41
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1247933677.642:205): avc:  denied  { execmod } for  pid=21653 comm="httpd" path="/usr/local/apache2/modules/libphp5.so" dev=dm-0 ino=31039616 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:usr_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1247933677.642:205): arch=40000003 syscall=125 success=no exit=-13 a0=ed4000 a1=41e000 a2=5 a3=bfaca2c0 items=0 ppid=21651 pid=21653 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=26 comm="httpd" exe="/usr/local/apache2/bin/httpd" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)

I tried to highlight the important lines in that text. Again, the solution involved running the chcon command I showed earlier.
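The two raw audit records above explain the Apache error on their own once they are decoded together. The following is an added example, not part of the original post: it pairs the AVC and SYSCALL records by event ID and decodes the denied call. It assumes the i386 audit values (arch=40000003, syscall 125 is mprotect) and the standard PROT_* flag bits, none of which are spelled out on this page.

```python
import re

# The two raw audit records from the console message above, trimmed to the
# fields this example reads.
AVC = ('type=AVC msg=audit(1247933677.642:205): avc:  denied  { execmod } for  '
       'pid=21653 comm="httpd" path="/usr/local/apache2/modules/libphp5.so" '
       'scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 '
       'tcontext=root:object_r:usr_t:s0 tclass=file')
SYSCALL = ('type=SYSCALL msg=audit(1247933677.642:205): arch=40000003 syscall=125 '
           'success=no exit=-13 a0=ed4000 a1=41e000 a2=5 a3=bfaca2c0 '
           'comm="httpd" exe="/usr/local/apache2/bin/httpd"')

PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
I386_MPROTECT = ("40000003", "125")  # assumption: AUDIT_ARCH_I386, mprotect on i386
EACCES = -13                         # "Permission denied" in the Apache error

def fields(record):
    """Split an audit record into key=value pairs, unquoting string values."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}

def event_id(record):
    """Return the 'timestamp:serial' that ties the records of one event together."""
    m = re.search(r'msg=audit\(([\d.]+:\d+)\)', record)
    return m.group(1) if m else None

def explain(avc, syscall):
    """Correlate an execmod AVC denial with its mprotect SYSCALL record."""
    if event_id(avc) is None or event_id(avc) != event_id(syscall):
        return None                  # records belong to different events
    perms = re.search(r'denied\s+\{([^}]*)\}', avc)
    if not perms or "execmod" not in perms.group(1).split():
        return None                  # some other denial, not text relocation
    a, s = fields(avc), fields(syscall)
    if (s.get("arch"), s.get("syscall")) != I386_MPROTECT:
        return None
    prot = int(s["a2"], 16)          # audit logs syscall arguments in hex
    return {
        "path": a["path"],
        "target_type": a["tcontext"].split(":")[2],
        "start": hex(int(s["a0"], 16)), "length": hex(int(s["a1"], 16)),
        "prot": [name for bit, name in PROT.items() if prot & bit],
        "eacces": int(s["exit"]) == EACCES,
    }

if __name__ == "__main__":
    print(explain(AVC, SYSCALL))
```

The result shows the loader asking to set a region of libphp5.so back to read and execute after relocating it, and SELinux refusing because the file is labeled usr_t. That label is what the chcon command changes to textrel_shlib_t, and the semanage fcontext command quoted in the console message is what keeps the label across a full relabel.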