On Thu, Mar 25, 2010 at 12:49 AM, A. Kirillov nevis2us@infoline.su wrote:
CentOS 5.4 64-bit with SELinux, happily running for over a year, suddenly httpd fails to start up, getting an error message like:
Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf: Cannot load /etc/httpd/modules/libphp5.so into server: libxml2.so.2: failed to map segment from shared object: Permission denied
I turned off SELinux and was able to start httpd.
But what went wrong? And how to fix it and turn SELinux back on?
SElinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t ) and "restorecon -n libxml.so.2.6.26" does not return anything.
No recent AVC denied entries in /var/log/audit/audit.log or /var/log/messages.
OK, here's what happened:
We had added /opt/PostgreSQL/8.4/lib to LD_LIBRARY_PATH in /etc/profile as we wanted our in-house python daemon to use PostgreSQL 8.4 client as we were seeing memory leak using 8.1 but not 8.4.
Turned out there was a libxml2.so.2 in the PostgreSQL lib directory and the httpd was trying to pick it up instead of /usr/lib64/libxml2.so.2, and failing as it had a "usr_t" instead of "lib_t" label.
[root@hwd-ddc-app01-prod01 modules]# ldd /etc/httpd/modules/libphp5.so libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00002b9640e52000) libaspell.so.15 => /usr/lib64/libaspell.so.15 (0x00002b964108a000) libpspell.so.15 => /usr/lib64/libpspell.so.15 (0x00002b964135a000) libgmp.so.3 => /usr/lib64/libgmp.so.3 (0x00002b964155c000) libcurl.so.3 => /usr/lib64/libcurl.so.3 (0x00002b9641795000) libbz2.so.1 => /usr/lib64/libbz2.so.1 (0x00002b96419d2000) libz.so.1 => /usr/lib64/libz.so.1 (0x00002b9641be3000) libpcre.so.0 => /lib64/libpcre.so.0 (0x00002b9641df7000) libresolv.so.2 => /lib64/libresolv.so.2 (0x00002b9642013000) libm.so.6 => /lib64/libm.so.6 (0x00002b9642229000) libdl.so.2 => /lib64/libdl.so.2 (0x00002b96424ac000) libnsl.so.1 => /lib64/libnsl.so.1 (0x00002b96426b0000)
libxml2.so.2 => /opt/PostgreSQL/8.4/lib/libxml2.so.2 (0x00002b96428c9000) <----- our culprit
libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x00002b9642b08000) libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x00002b9642d36000) libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00002b9642fcc000) libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00002b96431f1000) libssl.so.6 => /lib64/libssl.so.6 (0x00002b96433f3000) libcrypto.so.6 => /lib64/libcrypto.so.6 (0x00002b964363e000) libidn.so.11 => /usr/lib64/libidn.so.11 (0x00002b964398f000) libc.so.6 => /lib64/libc.so.6 (0x00002b9643bc0000) libstdc++.so.6 => /usr/lib64/libstdc++.so.6 (0x00002b9643f18000) libgcc_s.so.1 => /lib64/libgcc_s.so.1 (0x00002b9644218000) /lib64/ld-linux-x86-64.so.2 (0x0000003c3e000000) libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00002b9644427000) libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00002b964462f000) libselinux.so.1 => /lib64/libselinux.so.1 (0x00002b9644832000) libsepol.so.1 => /lib64/libsepol.so.1 (0x00002b9644a4a000) [root@hwd-ddc-app01-prod01 modules]# ls -l /opt/PostgreSQL/8.4/lib/libxml2.so.2 -rwxr-xr-x 1 root daemon 4115398 Dec 10 02:41 /opt/PostgreSQL/8.4/lib/libxml2.so.2 [root@hwd-ddc-app01-prod01 modules]# ls -lZ /opt/PostgreSQL/8.4/lib/libxml2.so.2 -rwxr-xr-x root daemon user_u:object_r:usr_t /opt/PostgreSQL/8.4/lib/libxml2.so.2 [root@hwd-ddc-app01-prod01 modules]#
I fixed this by adding "unset LD_LIBRARY_PATH" to /etc/init.d/httpd. Now we load /usr/lib64/libxml2.so.2 which has the correct label (lib_t)
I think I'll change this by moving the LD_LIBRARY_PATH setting from /etc/profile into the startup script for the python daemon, so I can have a vanilla /etc/init.d/httpd
Thank you very much for your help! Aleksey