CentOS - Mar 2010 - httpd stopped working under SELinux so I had to turn SELinux off. libxml2.so.2: failed to map segment from shared object: Permission denied

Hi.

CentOS 5.4 64-bit with SELinux, happily running for over a year, suddenly
httpd fails to start up, getting an error message like:

Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf:
Cannot load /etc/httpd/modules/libphp5.so into server: libxml2.so.2:
failed to map segment from shared object: Permission denied

I turned off SELinux and was able to start httpd.

But what went wrong?  And how to fix it and turn SELinux back on?

SElinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t )
and "restorecon -n libxml.so.2.6.26" does not return anything.

No recent AVC denied entries in /var/log/audit/audit.log or /var/log/messages.

I googled the above error message but all I could find were web pages in Chinese
advising to run restorecon on libxml2.so file or turn off SElinux.

Any suggestions?

Thanks
Aleksey

On Wed, Mar 24, 2010 at 10:49 PM, Aleksey Tsalolikhin
<atsaloli.tech at gmail.com> wrote:
> Hi.
>
> CentOS 5.4 64-bit with SELinux, happily running for over a year, suddenly
> httpd fails to start up, getting an error message like:
>
> Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf:
> Cannot load /etc/httpd/modules/libphp5.so into server: libxml2.so.2:
> failed to map segment from shared object: Permission denied
>
> I turned off SELinux and was able to start httpd.
>
> But what went wrong? ?And how to fix it and turn SELinux back on?
>
> SElinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t )
> and "restorecon -n libxml.so.2.6.26" does not return anything.
>
> No recent AVC denied entries in /var/log/audit/audit.log or
/var/log/messages.
>
> I googled the above error message but all I could find were web pages in
Chinese
> advising to run restorecon on libxml2.so file or turn off SElinux.
>
There was a thread awhile back:
http://lists.centos.org/pipermail/centos/2010-January/088551.html

Sounds like similar issues..  No AVC denials but blocking...
> Thanks
> Aleksey
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>

On 03/25/2010 01:49 PM, Aleksey Tsalolikhin wrote:
> CentOS 5.4 64-bit with SELinux, happily running for over a year, suddenly
> httpd fails to start up, getting an error message like:
> ...
> I turned off SELinux and was able to start httpd.
> 
> But what went wrong?  And how to fix it and turn SELinux back on?
What went wrong?  You might want to start by getting a bound on _when_
it went wrong.  When was the last time you successfully started httpd?
The problem happened sometime after that.  Look in your logs for any
suspicious events.  Check /var/log/yum.log.  Any new packages?  Did a
yum transaction fail (postinstall might be tinkering with SElinux)?
Try "yum-complete-transaction".  Any configuration changes since then?
> Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf:
> Cannot load /etc/httpd/modules/libphp5.so into server: libxml2.so.2:
> failed to map segment from shared object: Permission denied
Might want to try "restorecon -rv /etc/httpd" as well.

Kal
-- 
Kahlil (Kal) Hodgson                       GPG: C37B01F4
Head of Technology                         (m) +61 (0) 4 2573 0382
DealMax Pty Ltd                            (w) +61 (0) 3 9008 5281

Suite 1005
401 Docklands Drive
Docklands VIC 3008 Australia

"All parts should go together without forcing.  You must remember that
the parts you are reassembling were disassembled by you.  Therefore,
if you can't get them together again, there must be a reason.  By all
means, do not use a hammer."  -- IBM maintenance manual, 1925

> CentOS 5.4 64-bit with SELinux, happily running for over a year, suddenly
> httpd fails to start up, getting an error message like:
> 
> Starting httpd: Syntax error on line X of /etc/httpd/conf.d/php.conf:
> Cannot load /etc/httpd/modules/libphp5.so into server: libxml2.so.2:
> failed to map segment from shared object: Permission denied
> 
> I turned off SELinux and was able to start httpd.
> 
> But what went wrong?  And how to fix it and turn SELinux back on?
> 
> SElinux labels on libxml.so.2.6.26 are OK ( system_u:object_r:lib_t )
> and "restorecon -n libxml.so.2.6.26" does not return anything.
> 
> No recent AVC denied entries in /var/log/audit/audit.log or
/var/log/messages.
Try to turn off the dontaudit rules for domains
that are in the base policy:

semodule -b /usr/share/selinux/targeted/enableaudit.pp

Then you might see the denials in the logs and fix the problem
in your local policy.

HTH