Apache cannot restore segment prot after reloc


I got the following error message after trying to run apachectl start after installing PHP and the Apache httpd server:

Syntax error on line 232 of /usr/local/apache2/conf/httpd.conf:
Cannot load /usr/local/apache2/modules/libphp5.so into server:
/usr/local/apache2/modules/libphp5.so: cannot restore segment prot after reloc: Permission denied

Again, this was immediately after installing Apache and then PHP from source code distributions, and I had no problems while compiling and installing the code (i.e., running configure, make, and make install).


The short answer is that I had to run the following command to fix this problem:

chcon -t textrel_shlib_t '/usr/local/apache2/modules/libphp5.so'

The longer answer is that I found that solution waiting for me on my CentOS console. I was trying to install and start Apache via a remote SSH connection, and when I just happened to walk into the room where the server was located, I saw the following message on my CentOS Linux console.

The console message

(I found this error message waiting for me on the CentOS Linux console)


SELinux is preventing httpd from loading /usr/local/apache2/modules/libphp5.so
which requires text relocation.

Detailed Description:

The httpd application attempted to load /usr/local/apache2/modules/libphp5.so
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/local/apache2/modules/libphp5.so to use relocation as a workaround, until
the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/local/apache2/modules/libphp5.so to run correctly, you can
change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/local/apache2/modules/libphp5.so'" You must also change the default file
context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t textrel_shlib_t

The following command will allow this access:

chcon -t textrel_shlib_t '/usr/local/apache2/modules/libphp5.so'

Additional Information:

Source Context                root:system_r:unconfined_t:SystemLow-SystemHigh
Target Context                root:object_r:usr_t
Target Objects                /usr/local/apache2/modules/libphp5.so [ file ]
Source                        httpd
Source Path                   /usr/local/apache2/bin/httpd
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-128.el5 #1 SMP
                              Wed Jan 21 10:44:23 EST 2009 i686 i686
Alert Count                   4
First Seen                    Sat 18 Jul 2009 12:07:26 PM EDT
Last Seen                     Sat 18 Jul 2009 12:14:37 PM EDT
Local ID                      f181d0f5-968f-4116-8c27-36b9cc21ec41
Line Numbers

Raw Audit Messages

host=localhost.localdomain type=AVC msg=audit(1247933677.642:205): avc:  denied  { execmod } for  pid=21653 comm="httpd" path="/usr/local/apache2/modules/libphp5.so" dev=dm-0 ino=31039616 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:usr_t:s0 tclass=file

host=localhost.localdomain type=SYSCALL msg=audit(1247933677.642:205): arch=40000003 syscall=125 success=no exit=-13 a0=ed4000 a1=41e000 a2=5 a3=bfaca2c0 items=0 ppid=21651 pid=21653 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=26 comm="httpd" exe="/usr/local/apache2/bin/httpd" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)

I tried to highlight the important lines in that text. Again, the solution involved running the chcon command I showed earlier.
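
The following Python is an added example, not code from the original post. It pairs the AVC and SYSCALL records shown above by their audit event id and decodes the denied call, which shows that the loader's "cannot restore segment prot after reloc" failure is an mprotect() to PROT_READ|PROT_EXEC rejected with EACCES. The function names are my own, and the syscall decoding assumes i386 (arch=40000003), as in this log.

```python
import errno
import re

# Sample input: the two raw audit records quoted on this page (same event id).
SAMPLE = [
    'host=localhost.localdomain type=AVC msg=audit(1247933677.642:205): avc:  denied  { execmod } for  pid=21653 comm="httpd" path="/usr/local/apache2/modules/libphp5.so" dev=dm-0 ino=31039616 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=root:object_r:usr_t:s0 tclass=file',
    'host=localhost.localdomain type=SYSCALL msg=audit(1247933677.642:205): arch=40000003 syscall=125 success=no exit=-13 a0=ed4000 a1=41e000 a2=5 a3=bfaca2c0 items=0 ppid=21651 pid=21653 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=26 comm="httpd" exe="/usr/local/apache2/bin/httpd" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
]

EVENT = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"denied\s+\{([^}]*)\}")
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
I386_ARCH, NR_MPROTECT = "40000003", "125"  # AUDIT_ARCH_I386; mprotect on i386


def parse(line):
    """Return (record type, event id, fields) for one audit line, or None."""
    m = EVENT.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    p = PERMS.search(line)
    fields["perms"] = p.group(1).split() if p else []
    return m.group(1), m.group(2), fields


def execmod_denials(lines):
    """Group records by event id and describe each execmod denial."""
    events = {}
    for line in lines:
        rec = parse(line)
        if rec:
            events.setdefault(rec[1], {})[rec[0]] = rec[2]
    out = []
    for eid, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "execmod" not in avc["perms"]:
            continue
        item = {"event": eid, "comm": avc.get("comm"), "path": avc.get("path"),
                "target_type": avc.get("tcontext", "::").split(":")[2]}
        if sc.get("arch") == I386_ARCH and sc.get("syscall") == NR_MPROTECT:
            bits = int(sc["a2"], 16)  # audit logs syscall arguments in hex
            item["call"] = "mprotect"
            item["prot"] = "|".join(n for b, n in PROT.items() if bits & b)
            item["errno"] = errno.errorcode.get(-int(sc["exit"]))
        out.append(item)
    return out
```

The target_type field it reports (usr_t here) is the label that the chcon command replaces with textrel_shlib_t.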