[mod_python] Apache Fails to load mod_python.so with Permission denied error under SELinux

Graham Dumpleton graham.dumpleton at gmail.com
Fri Feb 1 02:53:00 EST 2008 

Python components of mod_python not installed, or not readable by
Apache, or access being blocked by SELinux.

Try validation checks in:

  http://www.dscpl.com.au/wiki/ModPython/Articles/GettingModPythonWorking

Graham

On 01/02/2008, Scott Bratcher <scott at 3floors.com> wrote:
> Graham,
>
> Great, thanks, and since it's missing...
>
> I reinstalled python with:
> # ./configure --enable-shared
> # make
> # make install
>
> and then rebuilt mod_python with:
> # ./configure --with-apxs=/usr/sbin/apxs --with-python=/usr/local/bin/
> python
> # make
> # make install
>
> Apache started right up. Thank you for the help in getting over that
> hump.
>
> Now I'm getting an [500] Internal Server Error in the browser with
> this output to my apache error_logs:
>
> [Fri Feb 01 01:12:33 2008] [notice] SELinux policy enabled; httpd
> running as context user_u:system_r:httpd_t:s0
> [Fri Feb 01 01:12:33 2008] [notice] suEXEC mechanism enabled
> (wrapper: /usr/sbin/suexec)
> [Fri Feb 01 01:12:34 2008] [notice] Digest: generating secret for
> digest authentication ...
> [Fri Feb 01 01:12:34 2008] [notice] Digest: done
> [Fri Feb 01 01:12:34 2008] [notice] mod_python: Creating 8 session
> mutexes based on 256 max processes and 0 max threads.
> [Fri Feb 01 01:12:34 2008] [notice] mod_python: using
> mutex_directory /tmp
> [Fri Feb 01 01:12:34 2008] [notice] Apache/2.2.3 (Red Hat) configured
> -- resuming normal operations
> [Fri Feb 01 01:12:50 2008] [error] make_obcallback: could not import
> mod_python.apache.\n
> ImportError: No module named mod_python.apache
> [Fri Feb 01 01:12:50 2008] [error] make_obcallback: Python path being
> used "['/usr/lib/python25.zip', '/usr/lib/python2.5', '/usr/lib/
> python2.5/plat-linux2', '/usr/lib/python2.5/lib-tk', '/usr/lib/
> python2.5/lib-dynload', '/usr/lib/python2.5/site-packages']".
> [Fri Feb 01 01:12:50 2008] [error] get_interpreter: no interpreter
> callback found.
> [Fri Feb 01 01:12:50 2008] [error] [client xx.xx.xx.xx.]
> python_handler: Can't get/create interpreter.
>
> I've looked all over the list archives to find a solution, and this
> seems like a common error output that has, at times, varied causes.
> However, I wasn't able to locate a post that solved this error for
> me. Can you point me in the right direction?
>
> Thanks again for your help,
>
> Scott
>
>
> Just in case I've checked my SELinux related permissions and didn't
> find anything out of line. I wouldn't know what file specifically to
> check though...
>
> -rwxr-xr-x  root  root system_u:object_r:bin_t          /usr/bin/python
> -rwxr-xr-x  root  root system_u:object_r:httpd_modules_t /usr/lib/
> httpd/modules/mod_python.so
> -rwxr-xr-x  root  root system_u:object_r:bin_t          /usr/local/
> bin/python2.5
> drwxr-xr-x  root  root system_u:object_r:lib_t          /usr/local/
> lib/python2.5/site-packages/mod_python
>
>
> USING:
> --
> RHEL5/SELinux
> Apache 2.2
> Python 2.5.1
> mod_pythonn 3.3.1
> httpd.conf (not .htaccess)
>
>
>
> On Jan 31, 2008, at 10:10 PM, Graham Dumpleton wrote:
>
> > On 01/02/2008, Scott Bratcher <scott at 3floors.com> wrote:
> >> Thank you for looking in, Graham,
> >>
> >> DEPENDENCIES:
> >> # ldd /etc/httpd/modules/mod_python.so
> >>          linux-gate.so.1 =>  (0x00b16000)
> >>          libpthread.so.0 => /lib/libpthread.so.0 (0x00f2d000)
> >>          libdl.so.2 => /lib/libdl.so.2 (0x00aa7000)
> >>          libutil.so.1 => /lib/libutil.so.1 (0x00110000)
> >>          libm.so.6 => /lib/libm.so.6 (0x00114000)
> >>          libc.so.6 => /lib/libc.so.6 (0x00453000)
> >>          /lib/ld-linux.so.2 (0x0076d000)
> >>
> >> SIZE:
> >> # ls -fla /etc/httpd/modules/mod_python.so
> >> -rwxr-xr-x 1 root root 4.1M Jan 31 01:51 /etc/httpd/modules/
> >> mod_python.so*
> >>
> >> I'm game to reinstall python, how do I check to see if there is a
> >> libpythonX.Y.so file linked to mod_python.so?
> >
> > It should appear in that list above.
> >
> > Check out notes in:
> >
> >   http://code.google.com/p/modwsgi/wiki/InstallationIssues
> >
> > This is for mod_wsgi, but it has the same issue with the Python
> > library.
> >
> > Graham
> >
> >> On Jan 31, 2008, at 6:51 PM, Graham Dumpleton wrote:
> >>
> >>> How big is your:
> >>>
> >>>   /etc/httpd/modules/mod_python.so
> >>>
> >>> file? If you run ldd on it, what does it output as far as
> >>> dependencies
> >>> on shared libraries?
> >>>
> >>> One of the problems with some Python installations is that they
> >>> still
> >>> do not provide a shared library and so a static library gets
> >>> embedded
> >>> in mod_python.so. This results in some messy adress relocations
> >>> having
> >>> to be done when mod_python.so is loaded. I am wandering whether the
> >>> 'reloc' mentioned in:
> >>>
> >>>   cannot restore segment prot after reloc
> >>>
> >>> is the module loading relocations and it is having a problem with
> >>> that.
> >>>
> >>> If there is no libpythonX.Y.so linked to mod_python.so, then
> >>> reinstall
> >>> Python using --enable-shared to configure, possibly fix up missing
> >>> libpythonX.Y.so symlink in Python installed config directory and
> >>> then
> >>> rebuild mod_python, see if that makes a difference.
> >>>
> >>> Probably nothing to do with this, but if nothing else works. :-)
> >>>
> >>> Graham
> >>>
> >>> On 01/02/2008, Scott Bratcher <scott at 3floors.com> wrote:
> >>>> Thanks Eric and Tom,
> >>>>
> >>>> Unresolved however. I did some permissions tests based on your
> >>>> feedback.
> >>>>
> >>>>
> >>>> I'm chasing this issue as though it is a permissions issue and have
> >>>> identified SELinux as the hold-up. I've tried all of these
> >>>> permission
> >>>> sets on the modules actual folder and the modules symlinked folder.
> >>>> I did both directories just in case the permissions trickle down to
> >>>> the actual files being loaded by mod_python itself:
> >>>>
> >>>> # chcon -R -h -u system_u -r object_r -t httpd_sys_content_t /usr/
> >>>> lib/
> >>>> httpd/modules /etc/httpd/modules
> >>>> # chcon -R -h -u user_u -r object_r -t httpd_sys_content_t /usr/
> >>>> lib/
> >>>> httpd/modules /etc/httpd/modules
> >>>> # chcon -R -h -u user_u -r object_r -t httpd_modules_t /usr/lib/
> >>>> httpd/
> >>>> modules /etc/httpd/modules
> >>>> # chcon -R -h -u system_u -r object_r -t httpd_modules_t /usr/lib/
> >>>> httpd/modules /etc/httpd/modules ((( This one is the original
> >>>> permission of all apache modules)))
> >>>> # chcon -R -h -u system_u -r object_r -t lib_t /usr/lib/httpd/
> >>>> modules /etc/httpd/modules
> >>>> # chcon -R -h -u system_u -r object_r -t shlib_t /usr/lib/httpd/
> >>>> modules /etc/httpd/modules
> >>>> # chcon -R -h -u system_u -r object_r -t textrel_shlib_t /usr/lib/
> >>>> httpd/modules /etc/httpd/modules
> >>>>
> >>>> All gave this error:
> >>>> ----------
> >>>> # service httpd start
> >>>> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/
> >>>> httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/
> >>>> python.conf:
> >>>> Cannot load /etc/httpd/modules/mod_python.so into server: /etc/
> >>>> httpd/
> >>>> modules/mod_python.so: cannot restore segment prot after reloc:
> >>>> Permission denied
> >>>>
> >>>> [FAILED]
> >>>> ----------
> >>>>
> >>>> ---> This is the only one that gave me a different error.
> >>>> ----------
> >>>> # chcon -R -h -u system_u -t textrel_shlib_t /usr/lib/httpd/
> >>>> modules /
> >>>> etc/httpd/modules
> >>>> # service httpd start
> >>>> Starting httpd: httpd: Syntax error on line 148 of /etc/httpd/conf/
> >>>> httpd.conf: Cannot load /etc/httpd/modules/mod_auth_basic.so into
> >>>> server: /etc/httpd/modules/mod_auth_basic.so: cannot open shared
> >>>> object file: Permission denied
> >>>>
> >>>> [FAILED]
> >>>> ----------
> >>>>
> >>>>
> >>>> ****AGAIN I MUST NOTE: All is solved by turning off SELinux and/or
> >>>> All is solved by not loading mod_python. All other modules loaded
> >>>> just fine with their original permissions which matched mod_python
> >>>> exactly.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> Scott
> >>>>
> >>>>
> >>>>
> >>>> On Jan 31, 2008, at 1:42 PM, Tom Stambaugh wrote:
> >>>>
> >>>>> The incantation that I use (for solving different problems,
> >>>>> though)
> >>>>> is:
> >>>>>
> >>>>> chcon -R -h -t httpd_sys_content_t <filename>
> >>>>>
> >>>>> I think the "-R" makes it recurse to all children, and I think the
> >>>>> "httpd_sys_content_t" is more permissive (though that could be
> >>>>> mistaken).
> >>>>> The -h causes it to apply to sym links.
> >>>>>
> >>>>> Afterwords, I get:
> >>>>>
> >>>>> #ls -lZ adminuser
> >>>>> -rw-rw-r--  zeetix   zeetix   user_u:object_r:httpd_sys_content_t
> >>>>> <filename>
> >>>>>
> >>>>> I use Fedora core3/core4 linux, so YMMV.
> >>>>>
> >>>>> Thx,
> >>>>> Tom
> >>>>>
> >>>>> ----- Original Message -----
> >>>>> From: "Scott Bratcher" <scott at 3floors.com>
> >>>>> To: "Eric Brunson" <brunson at brunson.com>
> >>>>> Cc: <mod_python at modpython.org>
> >>>>> Sent: Thursday, January 31, 2008 1:47 PM
> >>>>> Subject: Re: [mod_python] Apache Fails to load mod_python.so with
> >>>>> Permissiondenied error under SELinux
> >>>>>
> >>>>>
> >>>>>> Thanks Eric,
> >>>>>>
> >>>>>> "setenforce 0" THIS WORKED. Apache started right up
> >>>>>>
> >>>>>> Below are the results of my attempts as you suggested. I think
> >>>>>> we are
> >>>>>> onto the problem because with SELinux enforced it loads right up.
> >>>>>> However, the chcon command failed to clear up the problem. I'm
> >>>>>> new to
> >>>>>> SELinux. Is there another possible SELinux related permission
> >>>>>> that  may be
> >>>>>> the solution? It's just mod_python that is giving this problem
> >>>>>> even
> >>>>>> though all of the others share the same t permission
> >>>>>> httpd_module.
> >>>>>>
> >>>>>> # ls -Zd modules
> >>>>>> drwxr-xr-x  root root system_u:object_r:httpd_modules_t modules/
> >>>>>>
> >>>>>> So I changed the permissions:
> >>>>>>
> >>>>>> # chcon -t texrel_shlib_t /etc/httpd/modules/mod_python.so
> >>>>>> # service httpd start
> >>>>>> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/
> >>>>>> conf/
> >>>>>> httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/
> >>>>>> python.conf:
> >>>>>> Cannot load /etc/httpd/modules/mod_python.so into server: /etc/
> >>>>>> httpd/
> >>>>>> modules/mod_python.so: cannot restore segment prot after reloc:
> >>>>>> Permission denied
> >>>>>>
> >>>>>> [FAILED]
> >>>>>> # ls -Z /etc/httpd/modules/mod_python.so
> >>>>>> -rwxr-xr-x  root root system_u:object_r:textrel_shlib_t /etc/
> >>>>>> httpd/
> >>>>>> modules/mod_python.so*
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> I also tried changing the permissions of the 2.5 site-packages
> >>>>>> to the
> >>>>>> same permissions as the previously working 2.4 site-packages,
> >>>>>> plus  the
> >>>>>> other listed below, and the still Apache Failure occurs.
> >>>>>>
> >>>>>> # ls -Zd /usr/local/lib/python2.5/site-packages/ /usr/lib/
> >>>>>> python2.4/
> >>>>>> site-packages/
> >>>>>> drwxr-xr-x  root root system_u:object_r:lib_t           /usr/lib/
> >>>>>> python2.4/site-packages/
> >>>>>> drwxr-xr-x  root root user_u:object_r:lib_t             /usr/
> >>>>>> local/
> >>>>>> lib/python2.5/site-packages/
> >>>>>>
> >>>>>> system_u:object_r:lib_t
> >>>>>> system_u:object_r:textrel_shlib_t
> >>>>>> user_u:object_r:textrel_shlib_t
> >>>>>>
> >>>>>>
> >>>>>> If you have other tips I'd appreciate any help you can offer.
> >>>>>>
> >>>>>> Scott
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>> On Jan 31, 2008, at 10:13 AM, Eric Brunson wrote:
> >>>>>>
> >>>>>>> Scott Bratcher wrote:
> >>>>>>>> Hello all,
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> THE PROBLEM:
> >>>>>>>>
> >>>>>>>> Starting Apache results in this error:
> >>>>>>>>
> >>>>>>>> # service httpd start
> >>>>>>>> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/
> >>>>>>>> conf/
> >>>>>>>> httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/
> >>>>>>>> python.conf:
> >>>>>>>> Cannot load /etc/httpd/modules/mod_python.so into  server:
> >>>>>>>> /etc/httpd/modules/mod_python.so: cannot restore segment  prot
> >>>>>>>> after
> >>>>>>>> reloc: Permission denied
> >>>>>>>>
> >>>>>>>> [FAILED]
> >>>>>>>>
> >>>>>>>
> >>>>>>> This error message is often related to selinux permissions.
> >>>>>>>
> >>>>>>> A quick check to see if that is the problem is to disable
> >>>>>>> selinux  with
> >>>>>>> the command (as root) "setenforce 0".  If the module then  loads
> >>>>>>> correctly, it can be fixed permanently with the command:
> >>>>>>>
> >>>>>>> chcon -t texrel_shlib_t /etc/httpd/modules/mod_python.so
> >>>>>>>
> >>>>>>> Then, re-enable selinux with "setenforce 1".
> >>>>>>>
> >>>>>>> If disabling selinux does not fix the problem, then more
> >>>>>>> investigation
> >>>>>>> is required.
> >>>>>>>
> >>>>>>> Hope that helps,
> >>>>>>> e.
> >>>>>>>
> >>>>>>>> USING:
> >>>>>>>>
> >>>>>>>> RHEL5 / SELinux
> >>>>>>>> Apache 2.2
> >>>>>>>> Python 2.5.1
> >>>>>>>> mod_pythonn 3.3.1
> >>>>>>>> httpd.conf (not .htaccess)
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> TESTED THUS FAR:
> >>>>>>>>
> >>>>>>>> .so file exists with same permissions as other modules
> >>>>>>>> # ls -Z /etc/httpd/modules/mod_python.so
> >>>>>>>> -rwxr-xr-x  root root system_u:object_r:httpd_modules_t /etc/
> >>>>>>>> httpd/
> >>>>>>>> modules/mod_python.so*
> >>>>>>>>
> >>>>>>>> If I comment out:
> >>>>>>>> "#LoadModule python_module modules/mod_python.so"
> >>>>>>>> and other related python lines Apache starts just fine without
> >>>>>>>> mod_python.
> >>>>>>>> # service httpd start
> >>>>>>>> Starting httpd:
> >>>>>>>> [  OK  ]
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>> _______________________________________________
> >>>>>> Mod_python mailing list
> >>>>>> Mod_python at modpython.org
> >>>>>> http://mailman.modpython.org/mailman/listinfo/mod_python
> >>>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>
> >>>> _______________________________________________
> >>>> Mod_python mailing list
> >>>> Mod_python at modpython.org
> >>>> http://mailman.modpython.org/mailman/listinfo/mod_python
> >>>>
> >>
> >>
>
>

More information about the Mod_python mailing list