[mod_python] Apache Fails to load mod_python.so with Permission denied error under SELinux

Scott Bratcher scott at 3floors.com
Fri Feb 1 02:40:39 EST 2008 

Graham,

Great, thanks, and since it's missing...

I reinstalled python with:
# ./configure --enable-shared
# make
# make install

and then rebuilt mod_python with:
# ./configure --with-apxs=/usr/sbin/apxs --with-python=/usr/local/bin/ 
python
# make
# make install

Apache started right up. Thank you for the help in getting over that  
hump.

Now I'm getting an [500] Internal Server Error in the browser with  
this output to my apache error_logs:

[Fri Feb 01 01:12:33 2008] [notice] SELinux policy enabled; httpd  
running as context user_u:system_r:httpd_t:s0
[Fri Feb 01 01:12:33 2008] [notice] suEXEC mechanism enabled  
(wrapper: /usr/sbin/suexec)
[Fri Feb 01 01:12:34 2008] [notice] Digest: generating secret for  
digest authentication ...
[Fri Feb 01 01:12:34 2008] [notice] Digest: done
[Fri Feb 01 01:12:34 2008] [notice] mod_python: Creating 8 session  
mutexes based on 256 max processes and 0 max threads.
[Fri Feb 01 01:12:34 2008] [notice] mod_python: using  
mutex_directory /tmp
[Fri Feb 01 01:12:34 2008] [notice] Apache/2.2.3 (Red Hat) configured  
-- resuming normal operations
[Fri Feb 01 01:12:50 2008] [error] make_obcallback: could not import  
mod_python.apache.\n
ImportError: No module named mod_python.apache
[Fri Feb 01 01:12:50 2008] [error] make_obcallback: Python path being  
used "['/usr/lib/python25.zip', '/usr/lib/python2.5', '/usr/lib/ 
python2.5/plat-linux2', '/usr/lib/python2.5/lib-tk', '/usr/lib/ 
python2.5/lib-dynload', '/usr/lib/python2.5/site-packages']".
[Fri Feb 01 01:12:50 2008] [error] get_interpreter: no interpreter  
callback found.
[Fri Feb 01 01:12:50 2008] [error] [client xx.xx.xx.xx.]  
python_handler: Can't get/create interpreter.

I've looked all over the list archives to find a solution, and this  
seems like a common error output that has, at times, varied causes.  
However, I wasn't able to locate a post that solved this error for  
me. Can you point me in the right direction?

Thanks again for your help,

Scott


Just in case I've checked my SELinux related permissions and didn't  
find anything out of line. I wouldn't know what file specifically to  
check though...

-rwxr-xr-x  root  root system_u:object_r:bin_t          /usr/bin/python
-rwxr-xr-x  root  root system_u:object_r:httpd_modules_t /usr/lib/ 
httpd/modules/mod_python.so
-rwxr-xr-x  root  root system_u:object_r:bin_t          /usr/local/ 
bin/python2.5
drwxr-xr-x  root  root system_u:object_r:lib_t          /usr/local/ 
lib/python2.5/site-packages/mod_python


USING:
--
RHEL5/SELinux
Apache 2.2
Python 2.5.1
mod_pythonn 3.3.1
httpd.conf (not .htaccess)



On Jan 31, 2008, at 10:10 PM, Graham Dumpleton wrote:

> On 01/02/2008, Scott Bratcher <scott at 3floors.com> wrote:
>> Thank you for looking in, Graham,
>>
>> DEPENDENCIES:
>> # ldd /etc/httpd/modules/mod_python.so
>>          linux-gate.so.1 =>  (0x00b16000)
>>          libpthread.so.0 => /lib/libpthread.so.0 (0x00f2d000)
>>          libdl.so.2 => /lib/libdl.so.2 (0x00aa7000)
>>          libutil.so.1 => /lib/libutil.so.1 (0x00110000)
>>          libm.so.6 => /lib/libm.so.6 (0x00114000)
>>          libc.so.6 => /lib/libc.so.6 (0x00453000)
>>          /lib/ld-linux.so.2 (0x0076d000)
>>
>> SIZE:
>> # ls -fla /etc/httpd/modules/mod_python.so
>> -rwxr-xr-x 1 root root 4.1M Jan 31 01:51 /etc/httpd/modules/
>> mod_python.so*
>>
>> I'm game to reinstall python, how do I check to see if there is a
>> libpythonX.Y.so file linked to mod_python.so?
>
> It should appear in that list above.
>
> Check out notes in:
>
>   http://code.google.com/p/modwsgi/wiki/InstallationIssues
>
> This is for mod_wsgi, but it has the same issue with the Python  
> library.
>
> Graham
>
>> On Jan 31, 2008, at 6:51 PM, Graham Dumpleton wrote:
>>
>>> How big is your:
>>>
>>>   /etc/httpd/modules/mod_python.so
>>>
>>> file? If you run ldd on it, what does it output as far as  
>>> dependencies
>>> on shared libraries?
>>>
>>> One of the problems with some Python installations is that they  
>>> still
>>> do not provide a shared library and so a static library gets  
>>> embedded
>>> in mod_python.so. This results in some messy adress relocations  
>>> having
>>> to be done when mod_python.so is loaded. I am wandering whether the
>>> 'reloc' mentioned in:
>>>
>>>   cannot restore segment prot after reloc
>>>
>>> is the module loading relocations and it is having a problem with
>>> that.
>>>
>>> If there is no libpythonX.Y.so linked to mod_python.so, then  
>>> reinstall
>>> Python using --enable-shared to configure, possibly fix up missing
>>> libpythonX.Y.so symlink in Python installed config directory and  
>>> then
>>> rebuild mod_python, see if that makes a difference.
>>>
>>> Probably nothing to do with this, but if nothing else works. :-)
>>>
>>> Graham
>>>
>>> On 01/02/2008, Scott Bratcher <scott at 3floors.com> wrote:
>>>> Thanks Eric and Tom,
>>>>
>>>> Unresolved however. I did some permissions tests based on your
>>>> feedback.
>>>>
>>>>
>>>> I'm chasing this issue as though it is a permissions issue and have
>>>> identified SELinux as the hold-up. I've tried all of these  
>>>> permission
>>>> sets on the modules actual folder and the modules symlinked folder.
>>>> I did both directories just in case the permissions trickle down to
>>>> the actual files being loaded by mod_python itself:
>>>>
>>>> # chcon -R -h -u system_u -r object_r -t httpd_sys_content_t /usr/
>>>> lib/
>>>> httpd/modules /etc/httpd/modules
>>>> # chcon -R -h -u user_u -r object_r -t httpd_sys_content_t /usr/ 
>>>> lib/
>>>> httpd/modules /etc/httpd/modules
>>>> # chcon -R -h -u user_u -r object_r -t httpd_modules_t /usr/lib/
>>>> httpd/
>>>> modules /etc/httpd/modules
>>>> # chcon -R -h -u system_u -r object_r -t httpd_modules_t /usr/lib/
>>>> httpd/modules /etc/httpd/modules ((( This one is the original
>>>> permission of all apache modules)))
>>>> # chcon -R -h -u system_u -r object_r -t lib_t /usr/lib/httpd/
>>>> modules /etc/httpd/modules
>>>> # chcon -R -h -u system_u -r object_r -t shlib_t /usr/lib/httpd/
>>>> modules /etc/httpd/modules
>>>> # chcon -R -h -u system_u -r object_r -t textrel_shlib_t /usr/lib/
>>>> httpd/modules /etc/httpd/modules
>>>>
>>>> All gave this error:
>>>> ----------
>>>> # service httpd start
>>>> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/
>>>> httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/ 
>>>> python.conf:
>>>> Cannot load /etc/httpd/modules/mod_python.so into server: /etc/ 
>>>> httpd/
>>>> modules/mod_python.so: cannot restore segment prot after reloc:
>>>> Permission denied
>>>>                                                              
>>>> [FAILED]
>>>> ----------
>>>>
>>>> ---> This is the only one that gave me a different error.
>>>> ----------
>>>> # chcon -R -h -u system_u -t textrel_shlib_t /usr/lib/httpd/ 
>>>> modules /
>>>> etc/httpd/modules
>>>> # service httpd start
>>>> Starting httpd: httpd: Syntax error on line 148 of /etc/httpd/conf/
>>>> httpd.conf: Cannot load /etc/httpd/modules/mod_auth_basic.so into
>>>> server: /etc/httpd/modules/mod_auth_basic.so: cannot open shared
>>>> object file: Permission denied
>>>>                                                              
>>>> [FAILED]
>>>> ----------
>>>>
>>>>
>>>> ****AGAIN I MUST NOTE: All is solved by turning off SELinux and/or
>>>> All is solved by not loading mod_python. All other modules loaded
>>>> just fine with their original permissions which matched mod_python
>>>> exactly.
>>>>
>>>>
>>>>
>>>>
>>>> Scott
>>>>
>>>>
>>>>
>>>> On Jan 31, 2008, at 1:42 PM, Tom Stambaugh wrote:
>>>>
>>>>> The incantation that I use (for solving different problems,  
>>>>> though)
>>>>> is:
>>>>>
>>>>> chcon -R -h -t httpd_sys_content_t <filename>
>>>>>
>>>>> I think the "-R" makes it recurse to all children, and I think the
>>>>> "httpd_sys_content_t" is more permissive (though that could be
>>>>> mistaken).
>>>>> The -h causes it to apply to sym links.
>>>>>
>>>>> Afterwords, I get:
>>>>>
>>>>> #ls -lZ adminuser
>>>>> -rw-rw-r--  zeetix   zeetix   user_u:object_r:httpd_sys_content_t
>>>>> <filename>
>>>>>
>>>>> I use Fedora core3/core4 linux, so YMMV.
>>>>>
>>>>> Thx,
>>>>> Tom
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Scott Bratcher" <scott at 3floors.com>
>>>>> To: "Eric Brunson" <brunson at brunson.com>
>>>>> Cc: <mod_python at modpython.org>
>>>>> Sent: Thursday, January 31, 2008 1:47 PM
>>>>> Subject: Re: [mod_python] Apache Fails to load mod_python.so with
>>>>> Permissiondenied error under SELinux
>>>>>
>>>>>
>>>>>> Thanks Eric,
>>>>>>
>>>>>> "setenforce 0" THIS WORKED. Apache started right up
>>>>>>
>>>>>> Below are the results of my attempts as you suggested. I think
>>>>>> we are
>>>>>> onto the problem because with SELinux enforced it loads right up.
>>>>>> However, the chcon command failed to clear up the problem. I'm
>>>>>> new to
>>>>>> SELinux. Is there another possible SELinux related permission
>>>>>> that  may be
>>>>>> the solution? It's just mod_python that is giving this problem
>>>>>> even
>>>>>> though all of the others share the same t permission  
>>>>>> httpd_module.
>>>>>>
>>>>>> # ls -Zd modules
>>>>>> drwxr-xr-x  root root system_u:object_r:httpd_modules_t modules/
>>>>>>
>>>>>> So I changed the permissions:
>>>>>>
>>>>>> # chcon -t texrel_shlib_t /etc/httpd/modules/mod_python.so
>>>>>> # service httpd start
>>>>>> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/ 
>>>>>> conf/
>>>>>> httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/
>>>>>> python.conf:
>>>>>> Cannot load /etc/httpd/modules/mod_python.so into server: /etc/
>>>>>> httpd/
>>>>>> modules/mod_python.so: cannot restore segment prot after reloc:
>>>>>> Permission denied
>>>>>>                                                             
>>>>>> [FAILED]
>>>>>> # ls -Z /etc/httpd/modules/mod_python.so
>>>>>> -rwxr-xr-x  root root system_u:object_r:textrel_shlib_t /etc/ 
>>>>>> httpd/
>>>>>> modules/mod_python.so*
>>>>>>
>>>>>>
>>>>>>
>>>>>> I also tried changing the permissions of the 2.5 site-packages
>>>>>> to the
>>>>>> same permissions as the previously working 2.4 site-packages,
>>>>>> plus  the
>>>>>> other listed below, and the still Apache Failure occurs.
>>>>>>
>>>>>> # ls -Zd /usr/local/lib/python2.5/site-packages/ /usr/lib/
>>>>>> python2.4/
>>>>>> site-packages/
>>>>>> drwxr-xr-x  root root system_u:object_r:lib_t           /usr/lib/
>>>>>> python2.4/site-packages/
>>>>>> drwxr-xr-x  root root user_u:object_r:lib_t             /usr/ 
>>>>>> local/
>>>>>> lib/python2.5/site-packages/
>>>>>>
>>>>>> system_u:object_r:lib_t
>>>>>> system_u:object_r:textrel_shlib_t
>>>>>> user_u:object_r:textrel_shlib_t
>>>>>>
>>>>>>
>>>>>> If you have other tips I'd appreciate any help you can offer.
>>>>>>
>>>>>> Scott
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Jan 31, 2008, at 10:13 AM, Eric Brunson wrote:
>>>>>>
>>>>>>> Scott Bratcher wrote:
>>>>>>>> Hello all,
>>>>>>>>
>>>>>>>>
>>>>>>>> THE PROBLEM:
>>>>>>>>
>>>>>>>> Starting Apache results in this error:
>>>>>>>>
>>>>>>>> # service httpd start
>>>>>>>> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/
>>>>>>>> conf/
>>>>>>>> httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/
>>>>>>>> python.conf:
>>>>>>>> Cannot load /etc/httpd/modules/mod_python.so into  server:
>>>>>>>> /etc/httpd/modules/mod_python.so: cannot restore segment  prot
>>>>>>>> after
>>>>>>>> reloc: Permission denied
>>>>>>>>
>>>>>>>> [FAILED]
>>>>>>>>
>>>>>>>
>>>>>>> This error message is often related to selinux permissions.
>>>>>>>
>>>>>>> A quick check to see if that is the problem is to disable
>>>>>>> selinux  with
>>>>>>> the command (as root) "setenforce 0".  If the module then  loads
>>>>>>> correctly, it can be fixed permanently with the command:
>>>>>>>
>>>>>>> chcon -t texrel_shlib_t /etc/httpd/modules/mod_python.so
>>>>>>>
>>>>>>> Then, re-enable selinux with "setenforce 1".
>>>>>>>
>>>>>>> If disabling selinux does not fix the problem, then more
>>>>>>> investigation
>>>>>>> is required.
>>>>>>>
>>>>>>> Hope that helps,
>>>>>>> e.
>>>>>>>
>>>>>>>> USING:
>>>>>>>>
>>>>>>>> RHEL5 / SELinux
>>>>>>>> Apache 2.2
>>>>>>>> Python 2.5.1
>>>>>>>> mod_pythonn 3.3.1
>>>>>>>> httpd.conf (not .htaccess)
>>>>>>>>
>>>>>>>>
>>>>>>>> TESTED THUS FAR:
>>>>>>>>
>>>>>>>> .so file exists with same permissions as other modules
>>>>>>>> # ls -Z /etc/httpd/modules/mod_python.so
>>>>>>>> -rwxr-xr-x  root root system_u:object_r:httpd_modules_t /etc/
>>>>>>>> httpd/
>>>>>>>> modules/mod_python.so*
>>>>>>>>
>>>>>>>> If I comment out:
>>>>>>>> "#LoadModule python_module modules/mod_python.so"
>>>>>>>> and other related python lines Apache starts just fine without
>>>>>>>> mod_python.
>>>>>>>> # service httpd start
>>>>>>>> Starting httpd:
>>>>>>>> [  OK  ]
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> Mod_python mailing list
>>>>>> Mod_python at modpython.org
>>>>>> http://mailman.modpython.org/mailman/listinfo/mod_python
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Mod_python mailing list
>>>> Mod_python at modpython.org
>>>> http://mailman.modpython.org/mailman/listinfo/mod_python
>>>>
>>
>>

More information about the Mod_python mailing list