|
Scott Bratcher
scott at 3floors.com
Thu Jan 31 19:28:58 EST 2008
Thanks Eric and Tom,
Unresolved however. I did some permissions tests based on your feedback.
I'm chasing this issue as though it is a permissions issue and have
identified SELinux as the hold-up. I've tried all of these permission
sets on the modules actual folder and the modules symlinked folder.
I did both directories just in case the permissions trickle down to
the actual files being loaded by mod_python itself:
# chcon -R -h -u system_u -r object_r -t httpd_sys_content_t /usr/lib/
httpd/modules /etc/httpd/modules
# chcon -R -h -u user_u -r object_r -t httpd_sys_content_t /usr/lib/
httpd/modules /etc/httpd/modules
# chcon -R -h -u user_u -r object_r -t httpd_modules_t /usr/lib/httpd/
modules /etc/httpd/modules
# chcon -R -h -u system_u -r object_r -t httpd_modules_t /usr/lib/
httpd/modules /etc/httpd/modules ((( This one is the original
permission of all apache modules)))
# chcon -R -h -u system_u -r object_r -t lib_t /usr/lib/httpd/
modules /etc/httpd/modules
# chcon -R -h -u system_u -r object_r -t shlib_t /usr/lib/httpd/
modules /etc/httpd/modules
# chcon -R -h -u system_u -r object_r -t textrel_shlib_t /usr/lib/
httpd/modules /etc/httpd/modules
All gave this error:
----------
# service httpd start
Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/
httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/python.conf:
Cannot load /etc/httpd/modules/mod_python.so into server: /etc/httpd/
modules/mod_python.so: cannot restore segment prot after reloc:
Permission denied
[FAILED]
----------
---> This is the only one that gave me a different error.
----------
# chcon -R -h -u system_u -t textrel_shlib_t /usr/lib/httpd/modules /
etc/httpd/modules
# service httpd start
Starting httpd: httpd: Syntax error on line 148 of /etc/httpd/conf/
httpd.conf: Cannot load /etc/httpd/modules/mod_auth_basic.so into
server: /etc/httpd/modules/mod_auth_basic.so: cannot open shared
object file: Permission denied
[FAILED]
----------
****AGAIN I MUST NOTE: All is solved by turning off SELinux and/or
All is solved by not loading mod_python. All other modules loaded
just fine with their original permissions which matched mod_python
exactly.
Scott
On Jan 31, 2008, at 1:42 PM, Tom Stambaugh wrote:
> The incantation that I use (for solving different problems, though)
> is:
>
> chcon -R -h -t httpd_sys_content_t <filename>
>
> I think the "-R" makes it recurse to all children, and I think the
> "httpd_sys_content_t" is more permissive (though that could be
> mistaken).
> The -h causes it to apply to sym links.
>
> Afterwords, I get:
>
> #ls -lZ adminuser
> -rw-rw-r-- zeetix zeetix user_u:object_r:httpd_sys_content_t
> <filename>
>
> I use Fedora core3/core4 linux, so YMMV.
>
> Thx,
> Tom
>
> ----- Original Message -----
> From: "Scott Bratcher" <scott at 3floors.com>
> To: "Eric Brunson" <brunson at brunson.com>
> Cc: <mod_python at modpython.org>
> Sent: Thursday, January 31, 2008 1:47 PM
> Subject: Re: [mod_python] Apache Fails to load mod_python.so with
> Permissiondenied error under SELinux
>
>
>> Thanks Eric,
>>
>> "setenforce 0" THIS WORKED. Apache started right up
>>
>> Below are the results of my attempts as you suggested. I think we are
>> onto the problem because with SELinux enforced it loads right up.
>> However, the chcon command failed to clear up the problem. I'm new to
>> SELinux. Is there another possible SELinux related permission
>> that may be
>> the solution? It's just mod_python that is giving this problem even
>> though all of the others share the same t permission httpd_module.
>>
>> # ls -Zd modules
>> drwxr-xr-x root root system_u:object_r:httpd_modules_t modules/
>>
>> So I changed the permissions:
>>
>> # chcon -t texrel_shlib_t /etc/httpd/modules/mod_python.so
>> # service httpd start
>> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/
>> httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/python.conf:
>> Cannot load /etc/httpd/modules/mod_python.so into server: /etc/httpd/
>> modules/mod_python.so: cannot restore segment prot after reloc:
>> Permission denied
>> [FAILED]
>> # ls -Z /etc/httpd/modules/mod_python.so
>> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /etc/httpd/
>> modules/mod_python.so*
>>
>>
>>
>> I also tried changing the permissions of the 2.5 site-packages to the
>> same permissions as the previously working 2.4 site-packages,
>> plus the
>> other listed below, and the still Apache Failure occurs.
>>
>> # ls -Zd /usr/local/lib/python2.5/site-packages/ /usr/lib/python2.4/
>> site-packages/
>> drwxr-xr-x root root system_u:object_r:lib_t /usr/lib/
>> python2.4/site-packages/
>> drwxr-xr-x root root user_u:object_r:lib_t /usr/local/
>> lib/python2.5/site-packages/
>>
>> system_u:object_r:lib_t
>> system_u:object_r:textrel_shlib_t
>> user_u:object_r:textrel_shlib_t
>>
>>
>> If you have other tips I'd appreciate any help you can offer.
>>
>> Scott
>>
>>
>>
>> On Jan 31, 2008, at 10:13 AM, Eric Brunson wrote:
>>
>>> Scott Bratcher wrote:
>>>> Hello all,
>>>>
>>>>
>>>> THE PROBLEM:
>>>>
>>>> Starting Apache results in this error:
>>>>
>>>> # service httpd start
>>>> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/
>>>> httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/
>>>> python.conf:
>>>> Cannot load /etc/httpd/modules/mod_python.so into server:
>>>> /etc/httpd/modules/mod_python.so: cannot restore segment prot
>>>> after
>>>> reloc: Permission denied
>>>> [FAILED]
>>>>
>>>
>>> This error message is often related to selinux permissions.
>>>
>>> A quick check to see if that is the problem is to disable
>>> selinux with
>>> the command (as root) "setenforce 0". If the module then loads
>>> correctly, it can be fixed permanently with the command:
>>>
>>> chcon -t texrel_shlib_t /etc/httpd/modules/mod_python.so
>>>
>>> Then, re-enable selinux with "setenforce 1".
>>>
>>> If disabling selinux does not fix the problem, then more
>>> investigation
>>> is required.
>>>
>>> Hope that helps,
>>> e.
>>>
>>>> USING:
>>>>
>>>> RHEL5 / SELinux
>>>> Apache 2.2
>>>> Python 2.5.1
>>>> mod_pythonn 3.3.1
>>>> httpd.conf (not .htaccess)
>>>>
>>>>
>>>> TESTED THUS FAR:
>>>>
>>>> .so file exists with same permissions as other modules
>>>> # ls -Z /etc/httpd/modules/mod_python.so
>>>> -rwxr-xr-x root root system_u:object_r:httpd_modules_t /etc/httpd/
>>>> modules/mod_python.so*
>>>>
>>>> If I comment out:
>>>> "#LoadModule python_module modules/mod_python.so"
>>>> and other related python lines Apache starts just fine without
>>>> mod_python.
>>>> # service httpd start
>>>> Starting httpd: [ OK ]
>>>>
>>>>
>>>>
>>>
>>
>> _______________________________________________
>> Mod_python mailing list
>> Mod_python at modpython.org
>> http://mailman.modpython.org/mailman/listinfo/mod_python
>>
>
>
>
|