[mod_python] Apache Fails to load mod_python.so with Permissiondenied error under SELinux

Graham Dumpleton graham.dumpleton at gmail.com
Thu Jan 31 19:51:20 EST 2008 

How big is your:

  /etc/httpd/modules/mod_python.so

file? If you run ldd on it, what does it output as far as dependencies
on shared libraries?

One of the problems with some Python installations is that they still
do not provide a shared library and so a static library gets embedded
in mod_python.so. This results in some messy adress relocations having
to be done when mod_python.so is loaded. I am wandering whether the
'reloc' mentioned in:

  cannot restore segment prot after reloc

is the module loading relocations and it is having a problem with that.

If there is no libpythonX.Y.so linked to mod_python.so, then reinstall
Python using --enable-shared to configure, possibly fix up missing
libpythonX.Y.so symlink in Python installed config directory and then
rebuild mod_python, see if that makes a difference.

Probably nothing to do with this, but if nothing else works. :-)

Graham

On 01/02/2008, Scott Bratcher <scott at 3floors.com> wrote:
> Thanks Eric and Tom,
>
> Unresolved however. I did some permissions tests based on your feedback.
>
>
> I'm chasing this issue as though it is a permissions issue and have
> identified SELinux as the hold-up. I've tried all of these permission
> sets on the modules actual folder and the modules symlinked folder.
> I did both directories just in case the permissions trickle down to
> the actual files being loaded by mod_python itself:
>
> # chcon -R -h -u system_u -r object_r -t httpd_sys_content_t /usr/lib/
> httpd/modules /etc/httpd/modules
> # chcon -R -h -u user_u -r object_r -t httpd_sys_content_t /usr/lib/
> httpd/modules /etc/httpd/modules
> # chcon -R -h -u user_u -r object_r -t httpd_modules_t /usr/lib/httpd/
> modules /etc/httpd/modules
> # chcon -R -h -u system_u -r object_r -t httpd_modules_t /usr/lib/
> httpd/modules /etc/httpd/modules ((( This one is the original
> permission of all apache modules)))
> # chcon -R -h -u system_u -r object_r -t lib_t /usr/lib/httpd/
> modules /etc/httpd/modules
> # chcon -R -h -u system_u -r object_r -t shlib_t /usr/lib/httpd/
> modules /etc/httpd/modules
> # chcon -R -h -u system_u -r object_r -t textrel_shlib_t /usr/lib/
> httpd/modules /etc/httpd/modules
>
> All gave this error:
> ----------
> # service httpd start
> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/
> httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/python.conf:
> Cannot load /etc/httpd/modules/mod_python.so into server: /etc/httpd/
> modules/mod_python.so: cannot restore segment prot after reloc:
> Permission denied
>                                                             [FAILED]
> ----------
>
> ---> This is the only one that gave me a different error.
> ----------
> # chcon -R -h -u system_u -t textrel_shlib_t /usr/lib/httpd/modules /
> etc/httpd/modules
> # service httpd start
> Starting httpd: httpd: Syntax error on line 148 of /etc/httpd/conf/
> httpd.conf: Cannot load /etc/httpd/modules/mod_auth_basic.so into
> server: /etc/httpd/modules/mod_auth_basic.so: cannot open shared
> object file: Permission denied
>                                                             [FAILED]
> ----------
>
>
> ****AGAIN I MUST NOTE: All is solved by turning off SELinux and/or
> All is solved by not loading mod_python. All other modules loaded
> just fine with their original permissions which matched mod_python
> exactly.
>
>
>
>
> Scott
>
>
>
> On Jan 31, 2008, at 1:42 PM, Tom Stambaugh wrote:
>
> > The incantation that I use (for solving different problems, though)
> > is:
> >
> > chcon -R -h -t httpd_sys_content_t <filename>
> >
> > I think the "-R" makes it recurse to all children, and I think the
> > "httpd_sys_content_t" is more permissive (though that could be
> > mistaken).
> > The -h causes it to apply to sym links.
> >
> > Afterwords, I get:
> >
> > #ls -lZ adminuser
> > -rw-rw-r--  zeetix   zeetix   user_u:object_r:httpd_sys_content_t
> > <filename>
> >
> > I use Fedora core3/core4 linux, so YMMV.
> >
> > Thx,
> > Tom
> >
> > ----- Original Message -----
> > From: "Scott Bratcher" <scott at 3floors.com>
> > To: "Eric Brunson" <brunson at brunson.com>
> > Cc: <mod_python at modpython.org>
> > Sent: Thursday, January 31, 2008 1:47 PM
> > Subject: Re: [mod_python] Apache Fails to load mod_python.so with
> > Permissiondenied error under SELinux
> >
> >
> >> Thanks Eric,
> >>
> >> "setenforce 0" THIS WORKED. Apache started right up
> >>
> >> Below are the results of my attempts as you suggested. I think we are
> >> onto the problem because with SELinux enforced it loads right up.
> >> However, the chcon command failed to clear up the problem. I'm new to
> >> SELinux. Is there another possible SELinux related permission
> >> that  may be
> >> the solution? It's just mod_python that is giving this problem  even
> >> though all of the others share the same t permission httpd_module.
> >>
> >> # ls -Zd modules
> >> drwxr-xr-x  root root system_u:object_r:httpd_modules_t modules/
> >>
> >> So I changed the permissions:
> >>
> >> # chcon -t texrel_shlib_t /etc/httpd/modules/mod_python.so
> >> # service httpd start
> >> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/
> >> httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/python.conf:
> >> Cannot load /etc/httpd/modules/mod_python.so into server: /etc/httpd/
> >> modules/mod_python.so: cannot restore segment prot after reloc:
> >> Permission denied
> >>                                                            [FAILED]
> >> # ls -Z /etc/httpd/modules/mod_python.so
> >> -rwxr-xr-x  root root system_u:object_r:textrel_shlib_t /etc/httpd/
> >> modules/mod_python.so*
> >>
> >>
> >>
> >> I also tried changing the permissions of the 2.5 site-packages to the
> >> same permissions as the previously working 2.4 site-packages,
> >> plus  the
> >> other listed below, and the still Apache Failure occurs.
> >>
> >> # ls -Zd /usr/local/lib/python2.5/site-packages/ /usr/lib/python2.4/
> >> site-packages/
> >> drwxr-xr-x  root root system_u:object_r:lib_t           /usr/lib/
> >> python2.4/site-packages/
> >> drwxr-xr-x  root root user_u:object_r:lib_t             /usr/local/
> >> lib/python2.5/site-packages/
> >>
> >> system_u:object_r:lib_t
> >> system_u:object_r:textrel_shlib_t
> >> user_u:object_r:textrel_shlib_t
> >>
> >>
> >> If you have other tips I'd appreciate any help you can offer.
> >>
> >> Scott
> >>
> >>
> >>
> >> On Jan 31, 2008, at 10:13 AM, Eric Brunson wrote:
> >>
> >>> Scott Bratcher wrote:
> >>>> Hello all,
> >>>>
> >>>>
> >>>> THE PROBLEM:
> >>>>
> >>>> Starting Apache results in this error:
> >>>>
> >>>> # service httpd start
> >>>> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/
> >>>> httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/
> >>>> python.conf:
> >>>> Cannot load /etc/httpd/modules/mod_python.so into  server:
> >>>> /etc/httpd/modules/mod_python.so: cannot restore segment  prot
> >>>> after
> >>>> reloc: Permission denied
> >>>>                                                            [FAILED]
> >>>>
> >>>
> >>> This error message is often related to selinux permissions.
> >>>
> >>> A quick check to see if that is the problem is to disable
> >>> selinux  with
> >>> the command (as root) "setenforce 0".  If the module then  loads
> >>> correctly, it can be fixed permanently with the command:
> >>>
> >>> chcon -t texrel_shlib_t /etc/httpd/modules/mod_python.so
> >>>
> >>> Then, re-enable selinux with "setenforce 1".
> >>>
> >>> If disabling selinux does not fix the problem, then more
> >>> investigation
> >>> is required.
> >>>
> >>> Hope that helps,
> >>> e.
> >>>
> >>>> USING:
> >>>>
> >>>> RHEL5 / SELinux
> >>>> Apache 2.2
> >>>> Python 2.5.1
> >>>> mod_pythonn 3.3.1
> >>>> httpd.conf (not .htaccess)
> >>>>
> >>>>
> >>>> TESTED THUS FAR:
> >>>>
> >>>> .so file exists with same permissions as other modules
> >>>> # ls -Z /etc/httpd/modules/mod_python.so
> >>>> -rwxr-xr-x  root root system_u:object_r:httpd_modules_t /etc/httpd/
> >>>> modules/mod_python.so*
> >>>>
> >>>> If I comment out:
> >>>> "#LoadModule python_module modules/mod_python.so"
> >>>> and other related python lines Apache starts just fine without
> >>>> mod_python.
> >>>> # service httpd start
> >>>> Starting httpd:                                            [  OK  ]
> >>>>
> >>>>
> >>>>
> >>>
> >>
> >> _______________________________________________
> >> Mod_python mailing list
> >> Mod_python at modpython.org
> >> http://mailman.modpython.org/mailman/listinfo/mod_python
> >>
> >
> >
> >
>
> _______________________________________________
> Mod_python mailing list
> Mod_python at modpython.org
> http://mailman.modpython.org/mailman/listinfo/mod_python
>

More information about the Mod_python mailing list