[mod_python] Apache Fails to load mod_python.so with Permission denied error under SELinux

Scott Bratcher scott at 3floors.com
Thu Jan 31 23:07:27 EST 2008


Thank you for looking in, Graham,

DEPENDENCIES:
# ldd /etc/httpd/modules/mod_python.so
         linux-gate.so.1 =>  (0x00b16000)
         libpthread.so.0 => /lib/libpthread.so.0 (0x00f2d000)
         libdl.so.2 => /lib/libdl.so.2 (0x00aa7000)
         libutil.so.1 => /lib/libutil.so.1 (0x00110000)
         libm.so.6 => /lib/libm.so.6 (0x00114000)
         libc.so.6 => /lib/libc.so.6 (0x00453000)
         /lib/ld-linux.so.2 (0x0076d000)

SIZE:
# ls -fla /etc/httpd/modules/mod_python.so
-rwxr-xr-x 1 root root 4.1M Jan 31 01:51 /etc/httpd/modules/mod_python.so*

I'm game to reinstall python, how do I check to see if there is a  
libpythonX.Y.so file linked to mod_python.so?

Scott



On Jan 31, 2008, at 6:51 PM, Graham Dumpleton wrote:

> How big is your:
>
>   /etc/httpd/modules/mod_python.so
>
> file? If you run ldd on it, what does it output as far as dependencies
> on shared libraries?
>
> One of the problems with some Python installations is that they still
> do not provide a shared library and so a static library gets embedded
> in mod_python.so. This results in some messy address relocations having
> to be done when mod_python.so is loaded. I am wondering whether the
> 'reloc' mentioned in:
>
>   cannot restore segment prot after reloc
>
> is the module loading relocations and it is having a problem with that.
>
> If there is no libpythonX.Y.so linked to mod_python.so, then reinstall
> Python using --enable-shared to configure, possibly fix up missing
> libpythonX.Y.so symlink in Python installed config directory and then
> rebuild mod_python, see if that makes a difference.
>
> Probably nothing to do with this, but if nothing else works. :-)
>
> Graham
>
> On 01/02/2008, Scott Bratcher <scott at 3floors.com> wrote:
>> Thanks Eric and Tom,
>>
>> Unresolved however. I did some permissions tests based on your feedback.
>>
>>
>> I'm chasing this issue as though it is a permissions issue and have
>> identified SELinux as the hold-up. I've tried all of these permission
>> sets on the modules actual folder and the modules symlinked folder.
>> I did both directories just in case the permissions trickle down to
>> the actual files being loaded by mod_python itself:
>>
>> # chcon -R -h -u system_u -r object_r -t httpd_sys_content_t /usr/lib/httpd/modules /etc/httpd/modules
>> # chcon -R -h -u user_u -r object_r -t httpd_sys_content_t /usr/lib/httpd/modules /etc/httpd/modules
>> # chcon -R -h -u user_u -r object_r -t httpd_modules_t /usr/lib/httpd/modules /etc/httpd/modules
>> # chcon -R -h -u system_u -r object_r -t httpd_modules_t /usr/lib/httpd/modules /etc/httpd/modules
>> ((( This one is the original permission of all apache modules)))
>> # chcon -R -h -u system_u -r object_r -t lib_t /usr/lib/httpd/modules /etc/httpd/modules
>> # chcon -R -h -u system_u -r object_r -t shlib_t /usr/lib/httpd/modules /etc/httpd/modules
>> # chcon -R -h -u system_u -r object_r -t textrel_shlib_t /usr/lib/httpd/modules /etc/httpd/modules
>>
>> All gave this error:
>> ----------
>> # service httpd start
>> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/python.conf: Cannot load /etc/httpd/modules/mod_python.so into server: /etc/httpd/modules/mod_python.so: cannot restore segment prot after reloc: Permission denied
>>                                                             [FAILED]
>> ----------
>>
>> ---> This is the only one that gave me a different error.
>> ----------
>> # chcon -R -h -u system_u -t textrel_shlib_t /usr/lib/httpd/modules /etc/httpd/modules
>> # service httpd start
>> Starting httpd: httpd: Syntax error on line 148 of /etc/httpd/conf/httpd.conf: Cannot load /etc/httpd/modules/mod_auth_basic.so into server: /etc/httpd/modules/mod_auth_basic.so: cannot open shared object file: Permission denied
>>                                                             [FAILED]
>> ----------
>>
>>
>> ****AGAIN I MUST NOTE: All is solved by turning off SELinux and/or
>> All is solved by not loading mod_python. All other modules loaded
>> just fine with their original permissions which matched mod_python
>> exactly.
>>
>>
>>
>>
>> Scott
>>
>>
>>
>> On Jan 31, 2008, at 1:42 PM, Tom Stambaugh wrote:
>>
>>> The incantation that I use (for solving different problems, though)
>>> is:
>>>
>>> chcon -R -h -t httpd_sys_content_t <filename>
>>>
>>> I think the "-R" makes it recurse to all children, and I think the
>>> "httpd_sys_content_t" is more permissive (though that could be
>>> mistaken).
>>> The -h causes it to apply to sym links.
>>>
>>> Afterwards, I get:
>>>
>>> #ls -lZ adminuser
>>> -rw-rw-r--  zeetix   zeetix   user_u:object_r:httpd_sys_content_t <filename>
>>>
>>> I use Fedora core3/core4 linux, so YMMV.
>>>
>>> Thx,
>>> Tom
>>>
>>> ----- Original Message -----
>>> From: "Scott Bratcher" <scott at 3floors.com>
>>> To: "Eric Brunson" <brunson at brunson.com>
>>> Cc: <mod_python at modpython.org>
>>> Sent: Thursday, January 31, 2008 1:47 PM
>>> Subject: Re: [mod_python] Apache Fails to load mod_python.so with
>>> Permissiondenied error under SELinux
>>>
>>>
>>>> Thanks Eric,
>>>>
>>>> "setenforce 0" THIS WORKED. Apache started right up
>>>>
>>>> Below are the results of my attempts as you suggested. I think we are
>>>> onto the problem because with SELinux enforced it loads right up.
>>>> However, the chcon command failed to clear up the problem. I'm new to
>>>> SELinux. Is there another possible SELinux related permission that may be
>>>> the solution? It's just mod_python that is giving this problem even
>>>> though all of the others share the same t permission httpd_module.
>>>>
>>>> # ls -Zd modules
>>>> drwxr-xr-x  root root system_u:object_r:httpd_modules_t modules/
>>>>
>>>> So I changed the permissions:
>>>>
>>>> # chcon -t textrel_shlib_t /etc/httpd/modules/mod_python.so
>>>> # service httpd start
>>>> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/python.conf: Cannot load /etc/httpd/modules/mod_python.so into server: /etc/httpd/modules/mod_python.so: cannot restore segment prot after reloc: Permission denied
>>>>                                                            [FAILED]
>>>> # ls -Z /etc/httpd/modules/mod_python.so
>>>> -rwxr-xr-x  root root system_u:object_r:textrel_shlib_t /etc/httpd/modules/mod_python.so*
>>>>
>>>>
>>>>
>>>> I also tried changing the permissions of the 2.5 site-packages to the
>>>> same permissions as the previously working 2.4 site-packages, plus the
>>>> other listed below, and still the Apache failure occurs.
>>>>
>>>> # ls -Zd /usr/local/lib/python2.5/site-packages/ /usr/lib/python2.4/site-packages/
>>>> drwxr-xr-x  root root system_u:object_r:lib_t           /usr/lib/python2.4/site-packages/
>>>> drwxr-xr-x  root root user_u:object_r:lib_t             /usr/local/lib/python2.5/site-packages/
>>>>
>>>> system_u:object_r:lib_t
>>>> system_u:object_r:textrel_shlib_t
>>>> user_u:object_r:textrel_shlib_t
>>>>
>>>>
>>>> If you have other tips I'd appreciate any help you can offer.
>>>>
>>>> Scott
>>>>
>>>>
>>>>
>>>> On Jan 31, 2008, at 10:13 AM, Eric Brunson wrote:
>>>>
>>>>> Scott Bratcher wrote:
>>>>>> Hello all,
>>>>>>
>>>>>>
>>>>>> THE PROBLEM:
>>>>>>
>>>>>> Starting Apache results in this error:
>>>>>>
>>>>>> # service httpd start
>>>>>> Starting httpd: httpd: Syntax error on line 210 of /etc/httpd/conf/httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/python.conf: Cannot load /etc/httpd/modules/mod_python.so into server: /etc/httpd/modules/mod_python.so: cannot restore segment prot after reloc: Permission denied
>>>>>>                                                             [FAILED]
>>>>>>
>>>>>
>>>>> This error message is often related to selinux permissions.
>>>>>
>>>>> A quick check to see if that is the problem is to disable selinux with
>>>>> the command (as root) "setenforce 0".  If the module then loads
>>>>> correctly, it can be fixed permanently with the command:
>>>>>
>>>>> chcon -t textrel_shlib_t /etc/httpd/modules/mod_python.so
>>>>>
>>>>> Then, re-enable selinux with "setenforce 1".
>>>>>
>>>>> If disabling selinux does not fix the problem, then more investigation
>>>>> is required.
>>>>>
>>>>> Hope that helps,
>>>>> e.
>>>>>
>>>>>> USING:
>>>>>>
>>>>>> RHEL5 / SELinux
>>>>>> Apache 2.2
>>>>>> Python 2.5.1
>>>>>> mod_python 3.3.1
>>>>>> httpd.conf (not .htaccess)
>>>>>>
>>>>>>
>>>>>> TESTED THUS FAR:
>>>>>>
>>>>>> .so file exists with same permissions as other modules
>>>>>> # ls -Z /etc/httpd/modules/mod_python.so
>>>>>> -rwxr-xr-x  root root system_u:object_r:httpd_modules_t /etc/httpd/modules/mod_python.so*
>>>>>>
>>>>>> If I comment out:
>>>>>> "#LoadModule python_module modules/mod_python.so"
>>>>>> and other related python lines Apache starts just fine without
>>>>>> mod_python.
>>>>>> # service httpd start
>>>>>> Starting httpd:                                             [  OK  ]
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> Mod_python mailing list
>>>> Mod_python at modpython.org
>>>> http://mailman.modpython.org/mailman/listinfo/mod_python
>>>>
>>>
>>>
>>>
>>
>>
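
The question at the top of this message (how to tell whether a libpythonX.Y.so is linked to mod_python.so) can be answered from the `ldd` text already posted, and `readelf -d` shows whether a module carries the text relocations that the "after reloc" error refers to. The script below is an added example, not part of the thread: its function names are hypothetical and the `readelf -d` excerpt is constructed, while the `ldd` text is the one posted above.

```shell
#!/bin/sh
# Added example: classify a module from its `ldd` and `readelf -d` text.

# Exit 0 if the ldd output on stdin lists a shared libpythonX.Y.so.
links_shared_libpython() {
    grep -Eq '(^|[[:space:]/])libpython[0-9]+\.[0-9]+[a-z]*\.so'
}

# Exit 0 if the `readelf -d` output on stdin marks text relocations,
# as a DT_TEXTREL entry or as the TEXTREL bit of DT_FLAGS.
has_textrel() {
    grep -Eq '\(TEXTREL\)|\(FLAGS\).*TEXTREL'
}

# Print one verdict line; $1 = ldd output, $2 = readelf -d output.
classify_module() {
    if printf '%s\n' "$1" | links_shared_libpython; then
        py=shared
    else
        py=static-or-absent
    fi
    if printf '%s\n' "$2" | has_textrel; then
        rel=textrel
    else
        rel=no-textrel
    fi
    echo "libpython=$py relocations=$rel"
}

# ldd output as posted in the message (note: no libpython line at all).
POSTED_LDD='linux-gate.so.1 =>  (0x00b16000)
libpthread.so.0 => /lib/libpthread.so.0 (0x00f2d000)
libdl.so.2 => /lib/libdl.so.2 (0x00aa7000)
libutil.so.1 => /lib/libutil.so.1 (0x00110000)
libm.so.6 => /lib/libm.so.6 (0x00114000)
libc.so.6 => /lib/libc.so.6 (0x00453000)
/lib/ld-linux.so.2 (0x0076d000)'

# Constructed `readelf -d` excerpt (not from the thread) for a module
# built with text relocations.
CONSTRUCTED_DYN=' 0x00000001 (NEEDED)    Shared library: [libc.so.6]
 0x00000016 (TEXTREL)   0x0'

# With a readable module path as $1, inspect it; otherwise use the samples.
if [ -r "${1:-}" ]; then
    classify_module "$(ldd "$1")" "$(readelf -d "$1")"
else
    classify_module "$POSTED_LDD" "$CONSTRUCTED_DYN"
fi
```

Run with a module path as the first argument to inspect a real file; a `static-or-absent` result together with `textrel` is the combination the reply about a statically embedded Python library describes.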


