labelling issues
Daniel J Walsh
dwalsh at redhat.com
Wed Jan 12 14:03:14 UTC 2005
Joe Orton wrote:
>I notice there are two different types of errors being reported here, is
>that significant? The first is an open() failure:
>
>https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=140706
>Starting httpd: /usr/sbin/httpd: error while loading shared libraries:
>libpcre.so.0: cannot open shared object file: Permission denied
>
>the second is, I presume, an mmap() failure, which means the open() must
>have succeeded:
>
>http://bugs.php.net/bug.php?id=30952
>Cannot load /usr/lib/httpd/modules/libphp5.so into server: libpng.so.3:
>failed to map segment from shared object: Permission denied
>[FAILED]
>
>I've just got the second type of error happening on one of my FC3 test
>boxes:
>
>[root at pepsi ~]# service httpd start
>Starting httpd: /usr/sbin/httpd: error while loading shared libraries:
>librt.so.1: failed to map segment from shared object: Permission denied
> [FAILED]
>[root at pepsi ~]# dmesg | tail -1
>audit(1105522884.846:0): avc: denied { execute } for pid=10455
>path=/lib/tls/librt-2.3.4.so dev=hda2 ino=3480245
>scontext=root:system_r:httpd_t tcontext=system_u:object_r:lib_t
>tclass=file
>[root at pepsi ~]# ls -lZ /lib/tls/librt-2.3.4.so
>-rwxr-xr-x root root system_u:object_r:lib_t
>/lib/tls/librt-2.3.4.so
>
>which appears to be the correct labelling, no? The box has the current
>updates installed, there are no SELinux-related errors in prelink.log.
>
>
>
No they should be shlib_t.
You need to restorecon.
>joe
>
>--
>fedora-selinux-list mailing list
>fedora-selinux-list at redhat.com
>http://www.redhat.com/mailman/listinfo/fedora-selinux-list
>
>
More information about the fedora-selinux-list
mailing list