Apache reports "Permission Denied" to load the libmod_sm22.so or libmod_sm24.so module on SELinux.

Document ID : KB000024633
Last Modified Date : 14/02/2018

Description:

Platform:
SELinux with Apache Web Server and a compatible Single Sign-On Agent

When trying to start Apache under strace (strace -f ./httpd -d /etc/httpd -f /etc/httpd/conf/httpd.conf), the following output appears; the open() of the agent library fails with EACCES even though the process runs as root:

stat64("/etc/httpd/conf/httpd.conf", {st_mode=S_IFREG|0664, st_size=36011, ...}) = 0
open("/etc/httpd/conf/httpd.conf", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0664, st_size=36011, ...}) = 0
read(3, "# Based upon the NCSA server con"..., 4096) = 4096
stat64("/etc/httpd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
read(3, "re\n# ThreadsPerChild: constant n"..., 4096) = 4096
futex(0x247060, FUTEX_WAKE, 2147483647) = 0
open("/root/netegrity/webagent/bin/libmod_sm22.so", O_RDONLY) = -1 EACCES (Permission denied)
write(2, "Syntax error on line 145 of /etc"..., 56) = 56
write(2, "Cannot load /root/netegrity/weba"..., 164) = 164
The command was run as root with the following environment settings:

[root@linuxweb1 sbin]# env | grep PATH
LD_LIBRARY_PATH=/root/netegrity/webagent/bin:/usr/lib:/lib/:/root/netegrity/webagent/bin
NETE_WA_PATH=/root/netegrity/webagent/bin
PATH=/root/netegrity/webagent/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/smuser/bin:/usr/sbin
[root@linuxweb1 sbin]# env | grep LD
OLDPWD=/var/log
LD_LIBRARY_PATH=/root/netegrity/webagent/bin:/usr/lib:/lib/:/root/netegrity/webagent/bin

Solution:

SELinux is installed and enforcing, and its policy does not permit the httpd domain to read files it has not been granted access to. Here the agent library lives under /root, which the default policy does not allow httpd to read. Ordinary file permissions (DAC) would not refuse root an open() for reading, so an EACCES returned to root is itself a strong sign that a mandatory access control denial from SELinux is the cause.

To determine whether the "Permission Denied" error reported by Apache on startup is due to SELinux:
Confirm that SELinux is enforcing (getenforce prints "Enforcing"), then check the syslog (/var/log/messages, or /var/log/audit/audit.log when auditd is running) for lines containing "avc: denied" with comm="httpd". Each such line is SELinux enforcing a denial of access and names the source domain (scontext), the target file label (tcontext), the object class and the permission that was refused.

One workaround is to disable SELinux confinement for Apache (httpd). Note that this removes all SELinux protection from the web server, not just the check that blocked the agent library, so treat it as a diagnostic step rather than a permanent fix.
Change the runtime setting and verify that this eliminates the issue:
># setsebool httpd_disable_trans 1
Restart Apache.

To make the setting survive a reboot, change the SELinux configuration:
># vi /etc/selinux/targeted/booleans
Append or modify the httpd_disable_trans line as follows:
httpd_disable_trans=1
On policy versions that persist booleans with setsebool, the equivalent is "setsebool -P httpd_disable_trans 1". On later policy releases the httpd_disable_trans boolean no longer exists; the equivalent there is to make the httpd domain permissive with "semanage permissive -a httpd_t", which has the same effect of leaving httpd unconfined while the rest of the system stays enforcing.

A more secure workaround is to keep SELinux enforcing and allow Apache (httpd) to load the specific module, then allow only the file access that the module needs (its configuration file, log files, etc.). This is not a trivial SELinux exercise, but SELinux can be run in permissive mode (setenforce 0, or a permissive httpd domain as above) to audit the accesses without preventing them: start Apache, exercise the agent, collect the resulting "avc: denied" records, and build a local policy module from them (audit2allow -M is the usual tool). Review the generated allow rules before loading them with semodule, then return to enforcing mode with setenforce 1. Because every file under /root carries the same label, rules generated for this layout will grant httpd read access to the whole of /root; installing the agent outside /root and giving its directory a label of its own keeps the grant narrow.
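The following shell script is an added example, not part of this KB article or of the agent's own tooling. It covers both the check above (finding the "avc: denied" records that belong to httpd and reading their fields) and the policy-building step (turning those records into candidate allow rules of the kind audit2allow emits, so they can be reviewed before anything is loaded). The log lines it parses are constructed to resemble a denial of httpd reading a library under /root in both the older syslog "kernel: audit(...)" form and the auditd "type=AVC" form; they are not captured from a real host, and the pid, inode and timestamp values in them are arbitrary.

```shell
#!/bin/sh
# Added example (not from the KB article or the agent vendor): triage SELinux
# AVC denials for one process name and derive candidate allow rules from them.
# SAMPLE_AVC_LOG is constructed for this example; on a real host feed
# /var/log/messages or /var/log/audit/audit.log to the functions instead.
SAMPLE_AVC_LOG='Feb 14 10:01:02 linuxweb1 kernel: audit(1518602462.123:45): avc:  denied  { search } for  pid=2817 comm="httpd" name="root" dev=sda2 ino=2 scontext=root:system_r:httpd_t tcontext=root:object_r:admin_home_t tclass=dir
Feb 14 10:01:02 linuxweb1 kernel: audit(1518602462.123:46): avc:  denied  { read } for  pid=2817 comm="httpd" name="libmod_sm22.so" dev=sda2 ino=131314 scontext=root:system_r:httpd_t tcontext=root:object_r:admin_home_t tclass=file
type=AVC msg=audit(1518602465.555:47): avc:  denied  { write } for  pid=2901 comm="sshd" name="ssh_config" dev=sda2 ino=99 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Feb 14 10:01:06 linuxweb1 httpd: httpd startup succeeded'

# Keep only AVC denial records, then only those of the named process (comm=).
# Usage: avc_denials_for COMM < logfile
avc_denials_for() {
    grep 'avc: *denied' | grep "comm=\"$1\""
}

# Reduce each record to: source_type target_type tclass name perm [perm ...]
# The type is the third colon-separated field of a context, so both
# "root:system_r:httpd_t" and "system_u:system_r:httpd_t:s0" are handled.
# Records without a name= field are passed through unchanged.
AVC_FIELDS_RE='s/.*avc: *denied *\{ *([a-z_ ]*[a-z_]) *\}.*name="([^"]*)".*scontext=[^:]*:[^:]*:([a-z_]+).*tcontext=[^:]*:[^:]*:([a-z_]+).*tclass=([a-z_]+).*/\3 \4 \5 \2 \1/'
avc_summary() {
    avc_denials_for "$1" | sed -E "$AVC_FIELDS_RE"
}

# Number of denial records for the process; a non-zero count for "httpd"
# confirms SELinux as the cause of an EACCES that root should not be seeing.
avc_count_for() {
    avc_denials_for "$1" | grep -c .
}

# Candidate type-enforcement rules in the form audit2allow would produce,
# one per (source, target, class) with the permissions merged. These are for
# review: here both rules open admin_home_t, i.e. all of /root, to httpd_t.
avc_to_allow_rules() {
    avc_summary "$1" | awk '
        { perms = ""; for (i = 5; i <= NF; i++) perms = perms $i " ";
          printf "allow %s %s:%s { %s};\n", $1, $2, $3, perms }' | sort -u
}

# Stand-alone run: what the constructed log says about httpd.
printf '%s\n' "$SAMPLE_AVC_LOG" | avc_summary httpd
printf '%s\n' "$SAMPLE_AVC_LOG" | avc_to_allow_rules httpd
```

The rules this prints are a starting point for review, not something to load as-is: a grant on admin_home_t covers every file under /root, which is far wider than one shared object. If the agent is moved out of /root and its directory given its own label, the same procedure yields a rule scoped to that label alone.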