Apache reports "Permission Denied" to load the libmod_sm22.so or libmod_sm24.so module on SELinux.



Article ID: 24633


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On SITEMINDER
CA Single Sign On Agents (SiteMinder)

Issue/Introduction

Description:

Platform:
SELinux with Apache Web Server and a compatible Single Sign-On Web Agent

When Apache is started under strace (strace -f ./httpd -d /etc/httpd -f /etc/httpd/conf/httpd.conf), the trace shows the configuration file being read normally and then the open() of the agent module failing with EACCES:

stat64("/etc/httpd/conf/httpd.conf", {st_mode=S_IFREG|0664, st_size=36011, ...}) = 0
open("/etc/httpd/conf/httpd.conf", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0664, st_size=36011, ...}) = 0
read(3, "# Based upon the server con"..., 4096) = 4096
stat64("/etc/httpd", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
read(3, "re\n# ThreadsPerChild: constant n"..., 4096) = 4096
futex(0x247060, FUTEX_WAKE, 2147483647) = 0
open("/opt/CA/webagent/bin/libmod_sm22.so", O_RDONLY) = -1 EACCES (Permission denied)
write(2, "Syntax error on line 145 of /etc"..., 56) = 56
write(2, "Cannot load /opt/CA/weba"..., 164) = 164
The command was run as root with the following environment, so the EACCES is not an ordinary file-permission (DAC) problem and the library directory is on the search path:

[root@host sbin]# env | grep PATH
LD_LIBRARY_PATH=/opt/CA/webagent/bin:/usr/lib:/lib/:/opt/CA/webagent/bin
NETE_WA_PATH=/opt/CA/webagent/bin
PATH=/opt/CA/webagent/bin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/home/<name>/bin:/usr/sbin
[root@host sbin]# env | grep LD
OLDPWD=/var/log
LD_LIBRARY_PATH=/opt/CA/webagent/bin:/usr/lib:/lib/:/opt/CA/webagent/bin

 

Resolution

Solution:

SELinux is installed and enforcing, and the targeted policy confines Apache to the httpd_t domain, which may only read, map and execute files whose labels the policy grants it. The agent library under /opt/CA/webagent/bin is not one of them, so the open() fails with EACCES even though the process runs as root and the DAC permissions would allow it.

To confirm that the "Permission Denied" reported by Apache at startup comes from SELinux rather than from file permissions, first check the mode with getenforce, then check the system log (/var/log/messages) for lines containing "avc: denied". Each such line is SELinux recording a denial, and it names the process (comm=), the file (name= or path=), the source context (scontext=, here httpd_t), the target context (tcontext=, the label on the file) and the object class (tclass=). On systems running auditd the denials are written to /var/log/audit/audit.log instead and can be listed with ausearch -m avc. If the open() fails and no AVC message appears at all, the cause is something other than SELinux.

One workaround is to stop SELinux confining Apache (httpd). Change the runtime setting and verify that this eliminates the error:
# setsebool httpd_disable_trans 1
Restart Apache.

To make the setting survive a reboot, edit the targeted policy's booleans file:
# vi /etc/selinux/targeted/booleans
Append or modify the httpd_disable_trans line as follows:
httpd_disable_trans=1

Note that httpd_disable_trans stops the domain transition into httpd_t, so Apache then runs unconfined and loses all SELinux protection, not just the restriction on this one module; treat it as a diagnostic step or a stopgap, not a fix. The boolean and the /etc/selinux/targeted/booleans file belong to the older targeted policy; on later releases the boolean no longer exists and persistent boolean changes are made with setsebool -P instead of editing a file.

A more secure approach is to keep Apache confined and grant it only what it needs: allow httpd to load this specific module, then allow the file access the module itself requires (its configuration files, log files and so on). This is not a trivial SELinux exercise, but it can be done in stages. Put SELinux into permissive mode (setenforce 0), which logs every access the policy would have denied without actually blocking it, start Apache and exercise the web agent, then turn the logged denials into policy and return to enforcing mode (setenforce 1). Before adding allow rules, check the tcontext of each denial: the usual root cause is labeling, because files under /opt carry a generic type that httpd_t is not allowed to map and execute, and labeling the agent's shared objects as a shared-library type (semanage fcontext followed by restorecon on releases that ship semanage, or chcon) lets the module load without widening the httpd_t domain at all. audit2allow is only needed for accesses that the standard types do not already cover.
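The two steps above, finding the "avc: denied" lines and turning a permissive-mode audit into policy, can be followed by hand with a small script. The following is an added example written for this article, not CA code and not part of the SiteMinder agent: it parses AVC denials from /var/log/messages or audit.log format, groups them the way audit2allow does, drafts the corresponding .te module, and flags denials on shared objects where a relabel is the better fix. The log lines embedded in it are constructed to match the libmod_sm22.so scenario; the types (usr_t, httpd_t), pids, inodes and timestamps are assumptions, not captured from a real host, and the relabel heuristic is a rule of thumb, not policy truth.

```python
"""Summarize SELinux AVC denials and draft allow rules from them.

Added example for the CA article above (not CA code): a minimal
reimplementation of what audit2allow does with a permissive-mode
audit, plus a check for denials that a relabel would fix instead.
"""
import re
from collections import defaultdict

# Constructed sample log: one /var/log/messages (klog) line and three
# auditd lines. Labels, pids, inodes and timestamps are assumptions.
SAMPLE_LOG = """\
kernel: audit(1160000000.123:45): avc:  denied  { read } for  pid=2345 comm="httpd" name="libmod_sm22.so" dev=sda3 ino=123456 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1160000000.456:46): avc:  denied  { execute } for  pid=2345 comm="httpd" path="/opt/CA/webagent/bin/libmod_sm22.so" dev=sda3 ino=123456 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1160000000.789:47): avc:  denied  { append } for  pid=2345 comm="httpd" name="WebAgent.log" dev=sda3 ino=654321 scontext=root:system_r:httpd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1160000000.789:47): arch=40000003 syscall=5 success=no exit=-13
"""

# Matches the fixed part of an AVC record; SYSCALL and other records are skipped.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)
FIELD_RE = re.compile(r'(comm|path|name)="([^"]*)"')

# Types httpd_t is allowed to map and execute as libraries (assumption
# for the heuristic below; check your own policy with sesearch).
LIB_TYPES = {"lib_t", "textrel_shlib_t"}


def context_type(ctx):
    """Return the type field of user:role:type[:range]."""
    return ctx.split(":")[2]


def parse_denials(text):
    """Return one dict per AVC denial line found in text."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(line))
        denials.append({
            "perms": set(m.group("perms").split()),
            "stype": context_type(m.group("scontext")),
            "ttype": context_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "comm": fields.get("comm", "?"),
            # audit logs give a full path= when they can, otherwise only name=
            "target": fields.get("path") or fields.get("name") or "?",
        })
    return denials


def summarize(denials):
    """Group denials by (source type, target type, class), merging permissions."""
    summary = defaultdict(set)
    for d in denials:
        summary[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
    return {key: sorted(perms) for key, perms in summary.items()}


def allow_rules(denials):
    """Render one allow rule per (source, target, class) triple, audit2allow style."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summarize(denials).items()):
        perm_text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_text};")
    return rules


def draft_module(name, denials):
    """Render a .te source module of the shape 'audit2allow -M name' writes."""
    types, classes = set(), defaultdict(set)
    for d in denials:
        types |= {d["stype"], d["ttype"]}
        classes[d["tclass"]] |= d["perms"]
    lines = [f"module {name} 1.0;", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""] + allow_rules(denials)
    return "\n".join(lines) + "\n"


def relabel_hint(d):
    """Flag a denial on a shared object that carries a non-library label.

    Such a denial is usually a labeling problem: relabel the .so rather
    than allowing httpd_t to execute the generic type. Returns None when
    the heuristic does not apply.
    """
    if d["tclass"] == "file" and d["target"].endswith(".so") and d["ttype"] not in LIB_TYPES:
        return (f"{d['target']} is labeled {d['ttype']}; label it lib_t "
                f"(semanage fcontext + restorecon) instead of allowing "
                f"{d['stype']} to execute {d['ttype']} files")
    return None


if __name__ == "__main__":
    found = parse_denials(SAMPLE_LOG)
    for d in found:
        print(f"{d['comm']} ({d['stype']}) denied {sorted(d['perms'])} "
              f"on {d['target']} ({d['ttype']}:{d['tclass']})")
        hint = relabel_hint(d)
        if hint:
            print("  hint:", hint)
    print()
    print(draft_module("ca_webagent_local", found))
```

Run it against real input by replacing SAMPLE_LOG with the contents of /var/log/messages or the output of ausearch -m avc. The drafted module is deliberately as permissive as the audit, exactly like audit2allow output, so review every rule: here the two denials on libmod_sm22.so are resolved by relabeling, and only the append on the agent log file would justify an allow rule or a log-file label.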