Thursday, December 3, 2009

SELinux, Apache and PHP 5.

Recently at work we hired a contractor to come in and do some work. The department that hired him requested a machine for him. Instead of giving the guy admin access on a CentOS machine, I decided he could run everything in user space. That's fine...and I figured I'd duplicate the environment he'd use just so I could make sure it would work. I don't like to provision machines and give anyone but myself or my system administrators admin access.

The guy wanted PHP5, Apache 2 (I used 2.2), Moodle (some courseware PHP program), and PostgreSQL.

Everything compiled without a hitch (mostly, since I had to look up what all PHP modules he needed compiled in...also added Suhosin for good measure since who knows what this guy will be doing).

After fighting a bit with PHP modules I then discovered that SELinux was denying access to libphp5.so in the Apache httpd/modules directory.

This was an error: "cannot restore segment prot after reloc: Permission denied" - Of course, disabling SELinux fixed this...but I don't always want to disable SELinux...

Someone suggested running execstack against libphp5.so to enable a flag on the file so SELinux would let Apache load the module...That didn't work.

I'll update this post later with some answers...I hope. For now, I'm leaving the office.
