Troubleshooting a startup error
1. Starting the apache service fails with the following error.
Starting httpd: httpd: Syntax error on line 211 of /etc/httpd/conf/httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/php.conf: Cannot load /etc/httpd/modules/libphp5.so into server: libcrypto.so.6: cannot enable executable stack as shared object requires: Permission denied
Judging from the error above, this should be an SELinux problem.
2. Try turning SELinux off and starting apache.
/usr/sbin/setenforce 0
/etc/init.d/httpd start
Starting httpd: [Wed Apr 24 12:37:39 2019] [ OK ]
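It started successfully, so it is definitely an SELinux problem. For the sake of system security we do not want to turn SELinux off, so how do we solve it?
Solving the SELinux problem:
1. Check the audit.log log.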
/usr/sbin/setenforce 1
less /var/log/audit/audit.log
type=AVC msg=audit(1556086804.050:571845): avc: denied { execstack } for pid=17397 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1556086804.050:571845): arch=c000003e syscall=10 success=no exit=-13 a0=7fff31feb000 a1=1000 a2=1000007 a3=4 items=0 ppid=17394 pid=17397 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=187 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)
2. Handle it with execstack.
The simplest fix is to run execstack:
execstack --clear-execstack /lib/libcrypto.so.6
Some of the execstack options are as follows:
-s --set-execstack
    Mark binary or shared library as requiring executable stack.
-c --clear-execstack
    Mark binary or shared library as not requiring executable stack.
-q --query
    Query executable stack marking of binaries and shared libraries. For each file it prints either - when executable stack is not required, X when executable stack is required or ? when it is unknown whether the object requires or doesn't require executable stack (the marking is missing).
Use the -q option to check whether a given file requires an executable stack. If the output starts with "-", executable stack is not required; if it is "X", executable stack is required; if it is "?", it is unknown.
:/root> execstack -q /lib/libcrypto.so.6
? /lib/libcrypto.so.6
:/root> execstack -c /lib/libcrypto.so.6
:/root> execstack -q /lib/libcrypto.so.6
- /lib/libcrypto.so.6
:/root>
3. Generate a PP file from the log.
grep httpd /var/log/audit/audit.log | audit2allow -M httpdfixlocal
******************** IMPORTANT ***********************
To make this policy package active, execute:
semodule -i httpdfixlocal.pp
4. Apply the PP file.
/usr/sbin/semodule -i httpdfixlocal.pp
5. Start httpd; it now starts normally.
Note: commands such as setsebool and semodule require the following package to be installed.
yum install policycoreutils