Solving "cannot enable executable stack as shared object requires: Permission denied"

Posted by Adastra on Sat, 23 Nov 2019 16:42:03 +0100

Start troubleshooting

1. Error message when starting the Apache service.

Starting httpd: httpd: Syntax error on line 211 of /etc/httpd/conf/httpd.conf: Syntax error on line 6 of /etc/httpd/conf.d/php.conf: Cannot load /etc/httpd/modules/libphp5.so into server: libcrypto.so.6: cannot enable executable stack as shared object requires: Permission denied


Judging from the error above, this is probably an SELinux problem.

2. Switch SELinux to permissive mode and try starting Apache.

/usr/sbin/setenforce 0
/etc/init.d/httpd start
Starting httpd: [Wed Apr 24 12:37:39 2019]     [  OK  ]

The startup succeeded, so it is definitely an SELinux problem. For the sake of system security, how can it be solved without turning SELinux off?

Solving the SELinux problem:

1. Switch back to enforcing mode and view audit.log.

/usr/sbin/setenforce 1
less /var/log/audit/audit.log

type=AVC msg=audit(1556086804.050:571845): avc:  denied  { execstack } for  pid=17397 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1556086804.050:571845): arch=c000003e syscall=10 success=no exit=-13 a0=7fff31feb000 a1=1000 a2=1000007 a3=4 items=0 ppid=17394 pid=17397 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=187 comm="httpd" exe="/usr/sbin/httpd" subj=root:system_r:httpd_t:s0 key=(null)

2. Run execstack.

The simplest solution is to clear the executable-stack flag on the library with execstack:
execstack --clear-execstack /lib/libcrypto.so.6

Some of the execstack options are as follows:
-s --set-execstack
              Mark binary or shared library as requiring executable stack.
-c --clear-execstack
              Mark binary or shared library as not requiring executable stack.
-q --query
              Query executable stack marking of binaries and shared libraries. For each file it prints either - when executable stack
              is not required, X when executable stack is required or ? when it is unknown whether the object requires or doesn't
              require executable stack (the marking is missing).

Use the -q option to check whether the specified file requires an executable stack. Output starting with "-" means an executable stack is not required, "X" means it is required, and "?" means unknown.
:/root> execstack -q /lib/libcrypto.so.6
? /lib/libcrypto.so.6
:/root> execstack -c /lib/libcrypto.so.6
:/root> execstack -q /lib/libcrypto.so.6
- /lib/libcrypto.so.6
:/root> 

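3. Generate a policy package (.pp file) from the log. audit2allow -M also writes httpdfixlocal.te, the readable source of the module; check it before installing, because it allows every httpd denial that matched the grep.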

grep httpd /var/log/audit/audit.log | audit2allow -M httpdfixlocal

******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i httpdfixlocal.pp

4. Install the policy package.

/usr/sbin/semodule -i httpdfixlocal.pp

5. Start httpd; it now starts normally.

 

Note: commands such as setsebool and semodule require the following package to be installed.

yum install policycoreutils
