CentOS 6: PHP fails to load gdchart.so and oci8.so compiled by me

I have been trying to add 2 PHP extensions to a freshly installed CentOS 6.0 Linux server, but I get error messages in /var/log/httpd/error_log:

    [notice] SELinux policy enabled; httpd running as context unconfined_u:system_r:httpd_t:s0
    PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/gdchart.so' - /usr/lib64/php/modules/gdchart.so: undefined symbol: php_gd_gdFontMediumBold in Unknown on line 0
    PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/oci8.so' - libnnz11.so: cannot enable executable stack as shared object requires: Permission denied in Unknown on line 0
    [notice] Apache/2.2.15 (Unix) DAV/2 PHP/5.3.2 mod_ssl/2.2.15 OpenSSL/1.0.0-fips mod_wsgi/3.2 Python/2.6.5 mod_perl/2.0.4 Perl/v5.10.1 configured -- resuming normal operations

I ran:

    # chcon system_u:object_r:lib_t:s0 /usr/lib64/php/modules/oci8.so
    # chcon system_u:object_r:lib_t:s0 /usr/lib64/php/modules/gdchart.so
    # ls -alZ /usr/lib64/php/modules/
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 curl.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 dom.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 fileinfo.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 gdchart.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 gd.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 json.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 oci8.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 pdo_pgsql.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 pdo.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 pdo_sqlite.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 pgsql.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 phar.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 sqlite3.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 wddx.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 xmlreader.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 xmlwriter.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 xsl.so
    -rwxr-xr-x. root root system_u:object_r:lib_t:s0 zip.so

Here is how I compiled the two modules:

1) For oci8.so, set up /etc/tnsnames.ora and then:

    # rpm -Uvh oracle-instantclient11.2-basic-11.2.0.2.0.x86_64.rpm
    # rpm -Uvh oracle-instantclient11.2-devel-11.2.0.2.0.x86_64.rpm
    # pecl install oci8
    (entered: instantclient,/usr/lib/oracle/11.2/client64/lib there)

2) For gdchart.so:

    # yum install gd-devel php-devel gcc
    # wget http://pecl.php.net/get/gdchart-0.2.0.tgz
    # tar xvfz gdchart-0.2.0.tgz
    # cd gdchart-0.2.0
    # phpize
    # ./configure
    # make && make install

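Does anyone have an idea what I am missing?

Using both libraries (Oracle Instant Client and GDChart) from the command line works fine.

Update:

When I turn off SELinux by putting SELINUX=permissive into /etc/selinux/config and rebooting, oci8.so loads, but gdchart.so still has an error.

So I guess my question is: how can I keep SELinux enabled and still be able to use oci8.so? Please share your experience here if you have fought with Oracle + PHP + CentOS/RHEL 6.

Update 2:

When starting Apache, I see in /var/log/audit/audit.log: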

    type=AVC msg=audit(1316698464.300:51213): avc: denied { execstack } for pid=2833 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
    type=SYSCALL msg=audit(1316698464.300:51213): arch=c000003e syscall=10 success=yes exit=0 a0=7fff95f4b000 a1=1000 a2=1000007 a3=7f5e22611000 items=0 ppid=1 pid=2833 auid=10116 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=34 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)

Run the following command as root and try again:

    # setsebool -P allow_execstack 1

You can also enable the executable stack only for oci8.so:

    # execstack -c /usr/lib64/php/modules/oci8.so

Maybe this is old news, but I got PHP/5.3.3 on RHEL 6.3 running with OCI8 (Oracle Instant Client 10.2.0.5) and SELinux enabled by using:

    chcon system_u:object_r:lib_t:s0 /usr/lib64/php/modules/oci8.so
    execstack -c /usr/lib/oracle/<VERSION>/client64/lib/*.so
    chcon -t textrel_shlib_t /usr/lib/oracle/<VERSION>/client64/lib/*.so
    setsebool -P httpd_can_network_connect_db 1

I used a combination of audit2allow -w -a and the hints in this article to come to this successful conclusion.

On CentOS release 6.4 (Final), a similar problem. Our solution appears to be the boolean "httpd_execmem".

After applying all the helpful suggestions without any success, Apache kept failing to load oci8. So we got "audit2allow" to the rescue!

    $> echo 'type=AVC msg=audit(1384944299.002:75458): avc: denied { execstack } for pid=6356 comm="httpd" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process' | audit2allow

Output obtained: "This avc can be allowed using the boolean 'httpd_execmem'"

Finally, the solution so far:

    $> setsebool httpd_execmem 1