Permission denied when starting Apache Web Policy Agent 4.x on Red Hat Enterprise Linux or CentOS system configured with SELinux
The purpose of this article is to provide assistance if you get a Syntax error ending with Permission denied when starting an Apache™ Web Policy Agent on a Red Hat® Enterprise Linux® (RHEL) or CentOS system configured with SELinux.
Archived
This article has been archived and is no longer maintained by ForgeRock.
Symptoms
When starting the Apache web policy agent, you get an error similar to the following:
httpd: Syntax error on line 1012 of /etc/httpd/conf/httpd.conf: Cannot load /opt/web_agents/apache22_agent/lib/mod_openam.so into server: /opt/web_agents/apache22_agent/lib/mod_openam.so: failed to map segment from shared object: Permission denied
Recent Changes
Installed web policy agent 4.x for Apache HTTP Server.
Made SELinux configuration changes on the RHEL or CentOS system where the policy agent is already running.
Causes
When SELinux is in Enforcing mode (which enforces all configured parameters and logs any violations to the /var/log/audit/audit.log file), it can prevent external .so files from being loaded.
You can check what mode SELinux is in using the following command:
getenforce
Solution
This issue can be resolved by giving access to the shared library using the following commands:
$ chcon -t lib_t /web_agents/apache2x_agent/lib/*.so
$ semanage fcontext -a -t lib_t '/web_agents/apache2x_agent/lib/.*\.so'
See OpenAM Web Policy Agent Release Notes › Limitations for further information.
Alternatively, you can temporarily change the mode for SELinux to Permissive (which does not enforce the configured parameters but does log any violations to /var/log/audit/audit.log for troubleshooting purposes) using the following command:
setenforce Permissive
Note
The mode reverts to Enforcing when the system is rebooted; you can make this change permanent, if required, by editing the /etc/sysconfig/selinux file and changing SELINUX=enforcing to SELINUX=permissive.
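To confirm that SELinux is what blocked the module, the denial records in /var/log/audit/audit.log can be filtered for the httpd process and .so targets. The script below is an added example, not part of the original article; the function name httpd_so_denials is hypothetical, and the log records and the default_t label in them are constructed.

```shell
#!/bin/sh
# Added example (not ForgeRock code): find the AVC denials behind
# "failed to map segment from shared object: Permission denied".

# httpd_so_denials FILE
# Prints "<permissions> <path> <target type>" once per distinct denial
# where the httpd process was refused access to a .so file.
httpd_so_denials() {
    awk '
    /type=AVC/ && /denied/ && /comm="httpd"/ {
        path = ""; ttype = ""; perms = ""
        if (match($0, /[{][^}]*[}]/)) {          # permissions sit between { }
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms); gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^path="/)    { path = $i; sub(/^path="/, "", path); sub(/"$/, "", path) }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }  # user:role:type:level
        }
        if (path ~ /[.]so$/ && !seen[perms, path, ttype]++)
            print perms, path, ttype
    }' "$1"
}

# Constructed sample records (not taken from a real system). On a live host,
# pass /var/log/audit/audit.log instead.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
type=AVC msg=audit(1400000000.101:410): avc:  denied  { execute } for  pid=2101 comm="httpd" path="/opt/web_agents/apache22_agent/lib/mod_openam.so" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1400000000.102:411): avc:  denied  { execute } for  pid=2102 comm="httpd" path="/opt/web_agents/apache22_agent/lib/mod_openam.so" dev="dm-0" ino=131 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1400000000.103:412): avc:  denied  { read } for  pid=2200 comm="sshd" path="/opt/other/lib/x.so" dev="dm-0" ino=140 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1400000000.104:413): avc:  denied  { write } for  pid=2101 comm="httpd" path="/var/tmp/agent.log" dev="dm-0" ino=150 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=file
EOF

httpd_so_denials "$sample_log"
```

The target type printed in the last column is the label that the relabeling commands in the Solution section replace with lib_t.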
See Also
Security-Enhanced Linux User Guide