Permission denied when starting Apache Web Policy Agent 4.x on Red Hat Enterprise Linux or CentOS system configured with SELinux
The purpose of this article is to provide assistance if you get a Syntax error ending with Permission denied when starting an Apache™ Web Policy Agent on a Red Hat® Enterprise Linux® (RHEL) or CentOS system configured with SELinux.
This article has been archived and is no longer maintained by ForgeRock.
When starting the Apache web policy agent, you get an error similar to the following:

httpd: Syntax error on line 1012 of /etc/httpd/conf/httpd.conf: Cannot load /opt/web_agents/apache22_agent/lib/mod_openam.so into server: /opt/web_agents/apache22_agent/lib/mod_openam.so: failed to map segment from shared object: Permission denied
Installed web policy agent 4.x for Apache HTTP Server.
Made SELinux configuration changes on the RHEL or CentOS system where the policy agent is already running.
When SELinux is in Enforcing mode (which enforces all configured parameters and logs any violations to the /var/log/audit/audit.log file), it can prevent external .so files from being loaded.
You can check what mode SELinux is in using the following command:

getenforce
This issue can be resolved by giving access to the shared library using the following commands:

$ chcon -t lib_t /web_agents/apache2x_agent/lib/*.so
$ semanage fcontext -a -t lib_t /web_agents/apache2x_agent/lib/*.so
See OpenAM Web Policy Agent Release Notes › Limitations for further information.
Alternatively, you can temporarily change the mode for SELinux to Permissive (which does not enforce the configured parameters but does log any violations to /var/log/audit/audit.log for troubleshooting purposes) using the following command:

setenforce Permissive
The mode reverts to Enforcing when the system is rebooted; you can make this change permanent, if required, by editing the /etc/sysconfig/selinux file and changing SELINUX=enforcing to SELINUX=permissive.
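To confirm that SELinux is what blocks the module, the AVC denials recorded in /var/log/audit/audit.log can be summarised per file. The script below is an added example, not part of the original article or of ForgeRock's tooling; the function names so_denials and write_sample_log and the sample audit records are constructed for illustration.

```shell
#!/bin/sh
# Added example: list SELinux AVC denials that stop httpd loading a .so file.
# Output per denial: <path> <source type> <target type> <denied permissions>

so_denials() {   # $1 = audit log file, e.g. /var/log/audit/audit.log
    awk '
    /type=AVC/ && /denied/ && /comm="httpd"/ {
        path = ""; src = ""; tgt = ""; perms = ""
        # Denied permissions sit between "{" and "}".
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^path=/) { path = $i; sub(/^path=/, "", path); gsub(/"/, "", path) }
            # A context is user:role:type:level; the type is the third part.
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
        }
        if (path ~ /\.so$/) print path, src, tgt, perms
    }' "$1"
}

# Constructed sample records (not taken from a real system).
write_sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1400000000.101:501): avc:  denied  { execute } for  pid=2210 comm="httpd" path="/opt/web_agents/apache22_agent/lib/mod_openam.so" dev="dm-0" ino=393301 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=SYSCALL msg=audit(1400000000.101:501): arch=c000003e syscall=9 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1400000000.202:502): avc:  denied  { append } for  pid=2210 comm="httpd" path="/srv/data/notes.txt" dev="dm-0" ino=393310 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
type=AVC msg=audit(1400000000.303:503): avc:  denied  { read } for  pid=3001 comm="sshd" path="/opt/tools/libx.so" dev="dm-0" ino=393400 scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
EOF
}

sample=$(mktemp)
write_sample_log > "$sample"
so_denials "$sample"
rm -f "$sample"
```

A denial whose target type is not lib_t points at a library that still needs the relabelling described above.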
How do I install OpenAM with Apache Web Policy Agent 4.x on Red Hat Enterprise Linux or CentOS configured with SELinux?
Security-Enhanced Linux User Guide