Wednesday, March 4, 2009

Apache library Permission denied in Linux when configuring oracle UCM and SELinux

I encountered the following issue while trying to configure the Apache web server on Linux (Fedora) to run the Oracle UCM content management system. This is the configuration I added to httpd.conf:

<IfModule !IdcApacheAuth>
LoadModule IdcApacheAuth "/oracle/ucm/server/shared/os/linux/lib/IdcApache22Auth.so"
</IfModule>

IdcUserDB "idc" "/oracle/ucm/server/data/users/userdb.txt"
Alias "/idc" "/oracle/ucm/server/weblayout/"

<Location "/idc">
IdcSecurity "idc"
Allow from all
DirectoryIndex portal.htm
</Location>


The following Permission denied error was thrown when I restarted the server after adding the above configuration:

httpd: Syntax error on line 1001 of /etc/httpd/conf/httpd.conf: Cannot load /oracle/ucm/server/shared/os/linux/lib/IdcApache22Auth.so into server: /oracle/ucm/server/shared/os/linux/lib/IdcApache22Auth.so: cannot open shared object file: Permission denied


This is not really a defect in the configuration. An advanced security feature of Linux called SELinux is blocking the library file from being loaded. SELinux (Security-Enhanced Linux) is a mandatory access control mechanism built into the kernel that mediates requests to all aspects of the system, including the filesystem, processes, users, network connections, etc. Ordinary file permissions can be correct and the load can still be refused because the file's security context is not one the httpd process is allowed to read.

Method 1 - Disable SELinux

One way of fixing this issue is switching SELinux off or into warning-only (permissive) mode.
In a command shell type

system-config-selinux

to bring up the graphical administration window of SELinux and set the following parameters:

System default enforcing mode - Disabled or Permissive
Current enforcing mode - Permissive

You can also configure it manually by editing the configuration file
/etc/selinux/config
setting the variable SELINUX=disabled and rebooting the system.

Alternatively, either of the following commands temporarily disables SELinux enforcement (switches it to permissive mode) until the next reboot:

setenforce 0
echo 0 > /selinux/enforce

Specifying enforcing=0 on the "kernel" command line in /etc/grub.conf also works across reboots and is permanent.


Method 2 - Configure the SELinux security parameters

Log in as root and copy the file IdcApache22Auth.so to /usr/lib, a directory whose security context allows httpd to load libraries from it. Use the copy command instead of the move command: a copied file inherits the default security context of the destination directory, whereas a moved file keeps the context it had before.

cp /oracle/ucm/server/shared/os/linux/lib/IdcApache22Auth.so /usr/lib

Then change the LoadModule path in httpd.conf from
/oracle/ucm/server/shared/os/linux/lib/IdcApache22Auth.so
to
/usr/lib/IdcApache22Auth.so

Check the current security settings using the following commands:
ls -Z /oracle shows the security contexts of the files under /oracle
ps -eZ shows the security contexts of running processes

Make the /oracle directory (the UCM web layout served through the /idc alias) accessible to httpd by invoking the following command:

chcon -R -h -t httpd_sys_content_t /oracle

-R: Recursive. Apply to the given directory and all files and subdirectories beneath it.
-h: Affect symbolic links themselves rather than what they point to.
-t: Specify the type component of the security context.

Allow httpd to open network connections to the UCM server by setting the following SELinux boolean (the -P flag makes the change persistent across reboots):

setsebool -P httpd_can_network_connect=1

Restart httpd by issuing the following command as root:

service httpd restart

Now the above issue should be fixed.
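As an added example (not part of the original post, and not Oracle's or Fedora's own tooling), the following POSIX shell script performs the check a practitioner would want before choosing between Method 1 and Method 2: it pulls httpd's AVC denials out of an audit log, shows the SELinux type of the file httpd was refused, and, when that type is not one httpd may load as a library, prints a persistent relabel using semanage fcontext and restorecon instead of a one-off chcon (a chcon label is lost the next time the filesystem is relabelled). The audit lines embedded in it are constructed sample data in the standard auditd AVC format, the module directory is the one from this post, and the set of library types (lib_t, textrel_shlib_t, httpd_modules_t) is an assumption about Fedora's targeted policy.

```shell
#!/bin/sh
# Added example: triage an SELinux "Permission denied" on an Apache module
# before switching SELinux off. Not from the original post.

# Directory of the UCM Apache module, as given in the post.
MODULE_DIR=/oracle/ucm/server/shared/os/linux/lib

# Constructed sample of /var/log/audit/audit.log lines (not real captures):
# two denials on the module file, one network denial, one unrelated record.
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1236182400.101:42): avc:  denied  { read } for  pid=2217 comm="httpd" name="IdcApache22Auth.so" dev=sda2 ino=131075 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1236182400.102:43): avc:  denied  { execute } for  pid=2217 comm="httpd" name="IdcApache22Auth.so" dev=sda2 ino=131075 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1236182400.200:44): avc:  denied  { name_connect } for  pid=2217 comm="httpd" dest=4444 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=USER_START msg=audit(1236182400.300:45): user pid=2300 uid=0 msg="PAM:session_open acct=root"'

# Extract the SELinux type (third colon-separated field) from a context
# string such as "system_u:object_r:default_t:s0".
selinux_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 when a file of the given type is something httpd_t is normally
# allowed to map as a shared library. Assumption: Fedora's targeted policy
# uses lib_t, textrel_shlib_t and httpd_modules_t for that purpose.
httpd_can_load_type() {
    case "$1" in
        lib_t|textrel_shlib_t|httpd_modules_t) return 0 ;;
        *) return 1 ;;
    esac
}

# Read audit records on stdin and print one line per httpd AVC denial:
# "<target name or -> <target type> <denied permissions>".
httpd_avc_denials() {
    grep 'avc:  denied' | grep 'comm="httpd"' | while IFS= read -r line; do
        perm=$(printf '%s\n' "$line" | sed -n 's/.*denied  { \(.*\) } for.*/\1/p')
        name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
        tctx=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
        printf '%s %s %s\n' "${name:--}" "$(selinux_type_of "$tctx")" "$perm"
    done
}

# Print the recommended action for a module directory whose files carry the
# given type. A persistent file-context rule survives relabels; chcon does not.
suggest_fix() {
    type=$1
    path=$2
    if httpd_can_load_type "$type"; then
        printf 'label %s is loadable by httpd; check mode bits and booleans instead\n' "$type"
    else
        printf "semanage fcontext -a -t lib_t '%s(/.*)?' && restorecon -Rv '%s'\n" "$path" "$path"
    fi
}

# Run the triage over the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | httpd_avc_denials | while read -r name type perm; do
    echo "$name ($type): httpd denied $perm"
    [ "$name" = "-" ] || suggest_fix "$type" "$MODULE_DIR"
done
```

On a real system, replace the constructed sample with `cat /var/log/audit/audit.log | httpd_avc_denials`. The point of the script is that the denial line names the exact file and its current type, so you can decide between relabelling that one path and the much broader step of disabling SELinux. Note that the name_connect denial in the sample is the case the post's `setsebool -P httpd_can_network_connect=1` addresses, not a labelling problem.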
