
Make ZendOptimizer work with SELinux

I used to have to turn SELinux off in order to use ZendOptimizer. Yesterday I looked into it and finally got ZendOptimizer and SELinux working together.

The Zend Optimizer configuration is as follows:
[Zend]
zend_extension_manager.optimizer=/usr/local/Zend/lib/Optimizer-3.3.3
zend_extension_manager.optimizer_ts=/usr/local/Zend/lib/Optimizer_TS-3.3.3
zend_optimizer.version=3.3.3
zend_optimizer.optimization_level=1023
zend_optimizer.enable_loader = 0
zend_optimizer.disable_licensing=1
zend_optimizer.obfuscation_level_support=0
zend_extension=/usr/local/Zend/lib/ZendExtensionManager.so

With a default install of ZendOptimizer-3.3 and SELinux enabled, ZendOptimizer can't be loaded.

php -v:

Failed loading /usr/local/Zend/lib/Optimizer-3.3.3/php-5.2.x/ZendOptimizer.so:  /usr/local/Zend/lib/Optimizer-3.3.3/php-5.2.x/ZendOptimizer.so: cannot restore segment prot after reloc: Permission denied
PHP 5.2.6 (cli) (built: May  5 2008 10:32:59)
Copyright (c) 1997-2008 The PHP Group
Zend Engine v2.2.0, Copyright (c) 1998-2008 Zend Technologies
    with Zend Extension Manager v1.2.2, Copyright (c) 2003-2007, by Zend Technologies

cat /var/log/httpd/error_log
Failed loading /usr/local/Zend/lib/ZendExtensionManager.so:  /usr/local/Zend/lib/ZendExtensionManager.so: failed to map segment from shared object: Access Denied

How to make ZendOptimizer work with SELinux:

  1. Change the context of ZendOptimizer.so and ZendExtensionManager.so.

     If your PHP is compiled thread-safe, change the xxx_TS.so files instead.

chcon -t textrel_shlib_t '/usr/local/Zend/lib/Optimizer-3.3.3/php-5.2.x/ZendOptimizer.so'
semanage fcontext -a -t textrel_shlib_t '/usr/local/Zend/lib/Optimizer-3.3.3/php-5.2.x/ZendOptimizer.so'

chcon -t textrel_shlib_t '/usr/local/Zend/lib/ZendExtensionManager.so'
semanage fcontext -a -t textrel_shlib_t '/usr/local/Zend/lib/ZendExtensionManager.so'

  2. Run vim zend_optimizer.te and paste in the following content:

module zend_optimizer 1.0;

require {
    type httpd_t;
    class process { execstack execmem execheap };
}
#============= httpd_t ==============
allow httpd_t self:process { execstack execmem execheap };

  3. Compile the module:

    checkmodule -M -m -o zend_optimizer.mod zend_optimizer.te

  4. Create the policy package:

    semodule_package -o zend_optimizer.pp -m zend_optimizer.mod

  5. Install the module:

    semodule -i zend_optimizer.pp

service httpd restart
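
The module above allows execstack, execmem and execheap together. As an added example (not part of the original post), this script reads AVC denials and emits a module containing only the permissions httpd_t was actually denied on itself; the log lines are constructed and the function names (sample_avc, denied_perms, emit_module) are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. sample_avc holds CONSTRUCTED
# audit lines; on a real host pipe /var/log/audit/audit.log in instead.
sample_avc() {
cat <<'EOF'
type=AVC msg=audit(1210000000.101:41): avc:  denied  { execmem } for  pid=2101 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1210000000.102:42): avc:  denied  { execstack } for  pid=2101 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1210000000.103:43): avc:  denied  { execmem } for  pid=2102 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1210000000.104:44): avc:  denied  { execheap } for  pid=2200 comm="named" scontext=user_u:system_r:named_t:s0 tcontext=user_u:system_r:named_t:s0 tclass=process
type=AVC msg=audit(1210000000.105:45): avc:  denied  { read } for  pid=2101 comm="httpd" name="x.dat" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:object_r:file_t:s0 tclass=file
EOF
}

# Print the exec* process permissions httpd_t was denied on itself.
denied_perms() {
    awk '
    /avc: +denied/ && /tclass=process( |$)/ &&
    /scontext=[^ ]*:httpd_t(:| |$)/ && /tcontext=[^ ]*:httpd_t(:| |$)/ {
        s = $0
        sub(/.*[{] */, "", s); sub(/ *[}].*/, "", s)
        n = split(s, p, " ")
        for (i = 1; i <= n; i++) seen[p[i]] = 1
    }
    END {
        n = split("execstack execmem execheap", order, " ")
        out = ""
        for (i = 1; i <= n; i++)
            if (order[i] in seen) out = out (out == "" ? "" : " ") order[i]
        print out
    }'
}

# Emit a policy module that allows only the permissions passed in $1.
emit_module() {
    perms=$1
    [ -n "$perms" ] || { echo "no matching denials" >&2; return 1; }
    cat <<EOF
module zend_optimizer 1.0;

require {
    type httpd_t;
    class process { $perms };
}

allow httpd_t self:process { $perms };
EOF
}

emit_module "$(sample_avc | denied_perms)"
```

Save the output as zend_optimizer.te and build it with the checkmodule, semodule_package and semodule commands above.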

reference

http://docs.fedoraproject.org/selinux-faq-fc5/#id2961385
