Weird Problem related to a Channel Security Exit

March 1, 2019 Roger Lacroix

I posted the following weird channel security exit problem on the MQSeries ListServer.

I received a lot of emails (both public and private) offering help to the problem. Thanks. It was not an SELinux issue nor was it a corrupt shared library issue. It was an issue related to permissions for a mount point.

Here is the description to the problem followed by the solution:

I’ve got a really weird problem, that the internet seems to say that it is a permission issue with “/tmp” but I’m at a loss.

– Brand new: Red Hat Enterprise Linux Server release 7.6 (Maipo)
– Fresh install of MQ v9.1.0.1 64-bit

Installed MQAUSX into /var/mqm/exits64/ and yes it is a working version that works perfectly on other Linux distributions.

Here is the MQ error message:

08/02/19 12:46:45 - Process(51014.254) User(roger) Program(amqrmppa)
                    Host(someserver) Installation(Installation1)
                    VRMF(9.1.0.1) QMgr(MQA1)
                    Time(2019-02-08T11:46:45.514Z)
                    ArithInsert1(536895861)
                    CommentInsert1(/var/mqm/exits64/mqausx)
                    CommentInsert2(/var/mqm/exits64/mqausx: failed to map segment from shared object: Operation not permitted)
                    CommentInsert3(64)

AMQ6175E: The system could not dynamically load the shared library
'/var/mqm/exits64/mqausx'. The system returned error message
'/var/mqm/exits64/mqausx: failed to map segment from shared object: Operation
not permitted'.

EXPLANATION:
This message applies to UNIX systems. The shared library '/var/mqm/exits64/mqausx' 
failed to load correctly due to a problem with the library.

ACTION:
Check the file access permissions and that the file has not been corrupted.

“mqausx” is a standard Unix/Linux shared library (It is running on tons of Linux servers without issue). Even the “ldd” command gives a weird result:

$ ldd /var/mqm/exits64/mqausx
ldd: warning: you do not have execution permission for `/var/mqm/exits64/mqausx'
        not a dynamic executable

The permissions are set as follows:

chown mqm:mqm mqausx
chmod 750 mqausx

I even tried 777 for permissions. i.e.

-rwxrwxrwx  1 mqm  mqm  247087 Feb  7 15:11 mqausx

It still failed. Its a shared library, what is or how is a shared library “dynamic executable”?

Here is the solution that Josh suggested that worked:

First, issue the following command against your shared library:

$ df /var/mqm/exits64
Filesystem           1K-blocks      Used Available Use% Mounted on
/dev/aaa/bbb           5107712   3967288   1140424  78% /var/mqm

Use whatever is under “Mounted on” (i.e. /var/mqm – you may have something else like /var ) in the following command:

$ mount | grep /var/mqm

In my customer’s particular case, their mount point was on /var and the results of the command was:

/dev/aaa/bbb on /var type xfs (rw,nosuid,nodev,noexec,relatime,attr2,inode64,logbsize=256k,sunit=512,swidth=512,noquota)

The source of the issue was that the mount point had “noexec”permission. Hence, once that option was removed then everything went back to normal.

I hope this helps someone else in the future.

Regards,
Roger Lacroix
Capitalware Inc.

This entry was posted in IBM MQ, Linux, MQ Auditor, MQ Authenticate User Security Exit, MQ Channel Connection Inspector, MQ Channel Encryption, MQ Channel Throttler, MQ Enterprise Security Suite, MQ Message Encryption, MQ Message Replication, MQ Standard Security Exit, Unix.

Comments are closed.