SELinux won't let you run SBS from svn checked-out code unless you
relabel some of the compiled modules.

Example:

Say I'm running SC 7.3.4 from a check-out in
/usr/share/squeezecenter_trunk/server.  SELinux won't allow perl to run
slimserver.pl because it doesn't like the fact that several compiled .so
modules get loaded.  From /var/log/audit/audit.log:

Code:
--------------------
    
  type=AVC msg=audit(1264236676.788:124): avc:  denied  { execmod } for  pid=3798 comm="slimserver.pl" path="/usr/share/squeezecenter_trunk/server/CPAN/arch/5.10/i386-linux-thread-multi/auto/DBD/mysql/mysql.so" dev=dm-0 ino=273523 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
  type=AVC msg=audit(1264236738.749:129): avc:  denied  { execmod } for  pid=3845 comm="slimserver.pl" path="/usr/share/squeezecenter_trunk/server/CPAN/arch/5.10/i386-linux-thread-multi/auto/XML/Parser/Expat/Expat.so" dev=dm-0 ino=273778 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
  type=AVC msg=audit(1264236790.125:134): avc:  denied  { execmod } for  pid=3889 comm="slimserver.pl" path="/usr/share/squeezecenter_trunk/server/CPAN/arch/5.10/i386-linux-thread-multi/auto/GD/GD.so" dev=dm-0 ino=273604 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
  
--------------------

We can fix this with two simple commands.  In a terminal, as root,
relabel the *.so files, and then apply the new security context:

Code:
--------------------
    
  # /usr/sbin/semanage fcontext -a -t textrel_shlib_t "/usr/share/squeezecenter_trunk/server/CPAN/arch(/.+\.so)??"
  # /sbin/restorecon -R -v /usr/share/squeezecenter_trunk/server/CPAN/arch
  
--------------------

That's it.  SELinux now allows perl to run slimserver.pl.


-- 
gharris999
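
Added example, not part of gharris999's post: a Python script that parses AVC records like the ones quoted above and reports which files hit `execmod` denials, their current type, and the directory they share, so the scope of the `textrel_shlib_t` relabel can be checked against the actual denials before it is applied. The function names are illustrative, and `SAMPLE_LOG` is constructed from the three records in the post.

```python
import os
import re
from collections import defaultdict

# Constructed sample: the three AVC records quoted in the post, one per line.
SAMPLE_LOG = '''\
type=AVC msg=audit(1264236676.788:124): avc:  denied  { execmod } for  pid=3798 comm="slimserver.pl" path="/usr/share/squeezecenter_trunk/server/CPAN/arch/5.10/i386-linux-thread-multi/auto/DBD/mysql/mysql.so" dev=dm-0 ino=273523 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1264236738.749:129): avc:  denied  { execmod } for  pid=3845 comm="slimserver.pl" path="/usr/share/squeezecenter_trunk/server/CPAN/arch/5.10/i386-linux-thread-multi/auto/XML/Parser/Expat/Expat.so" dev=dm-0 ino=273778 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1264236790.125:134): avc:  denied  { execmod } for  pid=3889 comm="slimserver.pl" path="/usr/share/squeezecenter_trunk/server/CPAN/arch/5.10/i386-linux-thread-multi/auto/GD/GD.so" dev=dm-0 ino=273604 scontext=unconfined_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for one AVC denial line, or None for any other line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {key: val.strip('"') for key, val in FIELD_RE.findall(m.group(2))}
    rec["perms"] = m.group(1).split()
    return rec

def execmod_summary(log_text):
    """Map each target type (e.g. lib_t) to the files denied execmod under it."""
    by_type = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and "execmod" in rec["perms"] and rec.get("tclass") == "file":
            ttype = rec["tcontext"].split(":")[2]  # user:role:type:level
            by_type[ttype].add(rec["path"])
    return {ttype: sorted(paths) for ttype, paths in by_type.items()}

def common_dir(paths):
    """Deepest directory containing every denied file."""
    return os.path.commonpath([os.path.dirname(p) for p in paths])

if __name__ == "__main__":
    for ttype, paths in execmod_summary(SAMPLE_LOG).items():
        print(f"{ttype}: {len(paths)} file(s) under {common_dir(paths)}")
        for path in paths:
            print("   ", path)
```

A denied path that falls outside the directory named in the `semanage fcontext` rule, or one that is not a `.so` file, will not be covered by the relabel.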