Install Ioncube Loader while SELinux Enabled

When you install the free ionCube Loader on CentOS 5.x, which has SELinux enabled by default, you will see the following error message:
“cannot restore segment prot after reloc: Permission denied”
You have a few options here.
You can disable SELinux: edit /etc/selinux/config, find the line beginning “SELINUX=” and set it to “SELINUX=disabled”. After a reboot SELinux will be completely disabled. But if you later want to enable SELinux again, the system will relabel every file at boot time, which takes a very long time, so disabling SELinux is not recommended.
Alternatively, put “permissive” in place of “disabled”, or run “setenforce 0” on the command line (“setenforce 1” re-enables it). You will still see warning messages, but SELinux will not do anything to stop unauthorized access. If you are serious about security, you probably will not feel comfortable while SELinux is not enforcing its rules.
Now you’re ready for the real solution.
When you see the error messages after restarting your HTTP server, run the following command (step 1):
audit2allow -l -a -r
You should see the required types and classes, along with the permissions you need to load into an SELinux module. You will not see them all at once: load the first set of rules, and if there are still problems, start again from step 1, repeating until all the required types, classes and permissions have been collected. Below I will show you how to make it work, step by step:
You need to create a file “local.te”, which will hold all the required types, classes and permissions to be loaded into the SELinux module. In our case, add the following to local.te:
module local 1.0;

require {
    # types, classes and permissions referenced by the rules below
    class process { execstack execmem execheap };
    class file { ioctl lock append create getattr setattr link relabelfrom unlink write read rename execmod };
    type unconfined_t;
    type httpd_t;
    type httpd_sys_content_t;
};

# let the loader's shared object (labelled httpd_sys_content_t) be mapped with text relocations
allow unconfined_t httpd_sys_content_t:file execmod;
# let Apache's domain map executable stack, heap and anonymous memory, which the loader needs
allow httpd_t self:process { execstack execmem execheap };
End of code.
When you have local.te ready, run the following commands:
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp
Now your HTTP server will load the ionCube Loader without any trouble.
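The whole procedure above as one script, added here as an example and not part of the original post: it writes the post's local.te as a constructed sample, lists the allow rules that grant executable-memory permissions so you can see what the module loosens before installing it, and then runs the three build commands from the directory that holds the .te file. The function names and the /root/local.te path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: review and install a local
# SELinux policy module from a .te file with the commands the post gives.
# Tool names (checkmodule, semodule_package, semodule) are the CentOS 5 ones.

# Write the post's local.te to the given path (constructed sample input).
write_sample_te() {
    cat > "$1" <<'EOF'
module local 1.0;
require {
class process { execstack execmem execheap };
class file { ioctl lock append create getattr setattr link relabelfrom unlink write read rename execmod };
type unconfined_t;
type httpd_t;
type httpd_sys_content_t;
};
allow unconfined_t httpd_sys_content_t:file execmod;
allow httpd_t self:process { execstack execmem execheap };
EOF
}

# List the allow rules that grant executable-memory permissions (execmem,
# execstack, execheap, execmod). Each relaxes the no-exec protection for the
# named domain or file type, so read them before loading the module instead
# of copying audit2allow output blindly.
list_exec_perms() {
    grep -E '^[[:space:]]*allow .*(execmem|execstack|execheap|execmod)' "$1"
}

# Compile, package and install the module. Runs in the directory that holds
# the .te file so local.mod and local.pp land beside it; the "unable to open
# local.te" error in the comments comes from running checkmodule in a
# directory that does not contain the file.
build_policy_module() {
    te_file="$1"
    [ -f "$te_file" ] || { echo "no such file: $te_file" >&2; return 1; }
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 ||
            { echo "$tool not found; install the SELinux policy tools" >&2; return 1; }
    done
    name=$(basename "$te_file" .te)
    ( cd "$(dirname "$te_file")" &&
      checkmodule -M -m -o "$name.mod" "$name.te" &&
      semodule_package -o "$name.pp" -m "$name.mod" &&
      semodule -i "$name.pp" )
}

# Usage (as root): write_sample_te /root/local.te
#                  list_exec_perms /root/local.te && build_policy_module /root/local.te
```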

Comments

  1. hello, thank you for this post. It is a bit more clear than the last place I visited.

    I need a bit more clarification please if possible.

    1. Where do we put the file local.te?
    (I have no *.te files on my sys except an example.ti in the Doc library.)

    2. I placed it in the /etc/selinux/ dir and tried checkmodule -M -m -o local.mod local.te

    Response was 'unable to open local.te' .

    I did try changing the permissions all the way up the ladder to 777 with the same response so I'm guessing it's not in the right location.
    I am running as root

    3. so I tried the next cmd line:
    'semodule_package -o local.pp -m local.mod'

    response was:
    'Could not open file No such file or directory: local.mod'

    4. tested the last cmd line:
    'semodule -i local.pp'

    response was:
    ' Could not read file 'local.pp': No such file or directory'

    I'm guessing something isn't installed?

    Thanks for any help or direction

    George

  2. I will answer most of my own questions since I found them out on my own.

    It wasn't that I didn't have some module not installed, the file 'local.te' that we created belongs in your policy directory.

    In my case, CentOS 5 server, it's to go in:

    /usr/share/doc/selinux-policy-2.4.6
    (or whatever version you have)

    Once in the correct location, running the following cmds worked fine:

    checkmodule -M -m -o local.mod local.te
    semodule_package -o local.pp -m local.mod
    semodule -i local.pp

    -rainner
