Selinux trouble

Support for security such as Firewalls and securing linux
Genrabbit
Posts: 27
Joined: 2009/06/08 00:11:14

Selinux trouble

Post by Genrabbit » 2012/05/31 23:49:21

I've been trying to install a Counter-Strike Source server on a CentOS 5.8 machine and ran into SELinux trouble.
Seems like the server ain't allowed to use any *.so files, and I therefore have to "whitelist" every file like this:

chcon -t textrel_shlib_t /usr/games/css1/css/bin/somename.so and this for every file..

Is there a way to make SELinux not bother with any file from /usr/games/css1/ and downwards in the folder?
Or are there places it can be installed where SELinux doesn't watch?

Short of turning it off, that is..

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux trouble

Post by TrevorH » 2012/06/01 08:11:33

Having to change the context to textrel_shlib_t means that the library has been compiled with the wrong options. There's no way to fix that short of fixing the compile or changing the context of the files. The disadvantage of using chcon to change the context is that if you ever have to relabel your filesystem, it will reset all those to the defaults and lose your changes. A better way to do it is to use semanage to put rules in place, e.g. something like

[code]
/usr/sbin/semanage fcontext -a -t textrel_shlib_t '/usr/games/css1/css/bin/.*\.so'
[/code]

After setting that rule, do a `restorecon -R /usr/games/css1/css/bin` and see if it fixes the problem. I may not have the file pattern quite right but you can see other examples from the built-in ruleset by running

[code]
semanage fcontext -l | grep textrel
[/code]

Genrabbit
Posts: 27
Joined: 2009/06/08 00:11:14

Re: Selinux trouble

Post by Genrabbit » 2012/06/01 12:14:48

Awesome, I'm gonna try that. Thanks.. :)

Genrabbit
Posts: 27
Joined: 2009/06/08 00:11:14

Re: Selinux trouble

Post by Genrabbit » 2012/09/18 20:47:25

After a reboot of the server I decided to try this;

/usr/sbin/semanage fcontext -a -t textrel_shlib_t '/usr/games/css1/css/cstrike/bin/.*\.so'

Then ran the server.. It crashed. Any idea?

Game said this;

[code]
Console initialized.
failed to dlopen /usr/games/css1/css/cstrike/bin/server.so error=/usr/games/css1/css/cstrike/bin/server.so: cannot restore segment prot after reloc: Permission denied
./srcds_run: line 372: 11111 Segmentation fault (core dumped) $HL_CMD
cat: hlds.11099.pid: No such file or directory
email debug.log to linux@valvesoftware.com
Tue Sep 18 22:39:01 CEST 2012: Server restart in 10 seconds
Updating server using Steam.
Checking bootstrapper version ...
Failed to create directory /usr/games/Steam
Tue Sep 18 22:39:11 CEST 2012: Steam Update failed, ignoring.
Running a benchmark to measure system clock frequency...
[/code]

/usr/sbin/semanage fcontext -l | grep textrel gave me this;

[code]
/opt/cisco-vpnclient/lib/libvpnapi\.so regular file system_u:object_r:textrel_shlib_t:s0
/opt/novell/groupwise/client/lib/libgwapijni\.so\.1 regular file system_u:object_r:textrel_shlib_t:s0
/usr/games/css1/css/bin/.*\.so all files system_u:object_r:textrel_shlib_t:s0
/usr/games/css1/css/cstrike/bin/.*\.so all files system_u:object_r:textrel_shlib_t:s0
[/code]

TrevorH
Site Admin
Posts: 33202
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Selinux trouble

Post by TrevorH » 2012/09/19 00:51:19

semanage doesn't change the file context, it changes the rules that are used to assign file contexts.

To actually apply the changes you'd need to run `restorecon -r /usr/games/css1/css/cstrike/bin`
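
The rule-versus-label gap described in the last reply, as an added example that is not part of the original thread: it compares fcontext rules (in the `semanage fcontext -l` layout quoted above) against file labels and lists files that still need relabelling. The label data, the `usr_t` type, the `engine.so` and `readme.txt` names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (constructed data): find files whose on-disk SELinux type
# differs from the type the fcontext rules say they should have.

# Rules, in the `semanage fcontext -l` layout quoted in the thread.
RULES='/usr/games/css1/css/bin/.*\.so all files system_u:object_r:textrel_shlib_t:s0
/usr/games/css1/css/cstrike/bin/.*\.so all files system_u:object_r:textrel_shlib_t:s0'

# Hypothetical "path context" pairs standing in for the current labels:
# bin/ was relabelled, cstrike/bin/ only had the rule added.
LABELS='/usr/games/css1/css/bin/engine.so system_u:object_r:textrel_shlib_t:s0
/usr/games/css1/css/cstrike/bin/server.so system_u:object_r:usr_t:s0
/usr/games/css1/css/cstrike/bin/readme.txt system_u:object_r:usr_t:s0'

# Print the type, i.e. the third colon-separated field of a context.
ctx_type() { printf '%s\n' "$1" | cut -d: -f3; }

# Print the type assigned to path $1 by the first rule whose regex matches
# the whole path (simplification: real policy also ranks overlapping rules).
expected_type() {
  while IFS= read -r rule; do
    pat=${rule%% *}                       # first field: the regex
    if printf '%s\n' "$1" | grep -Eqx -e "$pat"; then
      ctx_type "${rule##* }"              # last field: the context
      return 0
    fi
  done <<EOF
$RULES
EOF
  return 1
}

# Print "path have -> want" for every file whose label lags behind the rules.
stale_labels() {
  while read -r path ctx; do
    want=$(expected_type "$path") || continue   # no rule covers this path
    have=$(ctx_type "$ctx")
    [ "$have" = "$want" ] || printf '%s %s -> %s\n' "$path" "$have" "$want"
  done <<EOF
$LABELS
EOF
  return 0
}

stale_labels
```

On a live system, `restorecon -n -v -R <dir>` gives the equivalent dry-run report without changing any labels.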
