SE Linux stops slimserver running on Fedora 8



clive1000
2007-12-18, 09:54
Hi
I am attempting to run slimserver 6.5.4 (rpm) on Fedora 8 with SE Linux enforcing.

I issued the chcon instruction for FC5 given here: http://wiki.slimdevices.com/index.cgi?RPM
but without success.

I then disabled SE Linux and was able to get slimserver working OK.

When I then set SE Linux to enforcing again it stopped the slimserver start up from working. The SE Linux messages were (extract):

'The slimserver.pl application attempted to load /usr/local/slimserver/CPAN/arch/5.8/i386-linux-thread-multi/auto/DBD/mysql/mysql.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission."'
and:
'If you trust /usr/local/slimserver/CPAN/arch/5.8/i386-linux-thread-multi/auto/DBD/mysql/mysql.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /usr/local/slimserver/CPAN/arch/5.8/i386-linux-thread-multi/auto/DBD/mysql/mysql.so"'
and:
'You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t /usr/local/slimserver/CPAN/arch/5.8/i386-linux-thread-multi/auto/DBD/mysql/mysql.so"'

These instructions worked inasmuch as these particular errors went away, but it led to the following message (after a re-boot):

'SELinux is preventing /usr/sbin/useradd (useradd_t) "setattr" to (usr_t). SELinux denied access requested by /usr/sbin/useradd. It is not expected that this access is required by /usr/sbin/useradd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.'

SE Linux suggested 'restorecon -v' but this did not work.

It looks as though a fix might not be too complex, but I am new to Linux and even newer to SE Linux. This query may belong in the beginners forum, but this one seemed more appropriate since with SE Linux disabled slimserver seems to work fine.

Has anyone solved this or can they suggest a solution to try?

Many thanks in advance...

Clive

Mark Miksis
2007-12-18, 11:01
> These instructions worked inasmuch as these particular errors went away, but it led to the following message (after a re-boot):
>
> 'SELinux is preventing /usr/sbin/useradd (useradd_t) "setattr" to (usr_t). SELinux denied access requested by /usr/sbin/useradd. It is not expected that this access is required by /usr/sbin/useradd and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.'

I'm surprised you would see this after a reboot. The RPM adds a user during postinstall, but certainly shouldn't be running useradd during normal operation. You might want to try installing the RPM with SELinux off, and then turn it back on (after also doing the textrel stuff).

When the SC 7 RPM is released, it will work with SELinux without any of these issues. If you want to test a Beta release, see http://forums.slimdevices.com/showthread.php?t=39789. If you're not interested in testing, you might want to just disable SELinux until the release next month.

clive1000
2007-12-18, 15:30
Hi Fletch
Many thanks for your response.

The following is the full msg I get from SE Linux in case it helps. In the meantime I will try your suggestion to use the beta version and let you know how I get on.

This is new stuff for me so please do not discount me doing something stupid!

Cheers
Clive

SELinux is preventing gdm-binary (xdm_t) "getattr" to /boot (boot_t).

Detailed Description
SELinux denied access requested by gdm-binary. It is not expected that this access is required by gdm-binary and this access may signal an intrusion attempt. It is also possible that the specific version or configuration of the application is causing it to require additional access.

Allowing Access
Sometimes labeling problems can cause SELinux denials. You could try to restore the default system file context for /boot,
restorecon -v /boot
If this does not work, there is currently no automatic way to allow this access. Instead, you can generate a local policy module to allow this access - see FAQ Or you can disable SELinux protection altogether. Disabling SELinux protection is not recommended. Please file a bug report against this package.

Additional Information
Source Context: system_u:system_r:xdm_t:s0-s0:c0.c1023
Target Context: system_u:object_r:boot_t:s0
Target Objects: /boot [ dir ]
Affected RPM Packages: filesystem-2.4.11-1.fc8 [target]
Policy RPM: selinux-policy-3.0.8-64.fc8
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.catchall_file
Host Name: svr01.autoco.org
Platform: Linux svr01.autoco.org 2.6.23.8-63.fc8 #1 SMP Wed Nov 21 18:51:08 EST 2007 i686 i686
Alert Count: 1
First Seen: Tue 18 Dec 2007 10:15:56 PM GMT
Last Seen: Tue 18 Dec 2007 10:15:56 PM GMT
Local ID: e194bb49-8f90-4721-bc51-b457e794ce73
Line Numbers:

Raw Audit Messages:
avc: denied { getattr } for comm=gdm-binary dev=sda1 path=/boot pid=3019 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dir tcontext=system_u:object_r:boot_t:s0

Robin Bowes
2007-12-18, 15:45
Clive,

clive1000 wrote:
> SELinux is preventing gdm-binary (xdm_t) "getattr" to /boot (boot_t).
>
> Detailed Description
> SELinux denied access requested by gdm-binary. It is not expected that
> this access is required by gdm-binary and this access may signal an
> intrusion attempt. It is also possible that the specific version or
> configuration of the application is causing it to require additional
> access.
>
> Allowing Access
> Sometimes labeling problems can cause SELinux denials. You could try to
> restore the default system file context for /boot,
> restorecon -v /boot
> If this does not work, there is currently no automatic way to allow this
> access. Instead, you can generate a local policy module to allow this
> access - see FAQ Or you can disable SELinux protection altogether.
> Disabling SELinux protection is not recommended. Please file a bug
> report against this package.
>
> Additional Information
> Source Context: system_u:system_r:xdm_t:s0-s0:c0.c1023
> Target Context: system_u:object_r:boot_t:s0
> Target Objects: /boot [ dir ]
> Affected RPM Packages: filesystem-2.4.11-1.fc8 [target]
> Policy RPM: selinux-policy-3.0.8-64.fc8
> Selinux Enabled: True
> Policy Type: targeted
> MLS Enabled: True
> Enforcing Mode: Enforcing
> Plugin Name: plugins.catchall_file
> Host Name: svr01.autoco.org
> Platform: Linux svr01.autoco.org 2.6.23.8-63.fc8 #1 SMP Wed Nov 21 18:51:08 EST 2007 i686 i686
> Alert Count: 1
> First Seen: Tue 18 Dec 2007 10:15:56 PM GMT
> Last Seen: Tue 18 Dec 2007 10:15:56 PM GMT
> Local ID: e194bb49-8f90-4721-bc51-b457e794ce73
> Line Numbers:
>
> Raw Audit Messages:
> avc: denied { getattr } for comm=gdm-binary dev=sda1 path=/boot pid=3019 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dir tcontext=system_u:object_r:boot_t:s0


This is nothing to do with slimserver.

It sounds like your SELinux install is somewhat broken. Could you
possibly reinstall Fedora 8?

Also, I'd recommend using the SqueezeCenter 7.0 RPM - it works better!

R.
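
An added example, not part of the original thread: parsing the raw AVC record quoted above yields the denied process and its source domain (gdm-binary in xdm_t), which is the information needed to tell whether a denial concerns slimserver at all. The function names are hypothetical, and the second record is constructed for illustration (an execmod denial standing in for the text-relocation message about mysql.so; its pid, dev and contexts are made up).

```python
import re

# First record is the raw audit message quoted in the thread; the second is
# constructed for this example (its pid, dev and contexts are made up).
RECORDS = [
    "avc: denied { getattr } for comm=gdm-binary dev=sda1 path=/boot "
    "pid=3019 scontext=system_u:system_r:xdm_t:s0-s0:c0.c1023 tclass=dir "
    "tcontext=system_u:object_r:boot_t:s0",
    'avc: denied { execmod } for pid=4242 comm="slimserver.pl" '
    'path="/usr/local/slimserver/CPAN/arch/5.8/i386-linux-thread-multi/'
    'auto/DBD/mysql/mysql.so" dev=sda1 '
    "scontext=system_u:system_r:initrc_t:s0 "
    "tcontext=system_u:object_r:usr_t:s0 tclass=file",
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
PAIR_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one 'avc: denied' record into a dict, or return None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"perms": m.group(1).split()}
    for key, val in PAIR_RE.findall(m.group(2)):
        rec[key] = val.strip('"')  # audit quotes some values, not others
    for key, out in (("scontext", "source_type"), ("tcontext", "target_type")):
        # Context is user:role:type[:mls]; the MLS part may itself hold ':'
        fields = rec.get(key, "").split(":", 3)
        rec[out] = fields[2] if len(fields) >= 3 else None
    return rec


def triage(lines, app_hint):
    """Split denials into those naming app_hint in comm/path and the rest."""
    related, unrelated = [], []
    for rec in filter(None, map(parse_avc, lines)):
        hit = app_hint in rec.get("comm", "") or app_hint in rec.get("path", "")
        summary = (rec.get("comm"), rec["source_type"], rec["perms"],
                   rec["target_type"], rec.get("tclass"))
        (related if hit else unrelated).append(summary)
    return related, unrelated


if __name__ == "__main__":
    for group in triage(RECORDS, "slimserver"):
        print(group)
```

Denials that land in the unrelated group, such as the xdm_t one here, point at system labeling or policy rather than at the application being installed.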

clive1000
2007-12-19, 08:29
Hi
Good call. I un-installed slimserver and the msg relating to stopping slimserver had of course gone away but there remained the SE Linux msg in my last post.

I first of all tried to install slimserver with SE Linux enforcing (having missed the wiki instructions) which failed and I believe this is when SE Linux became broken.

To get to the bottom of this I will re-install F8 as suggested, disable SE Linux (setting to non-enforcing only seems not to work), install the current version of slimserver (6.5.4) and report back. That is unless I am advised to definitely try the beta or squeezecenter. Note I have the original squeezebox.

I may be gone some time ....

Clive

Robin Bowes
2007-12-19, 08:45
clive1000 wrote:
> Hi
> Good call. I un-installed slimserver and the msg relating to stopping
> slimserver had of course gone away but there remained the SE Linux msg
> in my last post.
>
> I first of all tried to install slimserver with SE Linux enforcing
> (having missed the wiki instructions) which failed and I believe this
> is when SE Linux became broken.
>
> To get to the bottom of this I will re-install F8 as suggested, disable
> SE Linux (setting to non-enforcing only seems not to work), install the
> current version of slimserver (6.5.4) and report back. That is unless I
> am advised to definitely try the beta or squeezecenter. Note I have the
> original squeezebox.

I would definitely advise using the Squeezecenter RPM from the yum repo
that Fletch has set up. It's not far from release and, as it's an RPM,
upgrading will be as simple as "yum upgrade".

You don't need to disable SELinux - SqueezeCenter should work with
SELinux enabled.

R.

clive1000
2007-12-19, 19:29
As suggested, I installed squeezecenter onto a new install of Fedora 8 and so far everything seems fine. No complaints from SE Linux, which was left in its enforcing state, and the firmware on the player updated OK.

The new interface is great and has a polished feel to it.

The repository I used was
rpm -ivh http://repos.slimdevices.com/yum/squeezecenter-testing/squeezecenter-testing-release-1-1.noarch.rpm

followed by:
yum install squeezecenter

I assume these were correct. I am not sure whether I will need to update the repository name when squeezecenter is formally released or if that will be done automatically through yum.

I will continue to monitor the new software and report back to the development team if I spot anything that might need fixing.

Many thanks

Clive

Robin Bowes
2007-12-20, 02:47
clive1000 wrote:
> As suggested, I installed squeezecenter onto a new install of Fedora 8
> and so far everything seems fine. No complaints from SE Linux, which
> was left in its enforcing state, and the firmware on the player updated
> OK.
>
> The new interface is great and has a polished feel to it.
>
> The repository I used was
> rpm -ivh
> http://repos.slimdevices.com/yum/squeezecenter-testing/squeezecenter-testing-release-1-1.noarch.rpm
>
> followed by:
> yum install squeezecenter
>
> I assume these were correct. I am not sure whether I will need to
> update the repository name when squeezecenter is formally released or
> if that will be done automatically through yum.

I believe there will be a "release" repo, as well as a "testing" repo
when SC is formally released.

You may then choose to switch to "release" or continue with "testing".

Glad it's working out for you.

R.