When you install the ionCube loader under CentOS 5.x, which has SELinux enabled by default, you will see the following error message:
"cannot restore segment prot after reloc: Permission denied"
This is a common problem when you install ioncube with SELinux enabled.
You have a few options here.
You can disable SELinux: edit /etc/selinux/config, look for "SELINUX=", and put "disabled" to the right of the "=" so that the line reads "SELINUX=disabled". When you restart the machine, SELinux will be completely disabled. But when you later want to enable SELinux again, the system will relabel all the files at boot time, and the relabeling process takes a very long time to finish, so disabling SELinux is not recommended.
Alternatively, you can put "permissive" in place of "disabled", or run "setenforce 0" on the command line ("setenforce 1" re-enables enforcing mode). You will still see warning messages, but SELinux won't do anything to stop unauthorized access. If you are serious about security, you probably won't feel comfortable when SELinux is not enforcing its rules.
Now you’re ready for the real solution.
When you see the error messages after restarting your HTTP server, run the following command (step 1):
audit2allow -l -a -r
You should see the required types and classes displayed, together with the permissions you need to load into an SELinux module. You will not see them all at once: the first denial stops the loader before later ones can occur, so you will have to try a few times (load the first set of rules, restart the HTTP server, and if there are still problems start from step 1 again) to collect all the required types, classes and permissions. Below I will show you how to make it work, step by step.
You need to create a file "local.te", which will hold all the required types, classes and permissions to be loaded into the SELinux module. In our case, you need to put the following into local.te:
# local.te: policy module for the ionCube loader under httpd
module local 1.0;
require {
    # permissions that appeared in the audit2allow output
    class process { execstack execmem execheap };
    class file { ioctl lock append create getattr setattr link relabelfrom unlink write read rename execmod };
    type unconfined_t;
    type httpd_t;
    type httpd_sys_content_t;
};
# let the loader's shared object be text-relocated (execmod)
allow unconfined_t httpd_sys_content_t:file execmod;
# let the httpd process map executable+writable memory
allow httpd_t self:process { execstack execmem execheap };
End of code.
When you have local.te ready, run the following commands to compile the module, package it, and install it:
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp
Now your HTTP server will load the ionCube loader without any trouble.
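To make the mapping from audit2allow's output to the local.te above concrete, here is an added example (not code from the original post, and not part of the SELinux tools themselves) that does by hand what audit2allow does: it parses AVC "denied" records from the audit log, collapses repeated denials into one rule per (source type, target type, class), and renders a policy module source in the same shape as "audit2allow -M" would. The audit lines are constructed samples in the CentOS 5 audit.log format; the function names and the module name "local" are this example's own choices.

```python
import re
from collections import defaultdict

# Constructed sample audit.log records (not real lines from the page). The
# SYSCALL record is included to show that non-AVC lines are skipped.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1234567890.123:45): avc:  denied  { execmod } for  pid=2345 comm="httpd" path="/usr/lib/php/modules/ioncube_loader_lin_5.2.so" dev=sda1 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1234567890.456:46): avc:  denied  { execmem execstack } for  pid=2345 comm="httpd" scontext=user_u:system_r:httpd_t:s0 tcontext=user_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1234567890.456:46): arch=40000003 syscall=125 success=no exit=-13
type=AVC msg=audit(1234567890.789:47): avc:  denied  { execmod } for  pid=2345 comm="httpd" path="/usr/lib/php/modules/ioncube_loader_lin_5.2.so" dev=sda1 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
"""

# Pull the permission set, the two security contexts and the object class
# out of one AVC record.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def _type_of(context):
    """A context is user:role:type[:level]; the policy rule only needs the type."""
    return context.split(':')[2]


def parse_avc_denials(text):
    """Return {(source_type, target_type, tclass): set(perms)} for every AVC denial."""
    rules = defaultdict(set)
    for line in text.splitlines():
        if 'type=AVC' not in line:
            continue
        m = AVC_RE.search(line)
        if not m:
            continue
        src = _type_of(m.group('scontext'))
        tgt = _type_of(m.group('tcontext'))
        # Repeated denials of the same triple merge into one rule.
        rules[(src, tgt, m.group('tclass'))].update(m.group('perms').split())
    return dict(rules)


def render_te(rules, name='local', version='1.0'):
    """Render a .te source: require block first, then one allow rule per triple.

    Layout follows what audit2allow -M emits (no semicolon after the require
    block's closing brace); a source type equal to the target type becomes 'self'.
    """
    types = sorted({t for (s, tg, _) in rules for t in (s, tg)})
    classes = defaultdict(set)
    for (_, _, cls), perms in rules.items():
        classes[cls].update(perms)
    lines = [f'module {name} {version};', '', 'require {']
    for cls in sorted(classes):
        lines.append(f'\tclass {cls} {{ {" ".join(sorted(classes[cls]))} }};')
    for t in types:
        lines.append(f'\ttype {t};')
    lines.append('}')
    lines.append('')
    for (src, tgt, cls) in sorted(rules):
        perms = sorted(rules[(src, tgt, cls)])
        target = 'self' if src == tgt else tgt
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        lines.append(f'allow {src} {target}:{cls} {perm_str};')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    # On a real box you would read /var/log/audit/audit.log instead.
    print(render_te(parse_avc_denials(SAMPLE_AUDIT_LOG)), end='')
```

Running this on the sample yields "allow httpd_t httpd_sys_content_t:file execmod;" and "allow httpd_t self:process { execmem execstack };", which is the same shape as the rules in the local.te above, and the result is what you feed to checkmodule, semodule_package and semodule. Because the parser merges rules by triple, you can append each iteration's denials to one log and regenerate the whole module instead of maintaining the file by hand across the retries described in step 1. Keep in mind what these rules grant: execmem and execstack let every httpd worker map memory that is both writable and executable, so the module relaxes SELinux's memory protection for the whole web server, not only for the loader.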
THANK YOU for posting this “how to”!!! After about six iterations, my SELinux alerts stopped. I feel like I finally understand a bit more about SELinux and especially how to resolve future “gotchas”.
Great to hear that my experience could be helpful! Actually there are other easier ways of resolving SELinux permission problems, I chose the more difficult way to do it because just like you said that we can learn quite a bit in the process.
Hi there,
I also agree it's really nice to have someone knowledgeable post a help on this subject, thank you.
I do have a bit of a problem understanding; if you could please clarify, as this is my first attempt at this:
1. Where does the file local.te go that we create and what calls it?
(I have no .te files on my system, so no direction. I did find an example.te in the doc lib.)
2. Do I have to reboot the server for it to take effect, or does just restarting httpd do the job?
Thank you!
I found the answer to my own question.
The file local.te belongs in your policy directory.
In my case, a centos5 server, the local.te file goes in:
/usr/share/doc/selinux-policy-2.4.6
(or whatever ver you have)
then running the cmds:
checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp
worked for me.
I still have errors after starting httpd and the ioncube test still shows not installed.
The apache error_log shows:
Failed loading /usr/lib/php/modules/ioncube_loader_lin_5.2.so:
/usr/lib/php/modules/ioncube_loader_lin_5.2.so:
cannot restore segment prot after reloc: Permission denied
So I will find this solution and post it also for anyone else who runs into this problem.
Thanks, thanks and thanks, you saved me! And my app!!