LinuxQuestions.org


gnetcon 03-28-2008 11:02 AM

SELinux problem with Zend Optimizer on Fedora release 7
 
I apologize for initially posting this in the wrong forum. I'll start off by saying that I'm NOT a Linux guru by any stretch of the imagination.

That said, I set up a dedicated server running Fedora release 7. I wanted to use it as a web and mail server. I had set up Apache, MySQL, etc. before using yum, and did the same here.

I also wanted to set it up as my own mail server. So, I followed the tutorial here:

http://www.howtoforge.com/virtual-us...-mysql-fedora8

Even though the tutorial is for version 8, it worked great for 7.

Anyway, I neglected to read the part about disabling SELinux before following it. I had done it before, but I forgot I didn't install SELinux when I installed the software. My web host did.

Here's my problem. Everything is working, but I cannot install the Zend Optimizer 3.3.0a on the server. It installs, but when I go to restart Apache, I get errors, and the page(s) won't load. Here was my initial error:

PHP Code:

Mar 28 10:20:24 serverxxx setroubleshoot: SELinux is preventing /usr/sbin/httpd from loading /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so which requires text relocation. For complete SELinux messages. run sealert -l bc080e98-280b-45cd-9b53-aadcc039bbbe

So I ran the command, and it says to do:

PHP Code:

chcon -t textrel_shlib_t /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so 

I did that and restarted, and I get another error. So I ran the sealert it mentions and I get the following:

PHP Code:

Allowing Access
    You can generate a local policy module to allow this access see
    http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
    SELinux protection altogether. Disabling SELinux protection is not
    recommended. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi
    against this package.

So now I don't know what to do. I've never (obviously) dealt with SELinux much, so I've never created a policy.

ANY guidance in this situation would be extremely helpful.

TIA!
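
An added example, not part of the original post: a label set with chcon is lost when the file system is relabelled, so the sketch below reads setroubleshoot lines like the one quoted above and prints, without running anything, a check for the TEXTREL flag followed by the persistent semanage fcontext / restorecon form of the same label. The function names and the second and third sample log lines are constructed for illustration; because semanage file specifications are regular expressions, "." and "+" in the path are escaped.

```shell
#!/bin/sh
# Added example: print (never run) a persistent labelling plan for libraries
# that setroubleshoot reports as needing text relocation.

# Constructed sample log: line 1 follows the post; lines 2-3 are invented.
SAMPLE_LOG='Mar 28 10:20:24 serverxxx setroubleshoot: SELinux is preventing /usr/sbin/httpd from loading /usr/local/Zend/lib/Optimizer-3.3.0/php-5.2.x/ZendOptimizer.so which requires text relocation.
Mar 28 10:21:02 serverxxx setroubleshoot: SELinux is preventing /usr/sbin/httpd from loading /tmp/x.so;reboot which requires text relocation.
Mar 28 10:22:40 serverxxx sshd[2211]: Accepted publickey for admin'

# Print "<process> <library>" once for each text-relocation denial on stdin.
textrel_denials() {
    sed -n 's/^.*setroubleshoot: SELinux is preventing \([^ ]*\) from loading \([^ ]*\) which requires text relocation.*$/\1 \2/p' | sort -u
}

# Log text is untrusted input: accept only absolute paths built from a
# conservative character set that end in .so or .so.<digits>.
safe_lib_path() {
    case "$1" in
        */../*) return 1 ;;
        /*) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9._/+-]+\.so(\.[0-9]+)*$'
}

# For each denial: confirm the library really carries TEXTREL, record the
# label in local policy, then apply it from policy with restorecon.
textrel_plan() {
    textrel_denials | while read -r proc lib; do
        if ! safe_lib_path "$lib"; then
            printf '# SKIPPED: unexpected characters in logged path, review by hand\n'
            continue
        fi
        spec=$(printf '%s' "$lib" | sed 's/[.+]/\\&/g')
        printf '# %s was denied loading %s\n' "$proc" "$lib"
        printf "readelf -d '%s' | grep TEXTREL\n" "$lib"
        printf "semanage fcontext -a -t textrel_shlib_t '%s'\n" "$spec"
        printf "restorecon -v '%s'\n" "$lib"
    done
}

printf '%s\n' "$SAMPLE_LOG" | textrel_plan
```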

unSpawn 03-28-2008 05:53 PM

The first part would be to learn from your mistake (like not reading docs) and actually go read docs referenced in messages before doing stuff. Yes it's tedious, yes it's annoying your head gets filled with everything you never wanted to ask about stuff you don't want to know but hey, that's the price you pay for not going for the Point-and-click-installer.exe OS (abbrev.: POS).

j.smith1981 03-28-2009 06:49 PM

A note about SELinux
 
SELinux is, as it says, a protection system for your server, a rather complex bit of software that exists for both RHEL (the subscription-based version of Fedora); Fedora's just a free version of RHEL, whereas Fedora was originally Red Hat but then they deviated the 2 into 2 pieces of kit; we just lose out on the support that exists for RH.

That being said, the best way to handle SELinux I think is to (if you're willing to take a little time in an effort to keep your server as safe as possible, as well as making sure your folders are as protected as possible from intruders and hackers), is to disable SELinux when installing software on your server, then when you think you're sorted, put it in either of the 2 other modes other than disabled, as this just allows hackers to get into your system and change things; depends on what's in your policies to your system. The best is just to read up on how SELinux works.

But what I do is set it to disabled when I'm installing things (it's more trouble than it's worth, always do this when I'm installing things), then to put it in permissive and look at the warnings you're given about things, then work out how to enforce the correct policies to what you think fits what you want to use it for etc. etc.

But it's sometimes like I get like that about ports, I think something's not working and all it is, because I've forgotten to open ports on the firewall for that particular service. Ah well, hope you got to or get it sorted out.

Just try removing it will sometimes help, disabling it, uninstall the concerning problem software, keep SELinux disabled (keeping any configuration files that you have), install the service again, whilst then SELinux is turned off, then making sure you (if you have a router) disable the port forwarding ports you have opened (sometimes called virtual servers), to make it more secure, make sure they work so any configurations work, then turn it back onto permissive mode.

jtshaw 03-29-2009 09:19 PM

Quote:

Originally Posted by j.smith1981 (Post 3491040)
SELinux is, as it says, a protection system for your server, a rather complex bit of software that exists for both RHEL (the subscription-based version of Fedora); Fedora's just a free version of RHEL, whereas Fedora was originally Red Hat but then they deviated the 2 into 2 pieces of kit; we just lose out on the support that exists for RH.

That being said, the best way to handle SELinux I think is to (if you're willing to take a little time in an effort to keep your server as safe as possible, as well as making sure your folders are as protected as possible from intruders and hackers), is to disable SELinux when installing software on your server, then when you think you're sorted, put it in either of the 2 other modes other than disabled, as this just allows hackers to get into your system and change things; depends on what's in your policies to your system. The best is just to read up on how SELinux works.

But what I do is set it to disabled when I'm installing things (it's more trouble than it's worth, always do this when I'm installing things), then to put it in permissive and look at the warnings you're given about things, then work out how to enforce the correct policies to what you think fits what you want to use it for etc. etc.

But it's sometimes like I get like that about ports, I think something's not working and all it is, because I've forgotten to open ports on the firewall for that particular service. Ah well, hope you got to or get it sorted out.

Just try removing it will sometimes help, disabling it, uninstall the concerning problem software, keep SELinux disabled (keeping any configuration files that you have), install the service again, whilst then SELinux is turned off, then making sure you (if you have a router) disable the port forwarding ports you have opened (sometimes called virtual servers), to make it more secure, make sure they work so any configurations work, then turn it back onto permissive mode.


WARNING: This is some tragically bad advice. SELinux absolutely does not "just allows hackers to get into your system and change things" by default. In fact... one might argue the point is exactly the opposite of that statement.

Always take care to figure out what it is you are doing before manually changing your SELinux policies though...


All times are GMT -5.