LinuxQuestions.org > Linux - Software > SELinux preventing game from running (https://www.linuxquestions.org/questions/linux-software-2/selinux-preventing-game-from-running-752721/)

Sir Prised 09-04-2009 01:21 PM

SELinux preventing game from running
 
Centos 5.3 2.6.18-128.7.1

I'm trying to run a game called BrainTrain.

It will not run with SELinux in "Enforcing" mode, but is OK if set to "Permissive".

#sh run.com either runs the game or returns....

./BrainTrain: error while loading shared libraries: ./objects/libfmodex.so.4.06.16: cannot restore segment prot after reloc: Permission denied

I *think* the relevant line in the Audit log is...

type=AVC msg=audit(1252076531.090:248): avc: denied { execmod } for pid=17542 comm="BrainTrain" path="/usr/src/The_Amazing_Brain_Train/objects/libfmodex.so.4.06.16" dev=dm-0 ino=6706405 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:src_t:s0 tclass=file

Though I have only the vaguest idea what it means or how to get things sorted, I did try chcon -v --type=unconfined_t to make the types match but that just produced a slightly different error message.

The icon which I suspect is meant to appear on the toolbar, when SELinux throws a wobbly, doesn't show.

If anyone can suggest a way of sorting this out logically, so I don't have to disable SELinux every time I want to run the game, it would be much appreciated.

Cheers

rayfordj 09-04-2009 02:59 PM

Code:

audit2why < /var/log/audit/audit.log > /tmp/audit2why.out
Review /tmp/audit2why.out for clues.

Code:

audit2allow -m braintrain < /var/log/audit/audit.log > /tmp/braintrain.te
Review /tmp/braintrain.te to see what it would require for SELinux to allow. If everything is acceptable to you, you may continue policy creation with...
Code:

checkmodule -M -m -o braintrain.mod braintrain.te
semodule_package -o braintrain.pp -m braintrain.mod
semodule -i braintrain.pp

If the policy attempts to step on the default policy, it should not be allowed to be installed with semanage, and you should reassess the approach and attempt a resolution.

Also, you may want to collect the AVC denials for only the application (in case there are other AVC denials that should actually continue to be denied).


:study:
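The following script is an added example and not one of the commands posted in the thread. It follows rayfordj's advice to feed audit2allow only the application's own denials: one function keeps just the AVC records whose comm= matches the program, another reduces them to the distinct context/class/permission tuples a module would need, and a third runs the same audit2allow, checkmodule, semodule_package and semodule chain as above, refusing to run when those tools are missing. The program name BrainTrain and the three log records are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not one of the commands from the thread: narrow an audit log
# to one program's AVC denials before feeding it to audit2allow, so the
# generated module covers only that program. The program name and the log
# records below are constructed for the demonstration.

# Print only AVC denial records whose comm= field matches the given program.
# Reads audit records on stdin, writes the matching records on stdout.
filter_avc_for_comm() {
    comm="$1"
    grep -E '^type=AVC ' | grep -E 'avc: +denied' | grep -F "comm=\"$comm\""
}

# Reduce the records to distinct "scontext tcontext tclass perms" tuples;
# each distinct tuple is roughly one allow rule the module would need.
summarize_denials() {
    awk '{
        perms=""; sc=""; tc=""; cls=""; inperm=0
        for (i=1; i<=NF; i++) {
            if ($i == "{") { inperm=1; continue }
            if ($i == "}") { inperm=0; continue }
            if (inperm) { perms = perms (perms=="" ? "" : ",") $i; continue }
            if ($i ~ /^scontext=/) sc=substr($i, 10)
            if ($i ~ /^tcontext=/) tc=substr($i, 10)
            if ($i ~ /^tclass=/)   cls=substr($i, 8)
        }
        print sc, tc, cls, perms
    }' | sort -u
}

# Build and install a module from a pre-filtered log with the same tool chain
# the thread uses. Refuses to run when the policycoreutils tools are absent,
# so the rest of this script can be exercised on any machine.
build_module_from_log() {
    name="$1"; log="$2"
    for tool in audit2allow checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found; not building" >&2; return 1; }
    done
    audit2allow -m "$name" < "$log" > "$name.te" &&
    checkmodule -M -m -o "$name.mod" "$name.te" &&
    semodule_package -o "$name.pp" -m "$name.mod" &&
    semodule -i "$name.pp"
}

# Constructed sample: the BrainTrain denial from the thread, an unrelated
# hplip denial, and a SYSCALL record that must not be treated as a denial.
SAMPLE_LOG='type=AVC msg=audit(1252081400.470:58): avc: denied { execmod } for pid=3300 comm="BrainTrain" path="/usr/src/The_Amazing_Brain_Train/objects/libfmodex.so.4.06.16" dev=dm-0 ino=2617206 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:src_t:s0 tclass=file
type=AVC msg=audit(1252081401.000:59): avc: denied { read write } for pid=2100 comm="hp" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:cupsd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1252081400.470:58): arch=40000003 syscall=125 success=no exit=-13 comm="BrainTrain"'

# Typical use: keep only the game's denials in a scratch file, inspect the
# summary, then build the module from that file.
if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$SAMPLE_LOG" | filter_avc_for_comm BrainTrain > /tmp/braintrain.avc
    summarize_denials < /tmp/braintrain.avc
    build_module_from_log braintrain /tmp/braintrain.avc
fi
```

On a real system replace the constructed SAMPLE_LOG with `/var/log/audit/audit.log`; the summary for the thread's case is a single line, which is a good sign that the module will contain one rule rather than picking up the unrelated hplip denial.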

Elv13 09-04-2009 08:06 PM

Add your user to the 'games' group (or is it 'game'?).

Sir Prised 09-05-2009 02:57 AM

Thanks for the suggestions

audit2why.out produced....

type=AVC msg=audit(1252081400.470:58): avc: denied { execmod } for pid=3300 comm="BrainTrain" path="/usr/src/The_Amazing_Brain_Train/objects/libfmodex.so.4.06.16" dev=dm-0 ino=2617206 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:src_t:s0 tclass=file
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean settings; check boolean settings.
You can see the necessary allow rules by running audit2allow with this audit message as input.


braintrain.te produced....


module braintrain 1.0;

require {
type unconfined_t;
type cupsd_t;
type src_t;
type hplip_t;
class unix_stream_socket { read write };
class file { relabelfrom relabelto execute execmod };
}

#============= hplip_t ==============
allow hplip_t cupsd_t:unix_stream_socket { read write };

#============= unconfined_t ==============
allow unconfined_t self:file { relabelfrom relabelto execute };
allow unconfined_t src_t:file execmod;


To be honest, I don't know if this is acceptable or not!... Do you think it's OK just to add the module?


On the subject of groups, there are only two groups, one per user, 500 & 501. The game however has been installed with Grp and User set to 1000. Changing these makes no difference at the moment, because I can't even run the game as root.

Cheers
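The script below is an added example, not part of the thread, that does the review rayfordj asked for on a generated .te file before it is compiled. It lists each allow rule and tags the ones whose source domain is not the program's domain (here unconfined_t, taken from the posted denial) and the ones granting permissions that relax memory protection (execmod, execmem, execstack, execheap) or allow relabelling (relabelfrom, relabelto). Run against the module posted above it flags the hplip_t to cupsd_t socket rule and the self:file relabel rule, which come from other denials in the same log and have nothing to do with the game, and marks the execmod rule for a second look, since it allows execmod on every src_t file rather than on the one library. As a note that is not from the thread: the usual narrower fix for an execmod denial on a shared library with text relocations is to label just that library textrel_shlib_t with chcon -t, which avoids adding a policy rule at all. The SAMPLE_TE text is reproduced from the thread for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: screen an audit2allow-generated .te file
# before compiling it. Lists every allow rule and tags rules whose source
# domain is not the program's expected domain, or whose permissions weaken
# memory-protection or labelling controls. The .te text below is constructed
# from the module posted in the thread; the expected domain (unconfined_t) is
# taken from the posted denial.

# Print each "allow SRC TGT:CLASS PERMS;" rule as one line: SRC TGT CLASS PERMS
list_allow_rules() {
    awk '
    /^[ \t]*allow[ \t]/ {
        line = $0
        sub(/#.*/, "", line)                 # drop a trailing comment
        sub(/;.*/, "", line)                 # drop the terminator
        gsub(/[{}]/, " ", line)              # flatten "{ a b }" into "a b"
        sub(/^[ \t]*allow[ \t]+/, "", line)
        n = split(line, w, /[ \t]+/)
        split(w[2], tgt, ":")
        perms = ""
        for (i = 3; i <= n; i++) if (w[i] != "") perms = perms (perms == "" ? "" : " ") w[i]
        print w[1], tgt[1], tgt[2], perms
    }'
}

# Tag each listed rule: "unrelated-domain" when the source type is not the
# one we expect, "review-permission" when it grants a permission that relaxes
# W^X or lets the domain relabel files, otherwise "ok".
flag_rules() {
    awk -v want="$1" '{
        tag = "ok"
        perms = ""
        for (i = 4; i <= NF; i++) {
            perms = perms (perms == "" ? "" : " ") $i
            if ($i ~ /^(execmod|execmem|execstack|execheap|relabelfrom|relabelto)$/) tag = "review-permission"
        }
        if ($1 != want) tag = "unrelated-domain"
        print tag ": allow " $1 " " $2 ":" $3 " { " perms " }"
    }'
}

# Sample module text, reproduced from the thread for the demonstration.
SAMPLE_TE='module braintrain 1.0;

require {
type unconfined_t;
type cupsd_t;
type src_t;
type hplip_t;
class unix_stream_socket { read write };
class file { relabelfrom relabelto execute execmod };
}

#============= hplip_t ==============
allow hplip_t cupsd_t:unix_stream_socket { read write };

#============= unconfined_t ==============
allow unconfined_t self:file { relabelfrom relabelto execute };
allow unconfined_t src_t:file execmod;'

# Typical use: review the tagged listing, then delete the unrelated rules
# (and their now-unused require entries) from the .te before running checkmodule.
if [ "${1:-}" = "run" ]; then
    printf '%s\n' "$SAMPLE_TE" | list_allow_rules | flag_rules unconfined_t
fi
```

Each rule comes out on one line prefixed with its tag, so the listing can be read directly or piped through `grep -v '^ok:'` to show only the rules that need a decision. When a rule is removed from the .te, the corresponding `type` and `class` lines in the require block can go too; checkmodule accepts unused requires, but a minimal module is easier to audit later.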

Sir Prised 09-05-2009 10:00 AM

Quote:

Originally Posted by Sir Prised (Post 3670624)
To be honest, I don't know if this is acceptable or not!... Do you think it's OK just to add the module?


Ok. I went ahead anyway and added the module and it's working a treat.

Thanks rayfordj, very helpful. :-))

