Old 09-04-2009, 01:21 PM   #1
Sir Prised
Member
 
Registered: Sep 2009
Posts: 42

Rep: Reputation: 0
SELinux preventing game from running


Centos 5.3 2.6.18-128.7.1

I'm trying to run a game called BrainTrain.

It will not run with SELinux in "Enforcing" mode, but is OK if set to "Permissive"

#sh run.com either runs the game or returns....

./BrainTrain: error while loading shared libraries: ./objects/libfmodex.so.4.06.16: cannot restore segment prot after reloc: Permission denied

I *think* the relevant line in the Audit log is...

type-AVC msg=audit(1252076531.090.248): avc: denied { execmod } for pid=17542 comm="BrainTrain" path="/usr/src/The_Amazing_Brain_Train/objects/libfmodex.so.4.06.16" dev=dm-0 ino=6706405 scontext=user_u : system_r : unconfined_t : s0 tcontext=user_u : object_r : src_t : s0 tclass=file

Though I have only the vaguest idea what it means or how to get things sorted, I did try chcon -v --type=unconfined_t to make the types match but that just produced a slightly different error message.

The icon which I suspect is meant to appear on the toolbar, when SELinux throws a wobbly, doesn't show.

If anyone can suggest a way of sorting this out logically, so I don't have to disable SELinux every time I want to run the game, it would be much appreciated.

Cheers

Last edited by Sir Prised; 09-04-2009 at 01:26 PM.
 
Old 09-04-2009, 02:59 PM   #2
rayfordj
Member
 
Registered: Feb 2008
Location: Texas
Distribution: Fedora, RHEL, CentOS
Posts: 488

Rep: Reputation: 78
Code:
audit2why < /var/log/audit/audit.log > /tmp/audit2why.out

review /tmp/audit2why.out for clues

Code:
audit2allow -m braintrain < /var/log/audit/audit.log > /tmp/braintrain.te

review /tmp/braintrain.te to see what it would require for SELinux to allow. if everything is acceptable to you, you may continue policy creation with...

Code:
checkmodule -M -m -o braintrain.mod braintrain.te
semodule_package -o braintrain.pp -m braintrain.mod
semodule -i braintrain.pp

if the policy attempts to step on the default policy it should not be allowed to be installed with semanage and you should reassess the approach and attempt at resolution.

also, may only want to collect the avc denied for only the application (in case there are other avc denials that should actually continue to be denied)
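
The advice above, to collect only the application's own AVC denials before building a module, as an added example that is not part of any post in this thread. The function names and the sample records are constructed for illustration (the `hpssd` record stands in for an unrelated denial); `avc_rules` is only a review aid and does not replace audit2allow.

```shell
#!/bin/sh
# Added example (not from the thread); names and sample records are constructed.

# avc_for_comm COMM [FILE]: print only AVC denials whose comm= field is exactly COMM.
avc_for_comm() {
    awk -v want="comm=\"$1\"" '
        /^type=AVC / && / denied / {
            for (i = 1; i <= NF; i++)
                if ($i == want) { print; break }
        }' "${2:-/var/log/audit/audit.log}"
}

# avc_rules: read AVC records on stdin and print each distinct denial as an
# allow-style line, so the scope can be reviewed before a module is built.
avc_rules() {
    awk '{
        perms = $0
        sub(/^.*denied +[{] */, "", perms); sub(/ *[}].*$/, "", perms)
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, s, ":"); src = s[3] }
            if ($i ~ /^tcontext=/) { split($i, t, ":"); tgt = t[3] }
            if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        print "allow " src " " tgt ":" cls " { " perms " };"
    }' | sort -u
}

# sample_log: constructed audit records (two game denials, one unrelated
# denial, one non-AVC record) for trying the functions offline.
sample_log() {
    cat <<'EOF'
type=AVC msg=audit(1252081400.470:58): avc: denied { execmod } for pid=3300 comm="BrainTrain" path="/usr/src/The_Amazing_Brain_Train/objects/libfmodex.so.4.06.16" dev=dm-0 ino=2617206 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:src_t:s0 tclass=file
type=AVC msg=audit(1252081000.100:41): avc: denied { read write } for pid=2100 comm="hpssd" scontext=system_u:system_r:hplip_t:s0 tcontext=system_u:system_r:cupsd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1252081400.470:58): arch=40000003 syscall=125 success=no exit=-13 pid=3300 comm="BrainTrain"
type=AVC msg=audit(1252081460.112:61): avc: denied { execmod } for pid=3312 comm="BrainTrain" path="/usr/src/The_Amazing_Brain_Train/objects/libfmodex.so.4.06.16" dev=dm-0 ino=2617206 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:src_t:s0 tclass=file
EOF
}

# On the real system, as root:
#   avc_for_comm BrainTrain | avc_rules     # review what would be allowed
#   avc_for_comm BrainTrain | audit2allow -m braintrain > /tmp/braintrain.te
```

With the filter in place, the generated module carries only the game's `execmod` rule and leaves unrelated denials in the log untouched.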


 
Old 09-04-2009, 08:06 PM   #3
Elv13
Member
 
Registered: Apr 2006
Location: Montreal,Quebec
Distribution: Gentoo
Posts: 825

Rep: Reputation: 129
Add your user to the 'games' group (or is it 'game'?).
 
Old 09-05-2009, 02:57 AM   #4
Sir Prised
Member
 
Registered: Sep 2009
Posts: 42

Original Poster
Rep: Reputation: 0
Thanks for the suggestions

audit2why.out produced....

type=AVC msg=audit(1252081400.470:58): avc: denied { execmod } for pid=3300 comm="BrainTrain" path="/usr/src/The_Amazing_Brain_Train/objects/libfmodex.so.4.06.16" dev=dm-0 ino=2617206 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:src_t:s0 tclass=file
Was caused by:
Missing or disabled TE allow rule.
Allow rules may exist but be disabled by boolean settings; check boolean settings.
You can see the necessary allow rules by running audit2allow with this audit message as input.


braintrain.te produced....


module braintrain 1.0;

require {
type unconfined_t;
type cupsd_t;
type src_t;
type hplip_t;
class unix_stream_socket { read write };
class file { relabelfrom relabelto execute execmod };
}

#============= hplip_t ==============
allow hplip_t cupsd_t:unix_stream_socket { read write };

#============= unconfined_t ==============
allow unconfined_t self:file { relabelfrom relabelto execute };
allow unconfined_t src_t:file execmod;


To be honest, I don't know if this is acceptable or not !!... Do you think it's OK just to add the module?


On the subject of Groups there are only two groups, one per user, 500 & 501. The game however has been installed with Grp and User set to 1000. Changing these makes no difference at the moment, because I can't even run the game as root.

Cheers
 
Old 09-05-2009, 10:00 AM   #5
Sir Prised
Member
 
Registered: Sep 2009
Posts: 42

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by Sir Prised
To be honest, I don't know if this is acceptable or not !!... Do you think it's OK just to add the module?

Ok. I went ahead anyway and added the module and it's working a treat.

Thanks rayfordj, very helpful. :-))
 
  

