Archive for the "linux" Category

Install Ioncube Loader while SELinux Enabled

When you install the ioncube loader under CentOS 5.x, which has SELinux enabled by default, you will see the following error message:

“cannot restore segment prot after reloc: Permission denied”

This is a common problem when you install ioncube with SELinux enabled.

You have a few options here.

The first option is to disable SELinux: edit /etc/selinux/config, look for “SELINUX=” and put “disabled” to the right of the “=”, so that the line reads “SELINUX=disabled”. After you restart the machine, SELinux will be totally disabled. However, if you want to re-enable SELinux later, the system will relabel all files at boot time, which takes a very long time, so disabling SELinux is not recommended.

The second option is to put “permissive” in place of “disabled”, or to run “setenforce 0” on the command line (“setenforce 1” re-enables enforcement). You will see warning messages, but SELinux won’t do anything to stop unauthorized access. If you are serious about security, you probably won’t feel comfortable when SELinux is not enforcing its rules.

Now you’re ready for the real solution.

If you see the error message when you restart your HTTP server, run the following command (step 1):

audit2allow -l -a -r

You should see the required types and classes, along with the permissions you need to load as an SELinux module. You will not see them all at once: load the first set of rules and, if there are still problems, start from step 1 again, repeating until you have all the required types, classes and permissions. Below I show how to make it work, step by step:

You need to create a file “local.te”, which holds all the required types, classes and permissions to be loaded into the SELinux module. In our case, add the following to local.te:

module local 1.0;

require {
    class process {execstack execmem execheap};
    class file { ioctl lock append create getattr setattr link relabelfrom unlink write read rename execmod };
    type unconfined_t;
    type httpd_t;
    type httpd_sys_content_t;
};

# Allow text relocation (execmod) on files labeled httpd_sys_content_t
allow unconfined_t httpd_sys_content_t:file execmod;

# Allow httpd to use an executable stack, executable anonymous memory and an executable heap
allow httpd_t self:process {execstack execmem execheap};

End of code.

When you have local.te ready, run the following commands:

checkmodule -M -m -o local.mod local.te
semodule_package -o local.pp -m local.mod
semodule -i local.pp

Now your HTTP server will load the ioncube loader without any trouble.
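The step 1 loop above turns AVC denials from the audit log into allow rules. The following Python script is an added example (not from the original post, and not audit2allow's own code) that performs that mapping on constructed denial lines and renders a module whose require block lists only the permissions that were actually denied. The log lines, paths, pids and function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit.log lines (timestamps, pids and paths are made up).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1273500001.101:41): avc:  denied  { execmod } for  pid=2301 comm="httpd" path="/example/ioncube_loader.so" dev=sda1 ino=1001 scontext=root:system_r:unconfined_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1273500002.202:42): avc:  denied  { execstack } for  pid=2310 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1273500003.303:43): avc:  denied  { execmem } for  pid=2310 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1273500004.404:44): avc:  denied  { execheap } for  pid=2310 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
type=AVC msg=audit(1273500005.505:45): avc:  denied  { execmem } for  pid=2311 comm="httpd" scontext=root:system_r:httpd_t:s0 tcontext=root:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1273500005.505:45): arch=40000003 syscall=125 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
"""

# Captures: permissions, source type, target type, object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{([^}]*)\}.*?"
    r"scontext=[^:\s]+:[^:\s]+:([^:\s]+)\S*\s+"
    r"tcontext=[^:\s]+:[^:\s]+:([^:\s]+)\S*\s+tclass=(\w+)")

def collect_denials(log_text):
    """Map (source_type, target_type, class) -> set of denied permissions."""
    rules = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (SYSCALL records, grants, noise)
        perms, src, tgt, tclass = m.groups()
        rules[(src, tgt, tclass)].update(perms.split())
    return dict(rules)

def build_module(rules, name="local", version="1.0"):
    """Render a .te module that requires and allows only what was denied."""
    types, classes, allows = set(), defaultdict(set), []
    for (src, tgt, tclass), perms in sorted(rules.items()):
        types.update((src, tgt))
        classes[tclass].update(perms)
        target = "self" if src == tgt else tgt  # same type on both sides
        allows.append("allow %s %s:%s { %s };"
                      % (src, target, tclass, " ".join(sorted(perms))))
    lines = ["module %s %s;" % (name, version), "", "require {"]
    lines += ["    type %s;" % t for t in sorted(types)]
    lines += ["    class %s { %s };" % (c, " ".join(sorted(p)))
              for c, p in sorted(classes.items())]
    lines += ["}", ""] + allows
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(build_module(collect_denials(SAMPLE_AUDIT_LOG)))
```

Reviewing the generated rules before running checkmodule shows exactly which source type, target type and permission each denial adds to the policy.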


Upgrade Kubuntu from 8.10 to 10.04

Starting a few weeks ago or so, I haven’t been receiving updates on my Kubuntu 8.10 as usual. I believe 8.10 is being phased out, and I figure that an upgrade is long overdue; maybe this is the time to try the latest version, 10.04, which is a Long Term Support version.

Now you can’t just upgrade from 8.10 to 10.04, in fact you have to upgrade from 8.10 to 9.04, then to 9.10, then 10.04, so if you choose to upgrade you will have to do it three times! OK, I said to myself, let’s do it!

The upgrade from 8.10 to 9.04 went smoothly (though I needed to clean up the root partition to make room for downloading and unpacking). When the machine (a Dell Latitude E6500) rebooted, I had 9.04 up and running, and in no time I started the upgrade from 9.04 to 9.10. This time it didn’t go as expected. Almost at the end of the upgrade, there was no room left on the root partition. The upgrade didn’t complain about this, which was the weird thing, and I expected there would be problems. And there they were! When the system rebooted, the X server just bailed because no nvidia kernel module was loaded (my laptop has an nvidia graphics card). It turned out the kernel wasn’t installed correctly due to disk space exhaustion. I was lucky that I only had to remove the broken kernel image package and reinstall it; after a reboot, everything was fine. The upgrade from 9.10 to 10.04 took about 1 hour and 40 minutes (about 40 minutes downloading and 1 hour upgrading). I had 10.04 on my laptop and it’s running great!

During the upgrade I kept doing what I usually do, with almost no interruption (except 5 minutes to fix the 9.04 to 9.10 problem). I have to say I am amazed but not surprised: Linux has come of age, not only on servers, but also on desktops, mobile devices and much more. I have been a Linux user for more than 11 years, and I still find something new almost every day. I can’t imagine what computing would be if there were no Linux.
