Fix for: cannot restore segment prot after reloc: Permission denied

Just got this:


thebes# apachectl configtest
httpd: Syntax error on line 62 of /usr/local/apache2/conf/httpd.conf: Cannot load /usr/local/apache2/modules/libphp5.so into server: /usr/local/apache2/modules/libphp5.so: cannot restore segment prot after reloc: Permission denied

This is an SELinux issue. The library contains text relocations, so at load time the dynamic linker has to make part of its text segment writable and then restore it to executable (the “restore segment prot” step); SELinux only permits that for shared objects labelled textrel_shlib_t. As you can see the security context “type” is set to usr_t instead:


thebes# ls -lZ /usr/local/apache2/modules/libphp5.so
-rwxr-xr-x root root user_u:object_r:usr_t /usr/local/apache2/modules/libphp5.so

Change it to textrel_shlib_t with:


chcon -u system_u -r object_r -t textrel_shlib_t /usr/local/apache2/modules/libphp5.so

And it works fine:


thebes# apachectl configtest
Syntax OK
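The following script is an added example, not part of the original post: it reads the current label of a module, checks whether the ELF object actually carries a TEXTREL entry (if it does not, the denial is about something else and relabelling is the wrong fix), and prints both the immediate chcon fix from the post and a persistent semanage/restorecon pair, since a bare chcon is lost on the next filesystem relabel. The module path is the one from the post; the stat/readelf calls assume coreutils and binutils.

```shell
#!/bin/sh
# Added example (not from the original post): triage for the SELinux
# "cannot restore segment prot after reloc" error on a shared object.

# Extract the SELinux type (third colon-separated field) from a context
# string such as "user_u:object_r:usr_t" or "system_u:object_r:usr_t:s0".
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Return 0 (true) when a shared object carrying this context will be refused
# the writable-then-executable remap, i.e. its type is not textrel_shlib_t.
needs_textrel_label() {
    case "$(selinux_type "$1")" in
        textrel_shlib_t) return 1 ;;
        *) return 0 ;;
    esac
}

# Does the ELF object contain text relocations at all?  readelf -d prints a
# TEXTREL dynamic tag for objects that were not built position-independent.
has_textrel() {
    readelf -d "$1" 2>/dev/null | grep -q 'TEXTREL'
}

# Print the immediate fix (chcon, as in the post) and the persistent one
# (a file-context rule plus restorecon) for a module needing textrel_shlib_t.
relabel_commands() {
    mod="$1"
    printf 'chcon -u system_u -r object_r -t textrel_shlib_t %s\n' "$mod"
    printf "semanage fcontext -a -t textrel_shlib_t '%s'\n" "$mod"
    printf 'restorecon -v %s\n' "$mod"
}

# Driver: ./textrel_check.sh /usr/local/apache2/modules/libphp5.so
main() {
    mod="${1:-/usr/local/apache2/modules/libphp5.so}"
    ctx="$(stat -c %C "$mod")" || exit 1   # %C prints the file's SELinux context
    if needs_textrel_label "$ctx"; then
        if has_textrel "$mod"; then
            echo "$mod has TEXTREL and is labelled $(selinux_type "$ctx"); fix with:"
            relabel_commands "$mod"
        else
            echo "$mod has no TEXTREL; check the audit log rather than relabelling"
        fi
    else
        echo "$mod is already labelled textrel_shlib_t"
    fi
}

if [ $# -gt 0 ]; then main "$@"; fi
```

The TEXTREL check matters because textrel_shlib_t is a concession, not a cure: it lets SELinux tolerate a library that needs writable-and-then-executable pages. If the object shows TEXTREL, the cleaner long-term fix is to rebuild it position-independent (PHP built with -fPIC) so the relabel is no longer needed.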


AIDE constantly reporting prelink errors

We added a couple of new boxes running CentOS 6 here at Hagen Hosting. They generally work really nicely, but I’ve been having this ongoing fight with AIDE and prelink.

Prelink seems like a good idea because it reduces the chance of an exploit working, but the honest truth is that it is annoying, potentially troublesome in terms of legal issues and security. Moreover, from what I read, prelink doesn’t add much extra security.

I find it particularly annoying when prelink runs each week and I’m confronted with the output from AIDE saying a bunch of files have changed. It would take hours to compare them all to see if they had changed because of an intrusion so I have to assume that they have changed because of prelink because they are listed in the prelink logs and timestamps match. But, you know, it just doesn’t feel secure.

Moreover, prelink has become very annoying because, for some reason that I have yet to work out, each night it keeps prelinking the same set of files. A few are compiled-from-source programs (like Apache), but some are standard libs.

To get it to stop I had to run prelink on those files manually and keep re-running it until it stopped saying that some of the files needed prelinking.

However, after a valiant attempt I’ve realised that prelink is just causing too many headaches and so I took the ultimate step — to disable it.

To disable prelink edit

/etc/sysconfig/prelink.conf

/etc/sysconfig/prelink

and change

PRELINKING=yes

to

PRELINKING=no

Sometime in the next few days it will run prelink -ua to undo the pre-linking on all files then I’ll be done with it and the only changes to the system will be updates (or bad stuff :-)

Edit: 2014-05-22T13:25:56+00:00

I just had this error message coming up on a box after updating a library. prelinking is disabled but I would still get this same error message from AIDE.

Running

prelink -ua

did not stop the error messages because running this command checks the value of PRELINKING and so it doesn’t run – at least I think so. The error occurs because AIDE detects that the library has changed and so runs prelink directly on those files:

4574 [pid 12916] execve("/usr/sbin/prelink", ["/usr/sbin/prelink", "--verify", "/usr/local/apache2/modules/libph"...], [/* 44 vars */]) = 0

Since I have PRELINKING=no defined, but I was getting this error message, it would appear that if you specify a filename to prelink then it runs as it normally would, regardless of this global setting. It makes sense, I suppose.

The answer therefore was to use this knowledge that prelink still works on specific files, but not globally, and “un-prelink” the library in question. In other words, run:

prelink -ua <file>

Doing this caused AIDE to no longer run prelink.
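The following is an added example, not part of the original post, that scripts the two steps described above: flipping PRELINKING to no in the sysconfig file, and running prelink -ua against the specific files an AIDE report names (the post found that the bare command is a no-op once prelinking is disabled, while naming a file still works). The config path is passed as a parameter so the functions can be exercised on a scratch copy.

```shell
#!/bin/sh
# Added example, not from the original post: disable global prelinking and
# undo prelinking on individual files that AIDE keeps flagging.

# Print the effective PRELINKING value from a sysconfig file.  Comment lines
# are skipped and, as when the shell sources that file, the last assignment wins.
prelinking_setting() {
    awk -F= '
        /^[[:space:]]*#/ { next }
        $1 ~ /^[[:space:]]*PRELINKING[[:space:]]*$/ {
            v = $2; gsub(/[[:space:]"]/, "", v); val = v
        }
        END { print val }
    ' "$1"
}

# Return 0 when prelinking is enabled in the given config file.
prelinking_enabled() {
    [ "$(prelinking_setting "$1")" = "yes" ]
}

# Rewrite the PRELINKING line to PRELINKING=no (the edit the post makes by
# hand).  Other settings are left untouched and a .bak copy is kept.
disable_prelinking() {
    cp "$1" "$1.bak" || return 1
    sed 's/^[[:space:]]*PRELINKING=.*/PRELINKING=no/' "$1.bak" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Undo prelinking on the specific files an AIDE report complains about.
# Naming a file makes prelink act on it even though PRELINKING=no.
unprelink_files() {
    for f in "$@"; do
        [ -e "$f" ] || { echo "skip: $f not found" >&2; continue; }
        prelink -ua "$f"
    done
}

# Driver: ./prelink_off.sh /etc/sysconfig/prelink [file ...]
if [ $# -gt 0 ]; then
    conf="$1"; shift
    if prelinking_enabled "$conf"; then
        disable_prelinking "$conf" && echo "set PRELINKING=no in $conf"
    fi
    if [ $# -gt 0 ]; then unprelink_files "$@"; fi
fi
```

After the per-file undo, the next AIDE run should record the file's new checksum once (via aide --update and moving the new database into place); if the same file keeps reappearing, it has changed again for some other reason and deserves a look.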

aide.conf syntax errors contain junk line information

The latest servers that we added to run our e-Classifieds (r) platform use CentOS 6. I definitely like the boxes but Prelink and AIDE have been a pain.

After trying to stop AIDE checking some folders I started getting this report:

271:syntax error: <junk>
271:Error while reading configuration: <junk>

It turns out that this really was a syntax error. It really was on line 271 because rather daftly I had been thinking in terms of RegExps and added the line as

!^/usr/local/....

The ^ generates the syntax error. But apparently AIDE has a free/malloc/pointer bug in this error message, as it prints random junk after the error message. Initially this made me think that the error being reported was that the aide.conf file contained those characters and I couldn’t see them, and therefore oooh, filesystem/disk corruption… I was relieved to find that it was a bug in AIDE’s error message.

Liking the First CentOS 6 Server at $work

Installed first box at $work with CentOS 6 the other day and so far I like it.

I will say that the installer is nowhere near as slick as Ubuntu’s installer. I’m not really sure quite why it doesn’t feel as easy, but clearly someone at Canonical worked hard to make their installer slick; still, CentOS 6 installed smoothly.


Virtualbox 2.0 is out

For those who have never used it, Virtualbox is Virtual Machine software from Sun Microsystems, who bought the previous owners, innoTek GmbH. While my experience with VM software is not extensive, I’ve used a few programs on a Windows host and I’m pretty impressed with Virtualbox. VMWare was, by comparison, much much slower, although this may have changed in more recent editions. I also hated how tightly VMWare wove itself into the OS. Uninstalling it has broken several computers of mine and resulted in days of trying to unbreak its grip on my network adapter (trying to remove the virtual adapters from the MAC bridge when VMWare was no longer installed). In comparison to VB, MS Virtual PC appears to be lacking features – or at least an interface – and plainly has no design to support anything but Windows, with boot options of “Windows 95, 98, NT, 2000, XP, Vista and OTHER”. It isn’t surprising, given that they sell Windows, but I can’t help but wonder how effective it can really be for non-Windows, which at the moment is my thing since I’m running Windows as the host OS.

Virtualbox gives a nice range of features and appears pretty fast. 2.0 is no exception, appearing mostly to fix a few gotchas which never bit me. My only complaint about it is that aperiodically I’ve found that the clipboard will break. This is from Windows as a host OS to CentOS and Fedora 8 as guest OSes. You’ll be typing along and suddenly the clipboard won’t work, for Windows or in the guest OS, and you end up needing to restart the Vbox to clear it.

I’ve yet to see any information explaining what is happening, but what I suspect is happening is that an event is being lost on the client end and this ties up the entire clipboard because Windows doesn’t get the acknowledgement that the event was processed. I did once see an error message from the Xserver about it dropping events so this seems to be a reasonable guess.

My solution to this has been to work around it: instead of using X directly on the console of the Vbox, I connect to it via Nomachine’s NX client. This not only gives me the equivalent of “screen” under X, with the ability to disconnect and reconnect later, but I’ve never had the clipboard cross-over screw up. Which is really handy.

So if you haven’t already tried it but you’d like to, or you’d like to try VM’s and don’t know where to start, or you’re looking to try Linux, but are too addicted to your Windows apps to be logged out of your computer, Virtualbox will be great for you.

As for choice in Linuxes, well, I’m going with Fedora 8 and CentOS 5.2. Personally I’ve been concerned about the direction of Fedora, especially with its “pump a new version out every few months” attitude (as opposed to putting out something decent). I did try Fedora 9 from the live CD and it sucked, especially when compared to F8. F8 has, so far, been a pinnacle in the Fedora line for me. By comparison CentOS 5.2 appears to have a very strong stable base, and is every bit as usable for a desktop OS as a server OS. As a quick comparison, when running under Virtualbox in order to be able to have a graphical resolution which matches my Windows box (which is only 1280px by 1024px, so nothing to write home about), Fedora 8 requires you allocate 32Mb of memory for graphics, but CentOS 5.2 requires only 16Mb. I think it says something about F8.

Colin.

Nomachine NX Client Times out “Negotiating Link Parameters”

I use NX Client from Nomachine to connect to one of my boxes, or more accurately, to a copy of CentOS 5.2 I’m running in a VirtualBox VM on my Windows box. It’s kinda weird, but cool in some respects, as half of my computer is now running CentOS; pretty much literally, since half the RAM can be used by it and, since I connect via NX client, it sits in a window which lives on a second monitor.

This is a cool setup. It’s a way to wean myself from Windows, to run a test environment with yet another web browser (ok, so it’s Firefox, but still), while at the same time playing with VMs (and X11 as I used to do). It also gives me a great excuse to use NX which is, it must be said, far better than the other free X server for Windows, Xming. I think it’s the compression or something, or maybe that it’s a dedicated protocol server and client, whereas Xming is implementing X11 directly. Whatever, Xming is often slow and sometimes iffy (to the point where I never felt comfortable purchasing the latest version). It is particularly bad at handling network issues, I’ve found, where it will infrequently just hang the connection, causing you to lose all of your window placements.

Not so with NX, which appears to be the equivalent of screen for X. Disconnect? Okay, I’ll just sit here and suspend your session and wait for you to come back. This feature alone is amazingly useful, but combined with the built-in compression it works very well. Part of the high quality compression is that they compress the data in the connection protocol, X11, VNC, or Radmin, instead of compressing the stream of data, as happens with, say, SSH compression. Although I haven’t tried it, you can apparently still use X sessions over a dialup line. I know it’s considerably easier to bring up my X session at home over a cable modem link with NX than it is with Xming, which crawls on anything but having a text window open.

One issue I do have with NX is that it is really complicated to set up. I spent a good couple of hours installing things and repeatedly logging into my box, with numerous updates to the local SELinux config to allow NX under SSH to launch various things, including being able to write a log to /var/log. That’s exactly the kind of crap people won’t deal with in general. If you’re having this problem then I fully recommend running this command:

audit2allow -l -r < /var/log/audit/audit.log

after each failed login. This gets audit2allow to list only the allow rules needed for the denials logged since the last reload of the SELinux policy (-l) and to output them with the corresponding require { } block (-r).
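Before turning a batch of denials into allow rules, it is worth seeing exactly which source domain is being granted which permission on which target type, since audit2allow will happily emit a rule for every denial it sees. The script below is an added example, not part of the original post: it collapses AVC records from an audit.log into one line per distinct (source context, target context, class, permission). The sample log lines, the nxnode/nxagent names and the inode and pid values are constructed for illustration, not captured from a real box.

```shell
#!/bin/sh
# Added example, not from the original post: summarise AVC denials before
# feeding them to audit2allow, so each proposed rule can be reviewed.

# Write a constructed audit.log excerpt to a temp file and print its path.
# The record layout follows the standard AVC format; the comm/name values are
# illustrative assumptions, not real log data.
write_sample_audit_log() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
type=AVC msg=audit(1400000001.123:201): avc:  denied  { write } for  pid=4021 comm="nxnode" name="nxserver.log" dev=dm-0 ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1400000001.456:202): avc:  denied  { append } for  pid=4021 comm="nxnode" name="nxserver.log" dev=dm-0 ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1400000002.789:203): avc:  denied  { write } for  pid=4022 comm="nxnode" name="nxserver.log" dev=dm-0 ino=1234 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file
type=AVC msg=audit(1400000003.001:204): avc:  denied  { execute } for  pid=4023 comm="nxnode" name="nxagent" dev=dm-0 ino=5678 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
type=USER_START msg=audit(1400000003.500:205): user pid=4020 uid=0 auid=500 ses=3 msg='op=PAM:session_open acct="colin" exe="/usr/sbin/sshd" res=success'
EOF
    printf '%s\n' "$f"
}

# Print one line per distinct "scontext tcontext tclass permission" seen in
# denied AVC records.  Repeated denials collapse to a single entry, which is
# the view you want when judging whether a rule is reasonable to grant.
summarize_avc() {
    awk '
        /avc: +denied/ {
            perm = $0
            sub(/.*denied +[{] */, "", perm); sub(/ *[}].*/, "", perm)
            sc = tc = cls = ""
            for (i = 1; i <= NF; i++) {
                if (index($i, "scontext=") == 1) sc = substr($i, 10)
                else if (index($i, "tcontext=") == 1) tc = substr($i, 10)
                else if (index($i, "tclass=") == 1) cls = substr($i, 8)
            }
            n = split(perm, ps, / +/)
            for (j = 1; j <= n; j++) {
                key = sc " " tc " " cls " " ps[j]
                if (!(key in seen)) { seen[key] = 1; print key }
            }
        }
    ' "$1"
}

# Driver: ./avc_summary.sh /var/log/audit/audit.log
# Once the list looks right, generate the rules with the command from the post:
#   audit2allow -l -r < /var/log/audit/audit.log
if [ $# -gt 0 ]; then summarize_avc "$1"; fi
```

Run against the constructed sample, the four denials reduce to three distinct tuples (sshd_t writing and appending to var_log_t, and sshd_t executing a usr_t file). A write to var_log_t from sshd_t is plausible for a daemon that logs under /var/log; an execute denial on a usr_t file is the kind of entry to question before allowing it, since the cleaner fix is usually to label the binary correctly rather than widen what sshd_t may execute.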

Beyond that, which I got on my FC8 system, even using FC8 RPMs (but not on my CentOS 5.2, with both the CentOS and NX RPMs), the only issue I’ve found with NX is that occasionally it seems to get confused. When you open your client connection it will go through the normal setup, the window will open and it will resume the session, but the final Windows dialog box will sit there saying

“Negotiating Link Parameters”

It will do this for about 30s to a minute, meanwhile the session is up and running and usable. At the end of what seems to be a timeout period, it seems to give up. At that point it closes both the dialog box and the entire NX client window. Once this happens you can try as many times as you like and it will just repeat.

I’ve found that the only answer to this is to open up task manager with alt-ctrl-delete, and to kill all “NX” processes. Once you do that it works again.

Col.