IBM Support

Getting CS Linux to work with SELinux (Security Enhanced Linux) on RHEL5, RHEL6

Troubleshooting


Problem

Red Hat Enterprise Linux 5 (RHEL5) and RHEL6 come with a feature called Security Enhanced Linux (SELinux). Using the default RHEL5 installation choices and the default SELinux configuration, CS Linux will not start properly. The default RHEL6 SELinux settings do not prohibit CS Linux from installing properly.

Cause

The SELinux feature checks whether software has permission to perform certain operations. The permissions are detailed in the SELinux 'policy'. The default SELinux mode and policy for RHEL5 will not allow CS Linux to install and run properly. For RHEL6, it is possible that SELinux will prohibit CS Linux from starting properly.

If SELinux is set for 'enforcing' with the default policy, then various parts of the LiS and CS Linux installation will generate error messages as shown below.

    - The LiS 'make install' will generate the following:
      -- /usr/sbin/strmakenodes: error while loading shared libraries: /usr/lib/libLiS.so: cannot restore segment prot after reloc:
      Permission denied
      -- make: *** [install] Error 127
    and the following will be logged in /var/log/messages:
      -- setroubleshoot: SELinux is preventing /usr/sbin/strmakenodes from loading /usr/lib/libLiS.so which requires text relocation.
      For complete SELinux messages run
      sealert -l 9c8d1003-103e-4708-aa0e-d05cf98a132d

    - The CS Linux /etc/init.d/snastart script will generate the following:
      -- /usr/sbin/strmakenodes: error while loading shared libraries: /usr/lib/libLiS.so: cannot restore segment prot after reloc:
      Permission denied
    and this will be in /var/log/messages:
      -- setroubleshoot: SELinux is preventing /usr/sbin/strmakenodes from loading /usr/lib/libLiS.so which requires text relocation.
      For complete SELinux messages run
      sealert -l 9c8d1003-103e-4708-aa0e-d05cf98a132d

    - The ./installibmcs script that installs and starts the Communications Server may show this message:
    .../snatrydrivers permission denied

    Resolving The Problem

    The default SELinux mode and policy for RHEL5 do not allow LiS and CS Linux to install and run properly. For RHEL6, the default settings do not affect CS Linux start, but SELinux can be configured in a way that interferes with CS Linux. In order to have CS Linux run properly, you may need to change one of the following:


        • The SELinux mode
        • The SELinux policy
    There are several ways to fix this problem. You can perform one or more of the following:


    1. Check the Communications Server for Linux support pages for the latest PTF updates. RHEL 5 and SLES 11 XEN kernels will need the v6.4.0.1 LiS patch file to address some make issues with the new kernel changes. RHEL6 will need the v6.4.0.2 LiS patch file to allow CS Linux to run. The latest PTF maintenance available for CS Linux can be found at:


    http://www.ibm.com/support/docview.wss?uid=swg21411972

    2. Disable the SELinux feature at boot time. This is done by putting the flag 'selinux=0' on the kernel line in the /boot/grub/grub.conf file (for i686 and x86_64) and then rebooting. For s390x you would modify the /etc/zipl.conf file and for ppc64 you would modify the /etc/yaboot.conf file.


    3. Set SELinux to permissive or disabled mode instead of 'enforcing'. This is done by changing the SELINUX= value in the /etc/sysconfig/selinux file (on RHEL a symbolic link to /etc/selinux/config) and then rebooting.
      vi /etc/selinux/config
      #SELINUX=disabled
      SELINUX=permissive


    4. Add the specific permissions that LiS and CS Linux want to use to the policy being used by SELinux. This is done by following these steps:

    a) Make sure you are running with the latest update for the policycoreutils RPM.

    b) Issue the following eight commands:
      semanage fcontext -a -t textrel_shlib_t \
        /usr/lib/libLiS.so
      semanage fcontext -a -t textrel_shlib_t \
        /usr/lib/libpLiS.so
      semanage fcontext -a -t textrel_shlib_t \
        /usr/local/ibm/gsk7/lib/libgsk7krsw.so
      semanage fcontext -a -t textrel_shlib_t \
        /usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7
      chcon -f -t textrel_shlib_t \
        /usr/lib/libLiS.so
      chcon -f -t textrel_shlib_t \
        /usr/lib/libpLiS.so

      chcon -f -t textrel_shlib_t \
        /usr/local/ibm/gsk7/lib/libgsk7krsw.so
      chcon -f -t textrel_shlib_t \
        /usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7

    c) If the "-- /usr/sbin/strmakenodes" errors were encountered during install of LiS or CS Linux, you can continue with the LiS 'make', or the LiS 'buildLiS' for v6.4.0.2 and later, and the rest of the CS Linux install.

    If LiS and CS Linux are already installed, then the errors encountered were due to setting the SELinux mode to "enforcing". After the permissions to run LiS and CS Linux are added to the policy, you should re-boot the machine.
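
Step 4 keeps SELinux in enforcing mode and changes only the labels of the libraries that need text relocation. The following is an added example, not IBM's code: it reads setroubleshoot lines like those quoted under Cause and prints the step 4 b) commands only for libraries on that step's list, flagging any other library for review. The log timestamps, host name and the /opt/example path are constructed sample data.

```shell
#!/bin/sh
# Added example: turn setroubleshoot text-relocation denials into the
# step 4 b) labelling commands. It only prints commands; it runs nothing.

# Constructed sample input modelled on the /var/log/messages lines above.
SAMPLE_LOG='Jan 10 10:00:01 host1 setroubleshoot: SELinux is preventing /usr/sbin/strmakenodes from loading /usr/lib/libLiS.so which requires text relocation. For complete SELinux messages run sealert -l 9c8d1003-103e-4708-aa0e-d05cf98a132d
Jan 10 10:00:02 host1 crond[2211]: (root) CMD (run-parts /etc/cron.hourly)
Jan 10 10:05:43 host1 setroubleshoot: SELinux is preventing /usr/sbin/strmakenodes from loading /usr/lib/libLiS.so which requires text relocation. For complete SELinux messages run sealert -l 9c8d1003-103e-4708-aa0e-d05cf98a132d
Jan 10 10:06:12 host1 setroubleshoot: SELinux is preventing /opt/example/bin/tool from loading /opt/example/lib/libdemo.so which requires text relocation.'

# The four libraries that step 4 b) labels. A path taken from a log is
# untrusted input, so anything outside this list is reported, not labelled.
ALLOWED='/usr/lib/libLiS.so
/usr/lib/libpLiS.so
/usr/local/ibm/gsk7/lib/libgsk7krsw.so
/usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7'

# Read log text on stdin; print each distinct library named in a
# "requires text relocation" denial, one per line.
textrel_denials() {
    sed -n 's/.*setroubleshoot: SELinux is preventing .* from loading \([^ ]*\) which requires text relocation.*/\1/p' | sort -u
}

# Read log text on stdin; print the semanage/chcon pair for each denied
# library on the allowlist and a review comment for every other one.
plan_fix() {
    textrel_denials | while IFS= read -r lib; do
        if printf '%s\n' "$ALLOWED" | grep -Fxq -- "$lib"; then
            printf 'semanage fcontext -a -t textrel_shlib_t %s\n' "$lib"
            printf 'chcon -f -t textrel_shlib_t %s\n' "$lib"
        else
            printf '# REVIEW: not a CS Linux library: %s\n' "$lib"
        fi
    done
}

printf '%s\n' "$SAMPLE_LOG" | plan_fix
```

On a real system, feed /var/log/messages to plan_fix on stdin and review the printed commands before running them as root.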

    See the Red Hat documentation for more details on SELinux.


    Document Information

    Modified date:
    02 August 2018

    UID

    swg21255980