Troubleshooting
Problem
RedHat Enterprise Linux 5 (RHEL5) and RHEL6 comes with a feature called Security Enhanced Linux (SELinux). Using the default RHEL5 installation choices and the default SELinux configuration, CS Linux will not starting properly. The default RHEL6 SELinux settings do not prohibit CS Linux from installing properly.
Cause
The SELinux feature checks for permission for software to do certain things. The permissions are detailed in the SELinux 'policy'. The default SELinux mode and policy for RHEL5 will not allow CS Linux to install and run properly. For RHEL6, it is possible that the SELinux will prohibit CS Linux from starting properly.
If SELinux is set for 'enforcing' with the default policy, then various parts of the LiS and CS Linux installation will generate error messages as shown below.
- -- /usr/sbin/strmakenodes: error while loading shared libraries: /usr/lib/libLiS.so: cannot restore segment prot after reloc:
Permission denied
-- make: *** [install] Error 127
- -- setroubleshoot: SELinux is preventing /usr/sbin/strmakenodes from loading /usr/lib/libLiS.so which requires text relocation.
For complete SELinux messages run
sealert -l 9c8d1003-103e-4708-aa0e-d05cf98a132d
- The CS Linux /etc/init.d/snastart script will generate the following:
- -- /usr/sbin/strmakenodes: error while loading shared libraries: /usr/lib/libLiS.so: cannot restore segment prot after reloc:
Permission denied
- -- setroubleshoot: SELinux is preventing /usr/sbin/strmakenodes from loading /usr/lib/libLiS.so which requires text relocation.
For complete SELinux messages run
sealert -l 9c8d1003-103e-4708-aa0e-d05cf98a132d
- The ./installibmcs script that installs and starts the Communications Server may show this message:
.../snatrydrivers permission denied
Resolving The Problem
The default SELinux mode and policy for RHEL5 does not allow LiS and CS Linux to install and run properly. For RHEL6, the default settings to not effect CS Linux start, but it can be configured to interfere with CS Linux. In order to have CS Linux run properly, you may need change one of the following:
- The SELinux mode
- The SELinux policy
1. Check the Communications Server for Linux support pages for the latest PTF updates. RHEL 5 and SLES 11 XEN kernels will need the v6.4.0.1 LiS patch file to address some make issues with the new kernel changes. RHEL6 will need v6.4.0.2 LiS patch file to allow CS Linux to run. The latest PTF maintenance available for CS Linux can be found at:
http://www.ibm.com/support/docview.wss?uid=swg21411972
2. Disable the SELinux feature at boot time. This is done by putting the flag 'selinux=0' on the kernel line in the /boot/grub/grub.conf file (for i686 and x86_64) and then rebooting. For s390x you would modify the /etc/zipl.conf file and for ppc64 you would modify the /etc/yaboot.conf file.
3. Set SELinux to permissive or disabled mode instead of 'enforcing'. This is done by changing the SELINUX= value in the /etc/sysconfig/selinux file and then rebooting.
- vi /etc/selinux/config
#SELINUX=disabled
SELINUX=permissive
4. Add the specific permissions that LiS and CS Linux want to use to the policy being used by SELinux. This is done by following these steps:
a) Make sure you are running with the latest update for the policycoreutils RPM.
b) Issue the following eight commands:
- semanage fcontext -a -t textrel_shlib_t \
- /usr/lib/libLiS.so
- /usr/lib/libpLiS.so
- /usr/local/ibm/gsk7/lib/libgsk7krsw.so
- /usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7
- /usr/lib/libLiS.so
- /usr/lib/libpLiS.so
chcon -f -t textrel_shlib_t \
- /usr/local/ibm/gsk7/lib/libgsk7krsw.so
- /usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7
c) If the "-- /usr/sbin/strmakenodes" errors were encountered during install of LiS or CS Linux, you can continue with the LiS 'make', or the LiS 'buildLiS' for v6.4.0.2 and later, and the rest of the CS Linux install.
If LiS and CS Linux are already installed, then the errors encountered were due to setting the SELinux mode to "enforcing". After the permissions to run LiS and CS Linux are added to the policy, you should re-boot the machine.
See the RedHat documentation for more details on SELinux.
Related Information
Was this topic helpful?
Document Information
Modified date:
02 August 2018
UID
swg21255980