SElinux, ioncube and local.te

bill1282
I am using these instructions to get ioncube to work on a dedicated server running Web server Apache/2.2.3 (CentOS): Install Ioncube Loader while SELinux Enabled http://www.cuteshift.com/57/install-ioncube-loader-while-selinux-enabled/

I have already added the files and the entry to the /etc/php.ini file and used the Loader Wizard to try to install.

Where do I add the local.te file?

Thank you,
Bill
Kerem ERSOY, President

Commented:
Hi,

You won't add it anywhere; once you've run the commands in the document, you should be creating a policy and inserting it. However, it is not a good document.

First of all, you should find SELinux errors with a command such as:

ausearch -m AVC --comm http | audit2allow -M htttprls && semodule -i httprls.pp

The first command, ausearch, finds policy denials with the AVC module and filters only the http errors.

audit2allow will create a new module called httprls, and finally the third command will insert the generated rule.

This should be it.

Cheers,
K.


Author

Commented:
This is what I got after running the command:
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i htttprls.pp

semodule:  Could not read file 'httprls.pp': No such file or directory

When semodule -i htttprls.pp is run, I get this for all accounts on the server:

 homedir /var/www/vhosts/website.com or its parent directory conflicts with a
defined context in /etc/selinux/targeted/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account.  If it is a system account please make sure its login shell is /sbin/nologin.

Author

Commented:
This is what I get when I run audit2allow -l -a -r


require {
        type httpd_t;
        class process execmem;
}

#============= httpd_t ==============
allow httpd_t self:process execmem;

President
Commented:
Sorry, I had a typo in the command: the first has 3 t's while the second has two. Please correct it to read:

ausearch -m AVC --comm http | audit2allow -M httprls && semodule -i httprls.pp


As you may have noticed, -M httprls is the module name which semodule tries to insert into running policies, so the name should be identical.

Cheers,
K.

Author

Commented:
Still getting errors:

 homedir /var/www/vhosts/mydomain.com or its parent directory conflicts with a
defined context in /etc/selinux/targeted/contexts/files/file_contexts,
/usr/sbin/genhomedircon will not create a new context. This usually indicates an incorrectly defined system account.  If it is a system account please make sure its login shell is /sbin/nologin.

Output of audit2allow -l -a -r:

require {
        type httpd_t;
        type httpd_sys_content_t;
        class file execmod;
}

#============= httpd_t ==============
allow httpd_t httpd_sys_content_t:file execmod;

Author

Commented:
Cancel that, I ran it again and it worked. Thank you very much!
Kerem ERSOY, President

Commented:
You're welcome
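
The two rules audit2allow produced in this thread grant httpd_t the execmem and execmod permissions, so it is worth reading the generated .te file before running semodule -i. The following is an added example, not part of the original thread: flag_risky_rules and write_sample_te are hypothetical helper names, and the sample policy is constructed from the rules quoted above.

```shell
#!/bin/sh
# Added example: review an audit2allow-generated .te file before loading it.
# flag_risky_rules and write_sample_te are hypothetical helper names.

# Permissions that let a domain execute writable memory or modified
# file mappings; each one deserves a deliberate decision.
RISKY_PERMS='execmem|execmod|execstack|execheap'

# Print every allow rule in FILE that grants one of RISKY_PERMS.
# Exit status: 0 = nothing flagged, 1 = at least one rule flagged,
# 2 = file unreadable (for example a module name typo, as in the thread).
flag_risky_rules() {
    te_file=$1
    [ -r "$te_file" ] || { echo "cannot read $te_file" >&2; return 2; }
    hits=$(grep -E '^[[:space:]]*allow[[:space:]]' "$te_file" |
           grep -E "(^|[^A-Za-z_])($RISKY_PERMS)([^A-Za-z_]|\$)" || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample: the two rules quoted in the thread plus one
# ordinary rule that should not be flagged.
write_sample_te() {
    cat > "$1" <<'EOF'
module httprls 1.0;

require {
        type httpd_t;
        type httpd_sys_content_t;
        class process execmem;
        class file { execmod getattr };
}

#============= httpd_t ==============
allow httpd_t self:process execmem;
allow httpd_t httpd_sys_content_t:file execmod;
allow httpd_t httpd_sys_content_t:file getattr;
EOF
}

# Intended use on a real host (not run here), with the thread's command
# split so the module is built first and installed only after review:
#   ausearch -m AVC --comm http | audit2allow -M httprls
#   flag_risky_rules httprls.te && semodule -i httprls.pp
```

A non-zero exit from flag_risky_rules stops the `&&` chain, so the module is only installed once the flagged rules have been read and accepted or the denial has been resolved another way.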
