« »

Komodo and SELinux

Thursday, 22 December 2005

Recently we had been noticing some reports of Komodo startup failing on some modern Linux boxes. See bug 43260. It was tracked down to SELinux on the particular machine disallowing text-segment relocation in a specific shared object in Komodo.

The problem became more acute with the recent releases because Fedora Core 4 now comes with SELinux installed, enabled and enforcing (in certain areas of the file system) by default.

(Gory details: Basically there is a micro chance for a security hole during text-segment relocation when loading a shared object that was not compiled with position-independent code -- i.e. without "-fPIC" with gcc. I need to find the reference -- deep in a PDF a co-worker found -- that described those details again.)

So either you need to build all your .so's -fPIC or you need to set SELinux attributes appropriately (a.k.a. set the "security context") on certain files post-install. Komodo 3.5.x did a bit of both. First we made the changes that we could to get all .so's building -fPIC. However, we still have one that could not be, so we need to set its security context on install. One does this "chcon" (change context).

chcon -t security-context-name path/to/file.so

Easy peasy. Except one thing. What is that "security-context-name"? On FC4 it is "texrel_shlib_t". (This is what Komodo's Linux installer attempts to do on that one file, "libnpscimoz.so", if SELinux is detected.) On CentOS (a clone of RHEL) it is apparently something else because:

chcon: failed to change context of /home/msoulier/komodo/lib/mozilla/plugins/libnpscimoz.so to user_u:object_r:texrel_shlib_t: Invalid argument

On other Linux distros: who knows? I am not currently aware of a way to programmatically figure out what the built-in and user-defined set of valid security context names is for a given SELinux install. Any pointers anyone could provide would be appreciated.

Tagged: komodo, activestate


blog comments powered by Disqus