SELinux dead annoying?

SELinux no fun, annoying, better to disable during installation!!!!
As mentioned before, I have just switched to Fedora Core 7. But after switching, what I’ve found dead annoying is SELinux. I haven’t got much clue about what this SELinux is about. It seems to be some kind of new security policy for program execution that has been added to the recent distributions of Linux. I appreciate the additional security on Linux, but it damn well causes some inconvenience, especially when it comes to installing third-party software.

The first thing I wanted to do after getting my Fedora Core 7 was to get my Apache web server with PHP to run. I quickly mounted my own old hard drive that is still on Fedora Core 3, where I have an Apache. I tried to start that Apache on the mounted partition, but it failed to start, with a message saying “cannot restore segment prot after reloc: Permission denied” (preceded by another, longer message, so not handy to print here). At first I thought this was due to different libs or modules with the new kernel, so that I had to recompile my Apache + PHP (I’m used to using the Unix compilation version instead of those RPMs). So, I did that for all of Apache and PHP, going thru those ./configure, make, make install. All went thru well, and then I tried to start Apache again. Again, it showed me a similar problem, the same message.

The only thing I could do then was to google around, by typing the message “cannot restore segment prot after reloc: Permission denied” into Google’s search text box. And I found this web page telling me that SELinux is the culprit behind all this. So, I followed the instructions; first I tried to issue the command

chcon -t textrel_shlib_t /usr/local/www/modules/libphp4.so

Then I tried to restart Apache, but it seemed to be to NO avail. So, I then tried using the GUI SELinux Management tool, by adding a label, but the system gave me a big window with all the errors… as shown in the following attached screenshot.

[Screenshot: SELinux GUI Management Tool failed to add label]

Finally, I decided to set SELinux to disabled (I set it to enforcing during installation time as I didn’t know much about what it was. My thought at first was that having extra security was good). So, I did that by editing /etc/sysconfig/selinux, then setting SELINUX=disabled instead of enforcing. I then thought I probably needed to do some kind of /etc/init.d/selinux restart to activate it, but it has nothing to do with that. When I got back to the SELinux GUI Management, it showed me the System Default Enforcing Mode is now “disabled”, but the Current Enforcing Mode still remained “enforcing”. Then I tried to start my Apache, and this time it works! Even though I set the SELINUX variable in /etc/sysconfig/selinux back to “enforcing”, I can still start and run my Apache web server. So, this currently leaves me with some kind of puzzle as to which one had taken effect to let Apache run. The only thing I need to do is to explore more about this new SELinux security feature. Or totally disable SELinux to avoid any hassle when running any 3rd party software. Doesn’t it mean we have to sacrifice some security if we wanna run some 3rd party software on newer distros of Linux? Sounds like it’s getting more complex. But I’ll try to explore more about SELinux when I have some free time later.
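The gap described above, between the mode written in /etc/sysconfig/selinux and the Current Enforcing Mode, can be checked from a shell. This is an added example, not part of the original post: the function names are hypothetical and the sample config is constructed. It assumes the config file is only read at boot and that getenforce reports the running mode.

```shell
#!/bin/sh
# Added example: compare the SELinux mode configured for the next boot with
# the mode the running kernel is using right now.

# Print the SELINUX= value from a config file, lowercased.
# Comment lines and SELINUXTYPE= are ignored; the last assignment wins.
configured_mode() {
    sed -n 's/^[[:space:]]*SELINUX=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" |
        tail -n 1 | tr 'A-Z' 'a-z'
}

# Print the running mode, lowercased; "disabled" when getenforce is absent.
running_mode() {
    if command -v getenforce >/dev/null 2>&1; then
        getenforce | tr 'A-Z' 'a-z'
    else
        echo disabled
    fi
}

# compare_modes CONFIG_FILE [RUNNING_MODE]
# Returns 0 on match, 1 on mismatch, 2 if the file has no SELINUX= line.
compare_modes() {
    cfg=$(configured_mode "$1")
    run=${2:-$(running_mode)}
    if [ -z "$cfg" ]; then
        echo "unknown: no SELINUX= line in $1"; return 2
    elif [ "$cfg" = "$run" ]; then
        echo "match: configured=$cfg running=$run"; return 0
    else
        echo "mismatch: configured=$cfg running=$run (file is read at boot)"
        return 1
    fi
}

# Constructed sample: file edited to "disabled" while the kernel still enforces.
sample=$(mktemp)
printf '%s\n' '# SELINUX= can take: enforcing, permissive, disabled' \
    'SELINUX=disabled' 'SELINUXTYPE=targeted' > "$sample"
compare_modes "$sample" enforcing || true
rm -f "$sample"
```

On a live system, `compare_modes /etc/sysconfig/selinux` with no second argument takes the running mode from getenforce.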
