GBrowse icon indicating copy to clipboard operation
GBrowse copied to clipboard

Published 20 hours ago verified publisher icon GMOD

Installation fails on SELinux-aware kernel, but with SELinux not enabled

Open rdhayes opened this issue 12 years ago • 6 comments

Hi,

I recently encountered an install issue with GBrowse v2.39 on a machine with SELinux support compiled into the kernel, but were SELinux was disabled or otherwise in permissive mode.

The install helper module GBrowseInstall.pm has a fix_selinux() subroutine that looks for "selinux" in /proc/filesystems and then attempts to run /usr/bin/chcon on various install locations.

However, this machine has SELinux kernel support ("nodev selinux" in in /proc/filesystems) but has /selinux/enforce set to zero. Thus, the calls to /usr/bin/chcon fail and installation does not fully complete.

I suggest that fix_selinux() be changed to also check the value in /selinux/enforce when deciding that SELinux is enabled during an install.

This situation remains in the most recent release v2.49 source as well. One suggested patch, tested out on my server with patched v2.39 source, is the following addition to GBrowseInstall.pm starting after line 528:

my $enabled = IO::File->new('/selinux/enforce') or return;
return unless grep /1/,<$enabled>;

rdhayes avatar Jun 08 '12 22:06 rdhayes

true, it is also especially annoying that I can't pass the SELINUX=0 parameter anymore to override it

epaule avatar Jul 30 '12 16:07 epaule

Hi Richard,

I just did some testing with GBrowse 2.52 on CentOS 6.3 with SELinux both enabled and disabled in VirtualBox, and GBrowse2 installed successfully without this patch. Is there something I'm missing?

scottcain avatar Dec 03 '12 15:12 scottcain

I tried 2.49 on RHEL 6.1 at that time (SE-linux enabled, but not enforced), and tried to install as non-root.

epaule avatar Dec 03 '12 16:12 epaule

Hi Michael,

That seems like a separate issue but is no doubt valid. Would you mind creating a separate issue for it?

scottcain avatar Dec 03 '12 16:12 scottcain

I think it was this issue, as when I hardcoded the SELINUX=0 it worked perfectly fine ... but i guess Lincoln's solution might have as well.

epaule avatar Dec 03 '12 16:12 epaule

Hi all,

This might have been something odd in our server's Debian installation, but I'm not sure. We had at least one instance where the simple test in GBrowseInstall::fix_selinux() for whether /proc/filesystems contains a "selinux" entry meant that the Gbrowse installation process then assumed SELinux was enabled when it was not. This current process in v2.52 only looks at /proc/filesystems. I was proposing that GBrowse also check /selinux/enforce for the value of "1" to verify that SELinux is truly enabled and not just that the kernel has support built in, which is what /proc/filesystems is reporting. Assuming that I have all of that correct :)

On Mon, Dec 3, 2012 at 7:57 AM, Scott Cain [email protected] wrote:

Hi Richard,

I just did some testing with GBrowse 2.52 on CentOS 6.3 with SELinux both enabled and disabled in VirtualBox, and GBrowse2 installed successfully without this patch. Is there something I'm missing?

— Reply to this email directly or view it on GitHubhttps://github.com/GMOD/GBrowse/issues/15#issuecomment-10958596.

Richard D. Hayes, Ph.D. Joint Genome Institute / Lawrence Berkeley National Lab http://www.phytozome.net

rdhayes avatar Dec 03 '12 20:12 rdhayes