Libxmljs Update on CentOS 3.8 throws an SELinux Wobbley Fit
Monday, 20th August 2012, 15:40
So every now and again, I get brave. And I run "npm update", which can cause all sorts of issues as it updates my most relied-on node modules to ones which require changes to my code, or updates to libraries I have installed, or in the case of last week, just plain break on CentOS 3.8.
The offending module this time was libxmljs, and the offending error related to SELinux. Here is what flew up the console when I tried to launch any Node.js app post update:
domain.js:66
throw er;
^
Error: /var/www/node/node_modules/libxmljs/build/Release/libxmljs.node: cannot restore segment prot after reloc: Permission denied
    at Object.Module._extensions..node (module.js:485:11)
    at Module.load (module.js:356:32)
    at Function.Module._load (module.js:312:12)
    at Module.require (module.js:362:17)
    at require (module.js:378:17)
    at bindings (/var/www/node/node_modules/libxmljs/node_modules/bindings/bindings.js:74:15)
    at Object.<anonymous> (/var/www/node/node_modules/libxmljs/lib/bindings.js:1:99)
    at Module._compile (module.js:449:26)
    at Object.Module._extensions..js (module.js:467:10)
    at Module.load (module.js:356:32)
At first glance, that is a real... uh... um... whut? moment right there. But after a quick Google, although this specific module isn't mentioned, other Linux-related issues appear that link the phrase "cannot restore segment prot after reloc" quite clearly with SELinux, along with a lot of very dodgy-looking fixes to the problem.
I say dodgy, because I don't know, perhaps this is just me, but isn't SELinux some security feature? Designed to help protect against things like your database and web servers being compromised and abusing your system? I don't claim to be a world expert in network intrusion, but I'm pretty sure that if something is tripping your burglar alarm, turning it off permanently is not the solution, surely?
So some more research later, I discovered how to explicitly allow a specified library (or in this case node module) permission to restore its segment protection setting after relocating itself. Actually I have no idea if that is what it does which triggers this error, I'm doing what newspapers and radio shows across the world do on a regular basis, pretending my level of knowledge is adequate enough to make a statement on something.
Firstly, I am making some assumptions. These are the following:
- It is safe to let the libxmljs module do this
- Because I run every node webapp process under its own user, if this did somehow become compromised, damage would be limited
(please tell me you don't run them all under one, or root?)
Now, if you both assume and understand those, here is the a-lot-less-evil-than-just-turning-off-SELinux-command itself...
chcon -t texrel_shlib_t /var/www/node/node_modules/libxmljs/build/Release/libxmljs.node
Note that you will have to change the path to wherever you keep libxmljs for this to work. Also, if this isn't the module which is causing you problems, then you'll need to hunt down what that is yourself. Needless to say, if your problem is related to a Node.js module, then it is highly likely to be whatever *.node file is in that module's directory. If the issue is more widespread, then it is probably a library that ends in .so and sits in /usr/local/lib or suchlike.
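To help with that hunt, here is an added example (not part of the original post): a small scan that lists only the native modules built with text relocations, which is what SELinux refuses when this error appears, and prints the chcon command for the ones not yet labelled. It assumes readelf from binutils is installed; the function names and the sample readelf output are constructed for illustration.

```shell
#!/bin/sh
# Added example: find which native modules actually need texrel_shlib_t.

# Succeeds if the `readelf -d` output on stdin reports text relocations.
has_textrel() {
    grep -Eq '\(TEXTREL\)|\(FLAGS\).*TEXTREL'
}

# Prints the type field of an SELinux context (user:role:type[:level]).
selinux_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Lists every *.node / *.so under $1 that has text relocations, with its
# current SELinux type, and the chcon command for files not yet labelled.
scan_dir() {
    find "$1" -type f \( -name '*.node' -o -name '*.so' \) | while IFS= read -r f; do
        readelf -d "$f" 2>/dev/null | has_textrel || continue
        # The context is the first `ls -Z` field containing two colons.
        ctx=$(ls -Z "$f" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:.*:/) { print $i; exit } }')
        type=$(selinux_type "$ctx")
        if [ "$type" = "texrel_shlib_t" ]; then
            echo "ok      $f"
        else
            echo "needs   $f (currently ${type:-unlabelled})"
            echo "        chcon -t texrel_shlib_t '$f'"
        fi
    done
}

# Constructed sample of `readelf -d` output for a library with text relocations.
SAMPLE_TEXTREL=' 0x0000000000000016 (TEXTREL)            0x0
 0x000000000000001e (FLAGS)              TEXTREL'
# Constructed sample for a position-independent library (no TEXTREL entry).
SAMPLE_PIC=' 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libfoo.so]'

# Usage: sh scan.sh /var/www/node/node_modules
if [ "$#" -gt 0 ]; then scan_dir "$1"; fi
```

A label set with chcon does not survive a filesystem relabel or the file being replaced by a rebuild, so rerun the scan after each "npm update".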
Happy hunting!