Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #21 from dks/master
SElinux Problems When Running Indirectly (Константин Дворцов)
- Loading branch information
Showing
2 changed files
with
222 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| /////////////////////////////////////////////////////////////////////////////// | ||
| // Using Unoconv with OpenOffice af Fedora 12 // | ||
| /////////////////////////////////////////////////////////////////////////////// | ||
|
|
||
| //first check whether unoconv is installed at all =) | ||
| [root@localhost ~]# yum info unoconv | ||
| //Must have INSTALLED note at Repository field | ||
|
|
||
| //Give it a try | ||
| [root@localhost ~]# unoconv -f html sample.doc | ||
| Error: Unable to connect or start own listener. Aborting. | ||
| //Ooops, something is wrong | ||
|
|
||
| //Check whether OpenOffice is installed | ||
| [root@localhost ~]# yum info openoffice.org-writer | ||
| //Install if it is not | ||
| [root@localhost ~]# yum install openoffice.org-writer | ||
|
|
||
| //Try again | ||
| [root@localhost ~]# unoconv -f html sample.doc | ||
| /usr/lib/openoffice.org3/program/soffice.bin X11 error: Can't open display: | ||
| Set DISPLAY environment variable, use -display option | ||
| or check permissions of your X-Server | ||
| (See "man X" resp. "man xhost" for details) | ||
| Error: Unable to connect or start own listener. Aborting. | ||
| //Okay, bad thing. We will need X virtual buffer | ||
|
|
||
| //Check whether Xvbf is installed | ||
| [root@localhost ~]# yum info xorg-x11-server-Xvfb | ||
| //Install it if it is not | ||
| [root@localhost ~]# yum install xorg-x11-server-Xvfb | ||
|
|
||
| //Try it | ||
| [root@localhost ~]# xvfb-run -f /tmp/anyXauthority soffice | ||
| ^C[root@localhost ~]# | ||
| //Seems like working. [^C - means CTRL + C was pressed to terminate ongoing job] | ||
|
|
||
| //Run it in the background | ||
| [root@localhost /]# Xvfb :2 | ||
| (EE) config/hal: NewInputDeviceRequest failed (2) | ||
| (EE) config/hal: NewInputDeviceRequest failed (2) | ||
| (EE) config/hal: NewInputDeviceRequest failed (2) | ||
| ^C | ||
| //Wooo, bad thing. But don't scare. This error does not prevent it from working. | ||
| //Just suppress error messages and run it in the background | ||
| [root@localhost /]# Xvfb :2 2>/dev/null & | ||
| [2] 22360 | ||
| //Seems OK | ||
|
|
||
| //Get it from background and terminate the job. | ||
| [root@localhost /]# fg | ||
| Xvfb :2 2> /dev/null | ||
| ^C[root@localhost /]# | ||
|
|
||
| //Now we need to set up DISPLAY environmental variable for OO to work with XVFB | ||
| [root@localhost /]# export DISPLAY=localhost:2.0 | ||
|
|
||
| //Here we go! | ||
| [root@localhost /]# Xvfb :2 2>/dev/null & | ||
| [2] 22370 | ||
|
|
||
| //TRY AGAIN! | ||
| [root@localhost /]# unoconv -f html sample.doc | ||
| Xlib: extension "RANDR" missing on display "localhost:2.0". | ||
| //Success!! Yep, this error also can be ignored. | ||
|
|
||
| //Suppress the error when using unoconv | ||
| [root@localhost ~]# unoconv -f html sample.doc 2>/dev/null | ||
| //YES!!! WE DID IT! | ||
|
|
||
| //Once finished, shutdown the virtual frame buffer | ||
| [root@localhost ~]# fg | ||
| Xvfb :2 2> /dev/null (wd: /) | ||
| ^C | ||
|
|
||
| /////////////////////////////////////////////////////////////////////////////// |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,146 @@ | ||
| /////////////////////////////////////////////////////////////////////////////// | ||
| // // | ||
| // THIS BRIEF NOTE IS AIMED TO HELP THOSE WHO WANT TO INSTALL UNOCONV // | ||
| // AS A SERVICE AVAILABLE TO HTTP SERVER IN ORDER PROVIDE ONLINE DOCUMENT // | ||
| // CONVERSION. // | ||
| // // | ||
| /////////////////////////////////////////////////////////////////////////////// | ||
|
|
||
| PREREQUISITES: It is implied that you have successfully installed Linux system | ||
| and Web server, as well as you have superuser [root] access. | ||
| It is also implied that you have sucessfully installed OpenOffice/LibreOffice | ||
| and Unoconv packages and Unoconv is working correctly from the console. | ||
|
|
||
| [Since it is impossible to cover all webservers only Apache + PHP is described.] | ||
|
|
||
| Apache Configuration: | ||
| Make sure your server is not running in chroot environment, since the rest of | ||
| the system will be isolated. | ||
|
|
||
| PHP Configuration: | ||
| Make sure you server can perform system calls: you would need to use commands | ||
| like exec(), shell_exec(), passthru(), system() etc. Basically you need to check | ||
| that in php.ini or script settings: | ||
| -safe_mode flag is off | ||
| -disable_functions value is empty | ||
| If everything is OK, you should be able to run unoconv with statements like: | ||
| exec("unoconv -f html -o target_dir $filename"); | ||
|
|
||
| Possible trouble makers: | ||
|
|
||
| 1. Wrong Java. Possibility: Highly Unlikely. | ||
| Keep in mind that open source java [openjdk] and Sun's java are NOT the same. | ||
| LibreOffice uses openjdk, however typically they do not interfere with each | ||
| other, even if they both installed at the same machine. | ||
|
|
||
| 2. Iptables. Possibility: Highly Unlikely. | ||
| Iptables firewall can block ports requred for LibreOffice communications. | ||
| However most of the default settings on modern Linux distributions allow free | ||
| access to ports from the inside (localhost), so this should not cause a problem. | ||
| If you still think it is iptables, try to disable it temporary and see what | ||
| happens (keep in mind you must be root): | ||
| [root@localhost ~]# service iptables stop | ||
| Stopping iptables (via systemctl): [ OK ] | ||
| //try run unoconv and then | ||
| [root@localhost ~]# service iptables start | ||
| Starting iptables (via systemctl): [ OK ] | ||
|
|
||
| 3. Linux File Permissions Problem. Possibility: Low. | ||
| Well, if unoconv and LibreOffice installations was correct anybody on the system | ||
| can use them. It is possible however that due some omissions or manual file | ||
| access rights changes only specific user can execute them. If that is the case, | ||
| you can either change the file access modes using "chmod" command, or [ since | ||
| most of us does not know all LibreOffice files by name] login server under a | ||
| different username. Keep in mind Apache runs under specific username, specified | ||
| at "httpd.conf" file (typically located at "/etc/httpd/conf/httpd.conf"), change | ||
| there "User" and "Group" settings. Alternatively you could run command using | ||
| "sudo". In that case however you would possibly have to set sudoers file,usually | ||
| running a "visudo" command. You would have to understand it syntax, though. | ||
|
|
||
| 4. Libreoffice-Headless. Possibility: Medium. | ||
| It is possible that package libreoffice-headless was not initially installed. | ||
| This package is required by LibreOffice to run in console mode. | ||
| //check whether it is installed | ||
| [root@localhost ~]# yum info libreoffice-headless | ||
| //if not - install it. | ||
| [root@localhost ~]# yum install libreoffice-headless | ||
|
|
||
| 5. Selinux. Possibility: VERY HIGH. | ||
| Despite unindicative error messages this is the most probable culpruit of office | ||
| services and consequently unoconv errors. Example error messages can look like: | ||
|
|
||
| [Java framework] Error in function createSettingsDocument (elements.cxx). | ||
| javaldx failed! | ||
| Failed to connect to /usr/bin/soffice (pid=4478) in 6 seconds. | ||
| Connector : couldn't connect to socket (Success) | ||
| Error: Unable to connect or start own listener. Aborting. | ||
|
|
||
| To check whether it is truly SElinux problem turn off enforcing mode: | ||
| [root@localhost ~]# setenforce 0 | ||
| //try to run unoconv here, once finished, restore enforcing mode | ||
| [root@localhost ~]# setenforce 1 | ||
|
|
||
| If SElinux was causing error we need to find what exactly happened. Let's look | ||
| into logs: | ||
| [root@localhost ~]# tail /var/log/messages | ||
|
|
||
| You would probably see some mesages, any of these can pop out: | ||
|
|
||
| Jan 5 07:55:00 localhost setroubleshoot: SELinux is preventing /usr/bin/python | ||
| from name_connect access on the tcp_socket port 2002. For complete SELinux mess | ||
| ages. run sealert -l 18e8ce5d-6a20-4de6-8e38-1f99f66f007a | ||
|
|
||
| Jan 6 04:26:28 localhost setroubleshoot: SELinux is preventing sudo from nlmsg_ | ||
| relay access on the netlink_audit_socket Unknown. For complete SELinux messages. | ||
| run sealert -l a1dd5ddd-8bef-49a2-b0b1-8674e2f522aa | ||
|
|
||
| Jan 6 04:26:28 localhost setroubleshoot: SELinux is preventing /usr/bin/python | ||
| from read access on the file /root/.libreoffice/3/user/extensions/bundled/regist | ||
| ry/com.sun.star.comp.deployment.component.PackageRegistryBackend/unorc. For comp | ||
| lete SELinux messages. run sealert -l 7d7631c3-6b3f-4101-84e3-f3e46880af26 | ||
|
|
||
| Jan 6 05:34:14 localhost setroubleshoot: SELinux is preventing /usr/lib64/libre | ||
| office/program/soffice.bin from name_bind access on the tcp_socket port 2002. Fo | ||
| r complete SELinux messages. run sealert -l 32267995-c70c-4d67-86f1-552f07ea7 | ||
| 557 | ||
|
|
||
| ... and so on and so forth. For those who is interested in SElinux specific info | ||
| take a look at audit log: | ||
| [root@localhost ~]# tail /var/log/audit/audit.log | ||
| //this one is not easy to read though | ||
|
|
||
| Whatever, we need to explain to our angry friend we really want to use unoconv. | ||
|
|
||
| The rest is really simple or terribly difficult, depending on what you intend to | ||
| do with this problem. You can try figure out every file and process involved and | ||
| handwrite SElinux policy module. Or you can use the proposal contained in the | ||
| log to generate this automatically. The latter is far more simple, so we stick | ||
| to this solution, though it has chances to open up some security holes. | ||
|
|
||
| Anyway, run sealert with the parameters given in log: | ||
| [root@localhost log]# sealert -l d9e5bd7c-50eb-4636-93dd-912ccf800a7e | ||
| //you will get some explanations about error here and a proposal how to fix it | ||
| //like for example "run the following": | ||
| # grep systemd-tmpfile /var/log/audit/audit.log | audit2allow -M mypol | ||
| # semodule -i mypol.pp | ||
|
|
||
| Basically this is the way to go. However here comes the tricky part. If you use | ||
| this to generate several SElinux policy modules sequentially, old module will | ||
| replace the new one, since they have same names, so you will end up exactly | ||
| where you started. But you need all that together. | ||
|
|
||
| For example, judging by the previous messages we need to perform several actions | ||
| like allow python socket access, allow python file access, allow libreoffice | ||
| file access etc. Thus we need to group all these errors together to generate a | ||
| single policy module. | ||
|
|
||
| In my case I had to do give permissions to unoconv, libreoffice and sudo (I used | ||
| it from webserver, however it turned out it was not required later): | ||
|
|
||
| [root@localhost ~]# grep "soffice.bin\|sudo\|unoconv" /var/log/audit/audit.log | | ||
| audit2allow -M phpextpol && semodule -i phpextpol.pp | ||
| //"phpextpol" - can be any name you give to your security module | ||
|
|
||
| That's all for starters. Please, refer to manpages for details. Good luck. | ||
|
|
||
| /////////////////////////////////////////////////////////////////////////////// |