Hey guys, I know this is an old post, but I just ran into this exact issue and this thread is the first result.
I'm not satisfied with disabling SELinux, because I'd prefer to utilize the extra security it offers. I'm on CentOS 6.7 x64. I did a little bit of research, and found out how to go about creating a policy specific to running hlds with AMXMODX.
Reading through CentOS' wiki on SELinux, there's a good way to test if SELinux is keeping a process from running without disabling it entirely. To check if SELinux is enabled, run:
Code:
[user@server ~]$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 24
Policy from config file: targeted
To test if SELinux is keeping something from running, do:
Code:
[user@server ~]$ su
[root@server ~/user]# setenforce 0
This sets SELinux to 'Permissive' mode, which will allow processes access where before they were denied. Try to run the server through command line, or if you're using a script like I am, do:
Code:
[root@server ~/user]# su csserver
[csserver@server ~/user]$ cd
[csserver@server ~]$ ./csserver debug
In my case, the server then ran, loaded AMXMODX, and was left at
Code:
VAC secure mode is activated.
So, to fix the SELinux access without disabling it entirely, you'll need a package called "setroubleshoot". You'll also want to set SELinux back to "Enforcing".
Code:
[csserver@server ~]$ su
[root@server ~/csserver]# setenforce 1
[root@server ~/csserver]# yum -y install setroubleshoot
This package provides a bunch of tools, but we're only interested in two of them. The first is "sealert", the second is "audit2allow". Here's how you use them:
Code:
[root@server ~/csserver]# sealert -a /var/log/audit/audit.log > selog.txt
This command looks for SELinux entries in the audit log, and parses it into a text file that is more human readable. I use vi, but you can use your preferred text editor (e.g. nano).
Code:
[root@server ~/csserver]# vi selog.txt
Read through this, and you'll find some cool stuff. Particularly:
Code:
SELinux is preventing /home/csserver/serverfiles/hlds_linux from using the execheap access on a process.
This file even tells you how to create and install the requisite SELinux policy. Read through it, but what it suggests is this:
Code:
# grep hlds_linux /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
I prefer not to leave file names to default, so I ran:
Code:
[root@server ~/csserver]# grep hlds_linux /var/log/audit/audit.log | audit2allow -M hlds_amx_pol
[root@server ~/csserver]# semodule -i hlds_amx_pol.pp
The first command searches through the audit log, and pipes (with the | character) entries for "hlds_linux" into the audit2allow tool, which creates SELinux policies from the audit log. The second command installs the policy. Note: it took a minute, so don't worry. Just give it time.
Once it's done, test it:
Code:
[root@server ~/csserver]# su csserver
[csserver@server ~]$ ./csserver debug
Your server should launch normally. If it did while SELinux was in Permissive mode, but doesn't after this fix, run through this process again to figure out what's getting denied.
Once again, I got to
Code:
VAC secure mode is activated.
Whereas before, I would see exactly the same as OP.
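Added example, not part of the original post: before running semodule -i, it helps to see which denials the grep | audit2allow pipeline above will turn into allow rules. This sketch lists the AVC denials for one command name as source type, target type, class and permission, and picks out memory-execution permissions such as the execheap denial quoted above. The function names and the sample log lines are constructed for illustration.

```shell
# Added example: list what SELinux denied for one command, for review before "semodule -i".
# On a real host (as root): summarize_avc hlds_linux < /var/log/audit/audit.log

# Constructed sample audit.log lines (not taken from the original post).
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1450000000.101:501): avc:  denied  { execheap } for  pid=2101 comm="hlds_linux" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1450000000.202:502): avc:  denied  { read open } for  pid=2101 comm="hlds_linux" name="server.cfg" dev=sda1 ino=1234 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:admin_home_t:s0 tclass=file
type=AVC msg=audit(1450000000.303:503): avc:  denied  { name_bind } for  pid=3000 comm="httpd" src=8081 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1450000000.404:504): avc:  denied  { execheap } for  pid=2150 comm="hlds_linux" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
EOF
}

# Read audit log lines on stdin and print one unique line per denied permission
# for the given comm: "<source type> <target type> <class> <permission>".
summarize_avc() {
    awk -v comm="$1" '
    /avc:/ && /denied/ && index($0, "comm=\"" comm "\"") {
        s = t = c = ""
        p = $0; sub(/^.*[{] */, "", p); sub(/ *[}].*$/, "", p)   # text inside { ... }
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, a, ":"); s = a[3] }   # third field is the type
            if ($i ~ /^tcontext=/) { split($i, a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        n = split(p, perms, " ")
        for (j = 1; j <= n; j++) print s, t, c, perms[j]
    }' | LC_ALL=C sort -u
}

# Keep only the memory-execution permissions, which deserve a closer look
# before they are allowed in a custom module.
risky_denials() {
    summarize_avc "$1" | awk '$4 ~ /^(execheap|execmem|execstack|execmod)$/'
}

sample_log | summarize_avc hlds_linux
```

audit2allow -M hlds_amx_pol also writes hlds_amx_pol.te next to the .pp file, so the generated allow rules can be read and compared with this summary before the module is installed.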