[Starkit] loading shared libraries in Starkit with SELinux
Mark Roseman
mark at markroseman.com
Tue Aug 22 13:10:16 CEST 2006
Just a heads up if you start having Linux users complaining that your
Starkit/Starpack based application won't run (or run properly..) on
their newer Linux system, but it seems fine on everyone else's..

As background, SELinux is the newer fine-grained permissions system
that many distros have adopted, and provides all kinds of security
policies to make it so that bad things don't happen on the system.
Or, for that matter, many good things. These include for example
whether a particular shared library can be loaded, whether certain
directories (say, /tmp) can be written to, and so on.

When loading a shared library from a Starkit, it's of course copied
out to a temporary file in /tmp and loaded from there. Depending on
SELinux settings, this can result in the load command returning
useful error messages like "couldn't load file "./htmldiff.so":
./htmldiff.so: cannot restore segment prot after reloc: Permission
denied" or "couldn't load file "/tmp/tcl0eBzhy": /tmp/tcl0eBzhy:
failed to map segment from shared object: Operation not permitted".

Both of those were from our customers, after some digging... my
advice is to capture errors around all "load" calls carefully. One
can avoid this by disabling SELinux altogether of course (or setting
it to 'permissive' mode, which warns rather than prevents
operations). For "normal" shared libraries, there are ways to set
the 'security context' of the file (using the chcon command) to allow
them to be loaded, but given that in the Starkit case these are
temporary files created new each time, that'd be hard to do.

Hopefully some SELinux guru can provide some definitive advice in
terms of how best to approach these sorts of issues (other than
turning the damn thing off), but at least it's something Starkit
developers should be aware of.

Mark
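
The advice above to capture errors around "load" calls, as an added example that is not part of the original post: a Tcl wrapper that catches a failed load and reports whether the loader text matches the two SELinux-related messages quoted in the message. The proc names safeLoad, looksLikeSELinuxDenial and selinuxMode are hypothetical, and the selinuxfs paths assume a standard mount point.

```tcl
# Added example (assumes Tcl 8.5+ for {*}); proc names are hypothetical.

# Report the SELinux mode by reading the selinuxfs "enforce" node
# (/sys/fs/selinux on current kernels, /selinux on older ones).
proc selinuxMode {} {
    foreach node {/sys/fs/selinux/enforce /selinux/enforce} {
        if {![catch {open $node r} fh]} {
            set value [string trim [read $fh]]
            close $fh
            return [expr {$value eq "1" ? "enforcing" : "permissive"}]
        }
    }
    return "disabled or unknown"
}

# True when the loader error text matches either failure quoted in the post.
proc looksLikeSELinuxDenial {msg} {
    foreach pattern {
        "*cannot restore segment prot after reloc*"
        "*failed to map segment from shared object*"
    } {
        if {[string match $pattern $msg]} { return 1 }
    }
    return 0
}

# Load a shared library; on failure raise an error that separates a likely
# policy denial from an ordinary missing or corrupt file, so the application
# can log it and show the user something actionable.
proc safeLoad {path args} {
    if {![catch {load $path {*}$args} err]} {
        return
    }
    if {[looksLikeSELinuxDenial $err]} {
        error "load of $path blocked by security policy\
               (SELinux mode: [selinuxMode]); loader said: $err"
    }
    error "load of $path failed: $err"
}
```

Calling safeLoad in place of load keeps the original loader message in the error text, which is what an administrator needs to match against the system's audit log.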