denvercoder denvercoder - 3 years ago 292
Linux Question

Apache executes MATLAB binary on CentOS 7 with SELinux

I am trying to trigger the run of a precompiled MATLAB program on a CentOS 7 server from within an Apache context. The system allows the user to upload some files. Then some sanity checks are performed. Then the MATLAB program is called and it performs some MATLAB magic.

I installed the MATLAB environment with:

unzip -d mcr_unzipped
sudo mcr_unzipped/install -glnx86 -tmpdir ~/tmp -mode silent -agreeToLicense yes

I added LD_LIBRARY_PATH to the http.conf file:

SetEnv LD_LIBRARY_PATH /usr/local/MATLAB/MATLAB_Runtime/v90/runtime/glnxa64:/usr/local/MATLAB/MATLAB_Runtime/v90/bin/glnxa64:/usr/local/MATLAB/MATLAB_Runtime/v90/sys/os/glnxa64:/usr/local/MATLAB/MATLAB_Runtime/v90/sys/opengl/lib/glnxa64

I tried giving the folder of my web application the type httpd_sys_rw_content_t and the MATLAB environment got the type httpd_fastcgi_script_exec_t:

chcon -R -t httpd_sys_rw_content_t /var/www/webapp
#allow exec:
setsebool -P httpd_ssi_exec 1
chcon -Rv --type=httpd_fastcgi_script_exec_t /usr/local/MATLAB/

When I disable SELinux with "setenforce 0" then the setup works. Apache runs the MATLAB binary, and all my plots and stuff are available.

I fixed some issues by adding a policy from the audit.log:

audit2allow -a -M mypolicy
semodule -i mypolicy.pp

And adding the paths to the /etc/ like this:

echo "/usr/local/MATLAB/MATLAB_Runtime/v90/runtime/glnxa64" > /etc/

and calling ldconfig afterwards.

My problem:

When SELinux is enforcing, the MATLAB runtime environment cannot be loaded. Here is /var/log/httpd/error_log for the specific time:

[Thu Jul 13 15:54:28.676588 2017] [:error] [pid 1382] [client] PHP Notice: ... some warning or notice
Error:Could not find version 9.0 of the MATLAB Runtime.
Attempting to load
Please install the correct version of the MATLAB Runtime.
Contact your vendor if you do not have an installer for the MATLAB Runtime.
[Thu Jul 13 15:54:29.056179 2017] [:error] [pid 1382] [client] PHP Warning: ... some warning or notice

As you can see the execution fails as if the path to the MATLAB environment is not set.

  • I tried calling the script that the MATLAB C compiler generated, instead of the binary, but to no avail.

  • I tried "chcon -t textrel_shlib_t" for the MATLAB *.so's and my binary.

  • I tried enabling different/even all bools of SELinux (virtual machine dev environment FTW)

  • I installed setroubleshoot + setroubleshoot-server

  • I do not have any entries in /var/log/message and /var/log/audit/audit.log when the PHP file is called

Does anybody have an idea what I could do about that, except disabling SELinux?

Answer Source

The solution was a combination of several things:

#since MATLAB is JAVA based:
sudo setsebool -P httpd_execmem 1

#allow exec tempfiles for httpd service
sudo setsebool -P httpd_tmp_exec 1

#flag MATLAB runtime lib as such an executable:
semanage fcontext -a -t systemd_tmpfiles_exec_t '/usr/local/MATLAB/MATLAB_Runtime/v90/sys/os/glnxa64/'
restorecon -v /usr/local/MATLAB/MATLAB_Runtime/v90/sys/os/glnxa64/

#flag my own binary as shell executable:
semanage fcontext -a -t shell_exec_t '/var/www/html/myMatlabCompiledBinary'
restorecon -v /var/www/html/myMatlabCompiledBinary
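
The question reports no entries in audit.log while enforcing mode still blocks the binary. A common cause is that the denials match dontaudit rules, which can be switched off temporarily with semodule -DB. The following is an added example, not code from the question or the answer: it summarises AVC denials for the httpd_t domain so the narrowest boolean or label can be chosen. The function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. On the real host the sequence is:
#   semodule -DB        # rebuild policy with dontaudit rules disabled
#   (reproduce the failing request)
#   ausearch -m avc -ts recent | summarize_httpd_avc
#   semodule -B         # rebuild again, dontaudit rules back on

# Constructed audit records (assumed values, not from the poster's system).
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1499954068.676:412): avc:  denied  { execmem } for  pid=1382 comm="matlab_app" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=SYSCALL msg=audit(1499954068.676:412): arch=c000003e syscall=9 success=no exit=-13 comm="matlab_app"
type=AVC msg=audit(1499954068.701:413): avc:  denied  { execute } for  pid=1382 comm="matlab_app" path="/tmp/constructed.so" dev="dm-0" ino=1234 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_tmp_t:s0 tclass=file permissive=0
type=AVC msg=audit(1499954069.056:414): avc:  denied  { execmem } for  pid=1383 comm="matlab_app" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process permissive=0
type=AVC msg=audit(1499954070.100:415): avc:  denied  { read } for  pid=900 comm="other" name="x" dev="dm-0" ino=99 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
EOF
}

# Reads audit records on stdin and prints "count permissions tclass target_type"
# for each distinct denial whose source domain is httpd_t.
summarize_httpd_avc() {
  awk '
    /avc:/ && /denied/ {
      perms = ""; stype = ""; ttype = ""; tclass = ""; inbrace = 0
      for (i = 1; i <= NF; i++) {
        if ($i == "{") { inbrace = 1; continue }
        if ($i == "}") { inbrace = 0; continue }
        # Several permissions can appear in one record, e.g. { read open }.
        if (inbrace) { perms = (perms == "" ? $i : perms "," $i); continue }
        # Contexts are user:role:type:level, so the type is the third part.
        if ($i ~ /^scontext=/) { split($i, c, ":"); stype = c[3] }
        if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
        if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
      }
      if (stype == "httpd_t") seen[perms " " tclass " " ttype]++
    }
    END { for (k in seen) print seen[k], k }
  ' | LC_ALL=C sort -k2
}

# Stand-alone run over the constructed sample.
sample_audit_log | summarize_httpd_avc
```

In this constructed sample, the execmem denial on the process class corresponds to the httpd_execmem boolean and the execute denial on httpd_tmp_t to httpd_tmp_exec, the two booleans the answer enables.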