ASL with Plesk Expand and CDNS

singeX
Forum User

I was wondering if ASL is a good solution for and/or has been tested on a server with Plesk Expand and the centralized dns controller. It doesn't host any websites and doesn't have psa on it. But I still wanted some extra security and a hardened kernel.

Specs:
CentOS5 64bit (2.6.18-8.1.15.el5)
bind-9.3.3-9.0.1.el5
expand-2.2.1-27
dnscontroller-2.0.2-1

I don't see why it wouldn't be but if ASL isn't really suited for it then I'm open to suggestions.
scott
Atomicorp Staff - Site Admin

Sure, there are several folks I know running it on expand servers.
singeX

I installed the asl kernel but now I'm getting an error when trying to start the expand services. My guess is that PaX is the cause. Here's the error:

# service expandtm start
Starting expandtm: /usr/local/expand/sbin/expandtm: error while loading shared libraries: libexp.so: cannot enable executable stack as shared object requires: Permission denied

# service expandom start
Starting expandom: /usr/local/expand/sbin/expandom: error while loading shared libraries: libexp.so: cannot enable executable stack as shared object requires: Permission denied

What would be a good way to fix it? I'm not familiar with how to use 'chpax' but I'm guessing the answer lies there.
scott

Yes indeed, for starters can you give me the output of:

rpm -qf /usr/local/expand/sbin/expandom and
rpm -qf /usr/local/expand/sbin/expandtm


After that you can disable PaX (why they need an executable stack I have no idea) with:

chpax -emsrpx /usr/local/expand/sbin/expandom
chpax -emsrpx /usr/local/expand/sbin/expandtm

I'll have that added into ASL soon, so this is just a temp fix for your system.
singeX

# rpm -qf /usr/local/expand/sbin/expandom
expand-2.2.1-27

# rpm -qf /usr/local/expand/sbin/expandtm
expand-2.2.1-27


expandom and expandtm are running now; however, it looks like PaX needs to be disabled for everything else in the '/usr/local/expand/sbin' directory.


Would it be a bad idea to do 'chpax -emsrpx /usr/local/expand/sbin/*' or should that be ok?


Here are a couple of errors from the action log in expand:

/usr/local/expand/sbin/exp_plesk_ev_wd: error while loading shared libraries: libexp.so: cannot enable executable stack as shared object requires: Permission denied

/usr/local/expand/sbin/exp_plesk_centralized_dns_zone: error while loading shared libraries: libexp.so: cannot enable executable stack as shared object requires: Permission denied


Here's a listing of the directory /usr/local/expand/sbin/:

expandctl
expandgreet
expandmysql
expandom
expandsignal
expandtm
expandupm
exp-backup
exp_expand_config
exp_expand_ev
exp_expand_evconf
exp_expand_evconf_notif
exp_expand_evconf_runprog
exp_expand_ev_notif
exp_expand_ev_runprog
exp_expand_license
exp_plesk_auth
exp_plesk_backup
exp_plesk_centralized_db
exp_plesk_centralized_dns
exp_plesk_centralized_dns_zone
exp_plesk_client
exp_plesk_dictionary
exp_plesk_dns
exp_plesk_domain
exp_plesk_domainalias
exp_plesk_ev
exp_plesk_ev_notif
exp_plesk_ev_runprog
exp_plesk_ev_wd
exp_plesk_group
exp_plesk_helpdesk
exp_plesk_ip
exp_plesk_mail_server
exp_plesk_migration
exp_plesk_multi_client
exp_plesk_server
exp_plesk_session
exp_plesk_siteapp
exp_plesk_tmpl_client
exp_plesk_tmpl_domain
exp_plesk_tmpl_srv_client
exp_plesk_tmpl_srv_domain
exp-restore
exp_vz_hn
locale_engine
operator
pamon
sysinfo
xmlchecker