Plex Media Server on Fedora 24 weird SELinux issue

Recently I upgraded my Plex Media Server from Fedora 23 to Fedora 24, and upon restart my Plex Media Server service was not starting.

After digging around a bit, I discovered that with SELinux in enforcing mode the service would not start (exiting with code “127”).

The only error I could find was a message saying that the Plex Media Server binary was not able to load some required library when SELinux was enabled. Funny thing is that there is no AVC denial error in the audit logs. Also, reloading the Plex Media Server bundled SELinux policy or relabeling the filesystem did not help.

After fiddling around a bit, I discovered that I had to move the LD_LIBRARY_PATH declaration from the Environment to the ExecStart line, otherwise with the system in SELinux Enforcing mode the line is basically ignored and the server does not start:

--- plexmediaserver.service.orig	2016-06-19 21:47:57.793407813 +0200
+++ plexmediaserver.service	2016-06-19 21:48:16.984683363 +0200
@@ -7,11 +7,10 @@
 ExecStartPre=/bin/sh -c '/usr/bin/test -d "${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR}" || /bin/mkdir -p "${PLEX_MEDIA_SERVER_APPLICATION_SUPPORT_DIR}"'
-ExecStart=/bin/sh -c '/usr/lib/plexmediaserver/Plex\ Media\ Server'
+ExecStart=/bin/sh -c 'LD_LIBRARY_PATH=/usr/lib/plexmediaserver /usr/lib/plexmediaserver/Plex\ Media\ Server'
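
Review bot: the `+ExecStart` line now sets `LD_LIBRARY_PATH=/usr/lib/plexmediaserver` inside the `/bin/sh -c` string, with nothing in the unit recording why, so a later cleanup could move it back to an `Environment=` line and reintroduce the startup failure. Add a `#` comment line above `ExecStart` stating that the variable is set in the shell command deliberately. The header `@@ -7,11 +7,10 @@` also says the new file is one line shorter, yet no other removed line is visible in this hunk; post the complete hunk so the dropped line can be checked.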

I don’t even know how to report this bug. Does anyone have an idea about it and why this happens? Is it related to some sort of SELinux boolean?

10 thoughts on “Plex Media Server on Fedora 24 weird SELinux issue”

  1. With Plex 1.0.1, the bundled service file seems to allow Plex to start at least, but now it’s unable to access my remote Samba shares (all my movies are stored on my NAS) with SELinux in enforcing mode. Your fix is still required.

  2. Btw, new Plex Media Server package has come out. I still have the same issue with the Environment lines ignored in the unit file.

    1. Your comment is too vague. At least provide the Reddit link. What kind of error do you get? If you say, we might help.
      Works fine here.

  3. Probably bashrc or bash_profile (/bin/sh is a symlink to bash) overwrites your LD_LIBRARY_PATH variable. Try to add --noprofile --norc to bash. Or you can also remove sh -c and run plexmediaserver directly. It’s not SELinux, it’s bash which is forking and setting up its environment.

  4. Interesting. SELinux checks glibc AT_SECURE (the “process noatsecure” access vector), and the SELinux security policy seems to enforce “secureexec”.

    Does it work in permissive mode? If so, adding the following rule might “fix” it: allow init_t domain:process noatsecure;

    The above rule would be a little too broad, but it’s just a proof of concept.

    1. Apart from the irony of it, can you explain better? This means *all* the Environment lines are actually ignored?

      1. Yes, please explain better.

        If it is now a ‘feature’ to ignore directives in a systemd configuration file or other commands as directed by ‘root’, what are we doing then? How am I, as a developer, supposed to configure a package, define how it is to start, and configure it to run after I have gone through the trouble of keeping everything atomic by keeping all executables and required shared libraries (I bring them with in the rpm) in their own directory away from potentially overwriting anything else? Am I supposed to ‘hack’ the command line and put ALL the needed environment variables on the command line, e.g. “/bin/sh -c var1=value1 var2=value2 /path/to/program”?

        Why do SELinux and bash think they now know better than I what is needed to run my software, which is installed by root?
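
To test the AT_SECURE explanation offered in the comments, this added example (not code from the post, its commenters or Plex) reads `/proc/<pid>/auxv` and `/proc/<pid>/environ`. It reports whether the process was started in secure-execution mode, in which glibc's dynamic loader ignores LD_LIBRARY_PATH, and whether the variable was passed to it at all. The function names and the sample bytes are constructed for illustration.

```python
"""Report whether a process was started in glibc secure-execution mode."""
import pathlib
import struct
import sys

AT_NULL = 0     # terminates the auxiliary vector
AT_SECURE = 23  # non-zero: kernel requested secure-execution mode
NATIVE_WORD = struct.calcsize("P")

# Constructed sample (64-bit layout): AT_PAGESZ=4096, AT_SECURE=1, AT_NULL.
SAMPLE_AUXV = struct.pack("=6Q", 6, 4096, AT_SECURE, 1, AT_NULL, 0)
SAMPLE_ENVIRON = b"LANG=C\0LD_LIBRARY_PATH=/usr/lib/plexmediaserver\0"


def parse_auxv(data, word_size=NATIVE_WORD):
    """Decode /proc/<pid>/auxv: native-endian (type, value) word pairs."""
    fmt = "=QQ" if word_size == 8 else "=II"
    usable = len(data) - len(data) % (2 * word_size)
    entries = {}
    for a_type, a_val in struct.iter_unpack(fmt, data[:usable]):
        if a_type == AT_NULL:
            break
        entries[a_type] = a_val
    return entries


def env_has(environ, name):
    """True if NUL-separated /proc/<pid>/environ data defines `name`."""
    prefix = name.encode() + b"="
    return any(item.startswith(prefix) for item in environ.split(b"\0"))


def diagnose(auxv, environ, word_size=NATIVE_WORD):
    """Return (secure_exec, ld_library_path_passed) for one process."""
    secure = parse_auxv(auxv, word_size).get(AT_SECURE, 0) != 0
    return secure, env_has(environ, "LD_LIBRARY_PATH")


def read_proc(pid):
    """Read live data for `pid`; other users' processes need root."""
    base = pathlib.Path("/proc") / str(pid)
    return (base / "auxv").read_bytes(), (base / "environ").read_bytes()


if __name__ == "__main__":
    pid = sys.argv[1] if len(sys.argv) > 1 else "self"
    secure, passed = diagnose(*read_proc(pid))
    print(f"pid {pid}: AT_SECURE={int(secure)} LD_LIBRARY_PATH passed={passed}")
```

Run it as root with a PID from the service's control group (`systemctl status` lists them); with no argument it inspects itself. A result of `AT_SECURE=1` together with `LD_LIBRARY_PATH passed=True` means the variable reached the process but the loader disregarded it.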
