Thursday, April 2, 2015

Symantec 12.1.5 on Linux LiveUpdate failures -- BouncyCastleProvider

TL;DR version: To fix this, temporarily remove the "noexec" mount option from /tmp and run the install.sh program again.

We recently started using Symantec 12.1.5 on our Linux systems at work. I installed the client on a test system and immediately had issues with LiveUpdate:

/opt/Symantec/symantec_antivirus/sav liveupdate -u
Picked up JAVA_TOOL_OPTIONS:
Command failed: Problem with LiveUpdate.
Check that java directory is in PATH
Unable to perform update

In liveupdt.log:

Apr 1, 2015 11:32:26 AM There was a failure in reading the settings from the .conf file.
Apr 1, 2015 11:32:26 AM org.bouncycastle.jce.provider.BouncyCastleProvider
Apr 1, 2015 11:32:26 AM JLU received a DeleteSetting command.

Running Liveupdate in debug mode:

java -cp /opt/Symantec/LiveUpdate/jlu.jar com.symantec.liveupdate.LiveUpdate -d
Using character set UTF-8
Command-line Product Selections to update:
(ProdName, Version, Lang, ItemSeqName, SeqNum)
Debug - output[nIdx] = uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_java_t:s0-s0:c0.c1023
Adding JLU to the current command line
JLU Linux, 3.10, English, LiveUpdateSeq, 26
Trying to load jar file from /opt/Symantec/LiveUpdate/bcprov-jdk15on-148.jar
Trying to load jar file from current directory or mentioned in classpath
JLUException [
Nested Exception is:
[ java.lang.ClassNotFoundException ] org.bouncycastle.jce.provider.BouncyCastleProvider

java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
at java.net.URLClassLoader.findClass(Unknown Source)
[...]

I will leave out the frustrating troubleshooting my coworker and I did and give you the reason: Our security configuration specifies that we set the "noexec" mount option on /tmp.

Unfortunately, the Symantec install script requires exec on /tmp to install correctly. Specifically, it creates some temporary scripts in /tmp and runs them to install the BC (bouncycastle) provider. Here's an excerpt from the sepjlu-install.log:


Java LiveUpdate version 3.10 Build 26.
Extracted out unixinstall.sh to /tmp/1427202521861/unixinstall.sh.
Extracted out unixuninstall.sh to /tmp/1427202521861/unixuninstall.sh.
Extracted out liveupdate.conf to /tmp/1427202521861/liveupdate.conf.
Extracted out bcprov-jdk15on-148.jar to /tmp/1427202521861/bcprov-jdk15on-148.jar.
Copied /opt/Symantec/LiveUpdate/jlu.jar to /tmp/1427202521861/jlu-3.10.0.26.jar.
Error running /tmp/1427202521861/unixinstall.sh with reason: java.io.IOException: Cannot run program "/tmp/1427202521861/unixinstall.sh": error=13, Permission denied.

The script is supposed to copy bcprov-jdk15on-148.jar into $SYMROOT/LiveUpdate/, but obviously because "noexec" was set on /tmp, it couldn't run.

So in full, the solution is:


mount -o remount,exec /tmp
$INSTALLER_DIR/install.sh -i
mount -o remount,noexec /tmp

No comments:

Post a Comment