Bug 514506

Summary: SELinux is preventing httpd from loading /usr/lib64/libnnz11.so which requires text relocation.
Product: Red Hat Enterprise Linux 5 Reporter: Joe Murray <joe.murray>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: low Docs Contact:
Priority: low    
Version: 5.4CC: dwalsh, mgrepl, mmalik
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Prior to this update, SELinux prevented the httpd service from loading the /usr/lib/libnnz11.so (or /usr/lib64/libnnz11.so on a 64-bit system) library, which requires a text relocation. With this update, the SELinux context for this particular library has been changed from the default to "textrel_shlib_t", so that the library can now be loaded as expected.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-13 21:47:58 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Joe Murray 2009-07-29 13:21:16 UTC 
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11) Gecko/2009061613 CentOS/3.0.11-2.el5.centos Firefox/3.0.11

Note: I'm trying to be helpful by reporting this as requested but frankly the system is not really usable for a newbie to enter these bugs. Might be nice for those getting the reports, but it really doesn't provide the help I need to post this back. Would be better if I could just click a button on the error message to send it to somewhere appropriate. If you don't want this, just delete it.

Summary:

SELinux is preventing httpd from loading /usr/lib64/libnnz11.so which requires
text relocation.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

The httpd application attempted to load /usr/lib64/libnnz11.so which requires
text relocation. This is a potential security problem. Most libraries do not
need this permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib64/libnnz11.so to use relocation as a workaround, until the library is
fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib64/libnnz11.so to run correctly, you can change the file
context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib64/libnnz11.so'"
You must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/lib64/libnnz11.so'"

The following command will allow this access:

chcon -t textrel_shlib_t '/usr/lib64/libnnz11.so'

Additional Information:

Source Context                system_u:system_r:httpd_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib64/libnnz11.so [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost
Source RPM Packages           httpd-2.2.3-22.el5.centos.2
Target RPM Packages           liboci8-zend-11-1
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     localhost
Platform                      Linux localhost 2.6.18-128.2.1.el5xen #1 SMP Tue
                              Jul 14 07:07:49 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 29 Jul 2009 08:10:10 AM EDT
Last Seen                     Wed 29 Jul 2009 08:10:10 AM EDT
Local ID                      396d924a-879a-4d86-9882-b7934d68b090
Line Numbers                  

Raw Audit Messages            

host=localhost type=AVC msg=audit(1248869410.482:13): avc:  denied  { execmod } for  pid=3826 comm="httpd" path="/usr/lib64/libnnz11.so" dev=dm-0 ino=3506290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

host=localhost type=SYSCALL msg=audit(1248869410.482:13): arch=c000003e syscall=10 success=yes exit=0 a0=2b2686a8c000 a1=2a0000 a2=5 a3=2b2686a8f110 items=0 ppid=1 pid=3826 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)




Reproducible: Always

Steps to Reproduce:
Looks like the library needs to be recompiled/rewritten, or some user documentation provided to noobs like me to help me.
Comment 1 Nalin Dahyabhai 2009-07-29 15:18:09 UTC 
Off-hand, I'm guessing this is a bug in the liboci8-zend-11-1 package, which is the package that provides the shared library which is triggering the error.

Running "chcon -t textrel_shlib_t /usr/lib64/libnnz11.so" may disable the protection check and allow the application to run, but it won't actually be fixing the bug.  I don't think we built that package, so there's not much else I can suggest other than reporting the bug to the package's vendor.

I'm leaning toward marking this closed->cantfix.
Comment 2 Daniel Walsh 2009-07-29 16:31:56 UTC 
# semanage fcontext -a -t textrel_shlib_t /usr/lib64/libnnz11.so
# restorecon -v /usr/lib64/libnnz11.so

Will actually set this permanent.

We do not ship libnnz11.s0

So please report this as a bug to them.  Most likely they built the library incorrectly,  The library requires a PIC flag.

This link explains the check.

http://people.redhat.com/~drepper/selinux-mem.html

I can add the label to SELinux policy for now.
Comment 3 Daniel Walsh 2009-07-29 16:37:09 UTC 
Looks like this is an oracle library.

/usr/lib/oracle/.*/lib/libnnz.*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)

/opt/(.*/)?oracle/(.*/)?libnnz.*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)

Is in the current selinux-policy

So I will add

/usr/lib(64)?/libnnz11.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)

to Rawhide.

Miroslav, 

can you add this label to F11 and F10.
Comment 4 Miroslav Grepl 2009-07-31 09:08:11 UTC 
Added to selinux-policy-3.6.12-71.fc11 and selinux-policy-3.5.13-68.fc10
Comment 5 Daniel Walsh 2009-08-21 20:59:09 UTC 
Fixed in selinux-policy-2.4.6-255.el5
Comment 10 Jaromir Hradilek 2011-01-05 15:58:20 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Prior to this update, SELinux prevented the httpd service from loading the /usr/lib/libnnz11.so (or /usr/lib64/libnnz11.so on a 64-bit system) library, which requires a text relocation. With this update, the SELinux context for this particular library has been changed from the default to "textrel_shlib_t", so that the library can now be loaded as expected.
Comment 12 errata-xmlrpc 2011-01-13 21:47:58 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html