Bug 844811

Summary: selinux-policy-2.4.6-327.el5
Product: Red Hat Enterprise Linux 5
Reporter: John Scanlon <scanlonj>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium
Priority: unspecified
Version: 5.7
CC: dwalsh, mmalik
Target Milestone: rc
Keywords: Reopened
Hardware: All
OS: Linux
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-08-06 08:28:38 UTC

Description John Scanlon 2012-07-31 21:51:39 UTC
Description of problem:
sealert -l c505d9af-9dfb-4a6b-928d-bc685f393e29

Summary:

SELinux is preventing clnaddrd from loading
/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 which requires
text relocation.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

The clnaddrd application attempted to load
/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 which requires
text relocation. This is a potential security problem. Most libraries do not
need this permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 to use relocation
as a workaround, until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 to
run correctly, you can change the file context to textrel_shlib_t. "chcon -t
textrel_shlib_t '/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1'"
You must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1'"

The following command will allow this access:

chcon -t textrel_shlib_t '/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1'

Additional Information:

Source Context                user_u:system_r:unconfined_t
Target Context                system_u:object_r:default_t
Target Objects                /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 [ file ]
Source                        sqlplus
Source Path                   /u01/app/oracle/product/11.2.0/client_1/bin/sqlplus
Port                          <Unknown>
Host                          WITB07
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-327.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     WITB07
Platform                      Linux WITB07 2.6.18-308.1.1.el5 #1 SMP Fri Feb 17 16:51:01 EST 2012 x86_64 x86_64
Alert Count                   24
First Seen                    Fri Jul 13 09:23:54 2012
Last Seen                     Mon Jul 30 09:28:41 2012
Local ID                      c505d9af-9dfb-4a6b-928d-bc685f393e29
Line Numbers

Raw Audit Messages

host=WITB07 type=AVC msg=audit(1343654921.310:4292): avc:  denied  { execmod } for  pid=23716 comm="clnaddrd" path="/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1" dev=dm-8 ino=3375455 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

host=WITB07 type=SYSCALL msg=audit(1343654921.310:4292): arch=c000003e syscall=10 success=yes exit=0 a0=2ad2161a7000 a1=228a000 a2=5 a3=2ad216243578 items=0 ppid=23680 pid=23716 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=pts1 ses=692 comm="clnaddrd" exe="/u02/app/clnaddr/clean_address_linux/bin/clnaddrd" subj=user_u:system_r:unconfined_t:s0 key=(null)

Version-Release number of selected component (if applicable):

uname -a
Linux WITB07 2.6.18-308.1.1.el5 #1 SMP Fri Feb 17 16:51:01 EST 2012 x86_64 x86_64 x86_64 GNU/Linux


How reproducible:
Reboot the host so that /etc/init.d autostarts the clean_address daemon

Steps to Reproduce:
1. reboot
2. attempt a connection from the host to the Oracle database using sqlplus 11gR2

Actual results:
SELinux in /var/log/messages

Expected results:

no SELinux message

Additional info:

Clean Address is a product from the vendor Runner Technologies:

http://www.runnertechnologies.com/cln_addr_faqs.html

Comment 1 Milos Malik 2012-08-01 08:25:13 UTC
The file mentioned in Target Objects is mislabelled. The following command should label it correctly:

# chcon -t textrel_shlib_t /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1

Comment 2 RHEL Program Management 2012-08-01 08:28:28 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 3 Miroslav Grepl 2012-08-01 08:36:41 UTC
You will need to tell SELinux how to label

/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1

as Milos wrote above. Or you can use semanage as the alert tells you.

Comment 4 John Scanlon 2012-08-01 15:39:01 UTC
I have performed the command as advised:
# chcon -t textrel_shlib_t /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1
How can I confirm or test it?
Regards,
John

Comment 5 Milos Malik 2012-08-01 15:46:44 UTC
Please use the same command which caused the original AVC. Perhaps the command which connects from host to oracle database using sqlplus 11gr2.
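As an added example, not part of this bug thread: a small POSIX sh helper that parses an AVC line of the form shown in the report, checks that it really is an execmod denial on a file, and prints the persistent relabel commands the sealert text recommends (semanage fcontext followed by restorecon, which survives a full relabel where a bare chcon does not). The sample AVC line is constructed from the report's values; the readelf line is a suggested check that the library actually carries a TEXTREL tag before its label is changed.

```shell
#!/bin/sh
# Added example (not from the bug report): triage an execmod AVC line from
# /var/log/audit/audit.log and print the persistent relabel commands.
# Nothing below modifies the system; the commands are only printed.

# Constructed sample line, modelled on the AVC quoted in the report.
SAMPLE_AVC='type=AVC msg=audit(1343654921.310:4292): avc:  denied  { execmod } for  pid=23716 comm="clnaddrd" path="/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1" dev=dm-8 ino=3375455 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'

# avc_field LINE KEY -> value of KEY=... with surrounding quotes stripped,
# empty if the key is absent. The leading space keeps pid= from matching ppid=.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perm LINE -> the denied permission inside { ... }
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# avc_type_of CONTEXT -> the type component (third field) of an SELinux context
avc_type_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# suggest_fix LINE -> prints relabel commands for an execmod denial on a file;
# returns 1 (with a note) for any other kind of denial.
suggest_fix() {
    line=$1
    perm=$(avc_perm "$line")
    tclass=$(avc_field "$line" tclass)
    path=$(avc_field "$line" path)
    ttype=$(avc_type_of "$(avc_field "$line" tcontext)")
    if [ "$perm" != execmod ] || [ "$tclass" != file ] || [ -z "$path" ]; then
        echo "not an execmod-on-file denial (perm=$perm tclass=$tclass)"
        return 1
    fi
    # Confirm the library really needs text relocation before relabelling it.
    echo "readelf -d '$path' | grep -q TEXTREL && echo 'has TEXTREL'"
    echo "# current type of the target: $ttype"
    echo "semanage fcontext -a -t textrel_shlib_t '$path'"
    echo "restorecon -v '$path'"
}

suggest_fix "$SAMPLE_AVC"
```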