Bug 512375 - SELinux policy missing for Oracle sqlplus 11.1
Summary: SELinux policy missing for Oracle sqlplus 11.1
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy-targeted
Version: 5.3
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: rc
Target Release: ---
Assignee: Daniel Walsh
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-07-17 15:10 UTC by Ruben Saar
Modified: 2015-05-05 13:54 UTC
CC List: 5 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-03-30 07:50:01 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2010:0182 0 normal SHIPPED_LIVE selinux-policy bug fix update 2010-03-29 12:19:53 UTC

Description Ruben Saar 2009-07-17 15:10:06 UTC
Description of problem:
When SELinux is in enforcing mode, start of sqlplus fails with:
sqlplus: error while loading shared libraries: /usr/lib/oracle/default/client64/lib/libclntsh.so.11.1: cannot restore segment prot after reloc: Permission denied

Version-Release number of selected component (if applicable):
RHEL 5.3   2.6.18-128.2.1.el5  x86_64
oracle-instantclient11.1-basic-11.1.0.7.0-1
oracle-instantclient11.1-sqlplus-11.1.0.7.0-1
libselinux-1.33.4-5.1.el5
libselinux-utils-1.33.4-5.1.el5
libselinux-1.33.4-5.1.el5
selinux-policy-2.4.6-203.el5
selinux-policy-targeted-2.4.6-203.el5

Steps to Reproduce:
1. sudo setenforce Enforcing
2. sqlplus
  
Actual results:
the error message above

Expected results:
sqlplus running

Additional info:
Policy can be created and installed manually:
$ sqlplus
$ sudo grep avc /var/log/audit/audit.log | grep '/usr/lib/oracle/11.1/client64/lib/libclntsh.so.11.1' | tail -1 | audit2allow -M sqlplus
$ sudo semodule -i sqlplus.pp
$ cat sqlplus.te
module sqlplus 1.0;

require {
        type unconfined_t;
        type lib_t;
        class file execmod;
}

#============= unconfined_t ==============
allow unconfined_t lib_t:file execmod;

Comment 1 Daniel Walsh 2009-07-19 16:21:21 UTC
This is a misbuilt file by oracle.  They build the library incorrectly or require assembly language.

# semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libclntsh.so.11.1
# restorecon -R -v /usr/lib/oracle/11.1/client64/lib/libclntsh.so.11.1

Comment 2 Ruben Saar 2009-07-31 14:43:06 UTC
I confirm that your two commands fix the problem.
But certainly Oracle should fix its library.

Comment 3 Daniel Walsh 2009-08-03 12:02:02 UTC
I agree, but sadly they don't always listen to me.  :^(

Fixed in selinux-policy-2.4.6-256.el5

I believe this has missed RHEL5.4, so it will be in RHEL5.5

Comment 7 Rich Graves 2010-03-26 21:48:20 UTC
New patch for Oracle Instant Client is

/usr/lib/oracle/11.2/client64/lib/libocci.so.11.1

If your policy could allow /usr/lib/oracle/, that'd be fine.

Comment 8 errata-xmlrpc 2010-03-30 07:50:01 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0182.html

Comment 9 Laurent Schneider 2015-02-09 14:04:50 UTC
I tried with the full 12c 12.1.0.2 linux 32bits client on rh5.11/x64 and it also fails with 

sqlplus: error while loading shared libraries: /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1: cannot restore segment prot after reloc: Permission denied

Comment 10 Milos Malik 2015-02-09 14:18:32 UTC
Could you attach SELinux denials which appeared on that machine?

# ausearch -m avc -m user_avc -m selinux_err -i -ts today

Comment 11 Laurent Schneider 2015-02-09 14:51:20 UTC
----
type=SYSCALL msg=audit(02/09/2015 15:04:22.532:236984) : arch=i386 syscall=mprotect success=no exit=-13(Permission denied) a0=f5b98000 a1=2273000 a2=5 a3=ffb78b00 items=0 ppid=3970 pid=3626 auid=u22166 uid=oracle gid=dba euid=oracle suid=oracle fsuid=oracle egid=dba sgid=dba fsgid=dba tty=pts4 ses=43091 comm=sqlplus exe=/u01/app/oracle/product/12.1.0/client32/bin/sqlplus subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(02/09/2015 15:04:22.532:236984) : avc:  denied  { execmod } for  pid=3626 comm=sqlplus path=/u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1 dev=dm-2 ino=182385 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
----


It works fine with the 12.1.0.2 64bit client

$ file sqlplus; sqlplus -v
sqlplus: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), not stripped

SQL*Plus: Release 12.1.0.2.0 Production

But not with 32bit

$ file sqlplus; sqlplus -v
sqlplus: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), not stripped
sqlplus: error while loading shared libraries: /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1: cannot restore segment prot after reloc: Permission denied

Comment 12 Laurent Schneider 2015-02-09 14:54:21 UTC
Nothing obvious from the ls -Z command

$ ls -lZd client* client*/bin client*/lib client*/lib/libclntsh.so.12.1 client*/bin/sqlplus

drwxr-xr-x  oracle dba user_u:object_r:user_home_t:s0   client32
drwxr-xr-x  oracle dba user_u:object_r:user_home_t:s0   client32/bin
-rwxr-x--x  oracle dba user_u:object_r:user_home_t:s0   client32/bin/sqlplus
drwxr-xr-x  oracle dba user_u:object_r:user_home_t:s0   client32/lib
-rwxr-xr-x  oracle dba user_u:object_r:user_home_t:s0   client32/lib/libclntsh.so.12.1


drwxr-xr-x  oracle dba user_u:object_r:user_home_t:s0   client64
drwxr-xr-x  oracle dba user_u:object_r:user_home_t:s0   client64/bin
-rwxr-x--x  oracle dba user_u:object_r:user_home_t:s0   client64/bin/sqlplus
drwxr-xr-x  oracle dba user_u:object_r:user_home_t:s0   client64/lib
-rwxr-xr-x  oracle dba user_u:object_r:user_home_t:s0   client64/lib/libclntsh.so.12.1

Comment 13 Milos Malik 2015-02-09 15:02:23 UTC
Does it work when you change the label of 32-bit libraries to textrel_shlib_t?

# chcon -t textrel_shlib_t client32/lib/libclntsh.so.12.1

Comment 14 Laurent Schneider 2015-02-09 15:04:19 UTC
yes

$ file sqlplus; sqlplus -v
sqlplus: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), not stripped

SQL*Plus: Release 12.1.0.2.0 Production

Comment 15 Laurent Schneider 2015-02-09 16:52:28 UTC
And if I restore the context, it fails again

restorecon client32/lib/libclntsh.so.12.1

thanks for your solution

Comment 16 Milos Malik 2015-02-09 17:54:08 UTC
Here is a command which adds the textrel_shlib_t label permanently:

# semanage fcontext -a -t textrel_shlib_t /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1

Here is a command which checks if the pattern is present:

# semanage fcontext -l | grep libclntsh

Here is a command which deletes the textrel_shlib_t label permanently:

# semanage fcontext -d -t textrel_shlib_t /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1
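The procedure the thread converges on (Comment 1, Comment 13, Comment 16) is to give the one library that genuinely needs text relocations the textrel_shlib_t type, rather than installing the audit2allow module from the description, which would grant execmod on every lib_t file to unconfined_t. The script below is an added example, not code from the bug report or from the selinux-policy package: it reads AVC records in the `ausearch -i` format of Comment 11, extracts the libraries denied execmod, checks each path against the shipped fcontext pattern listed in Comment 17 (so that an already-covered file only needs restorecon), and prints the semanage/restorecon commands for the rest. The sample records are constructed here: the first is the real denial from Comment 11, the unrelated read denial and the libocci.so.12.1 path under /u01 are made up for the example.

```shell
#!/bin/sh
# Added example, not from the bug report or from the selinux-policy package.
# Turns execmod AVC denials into the narrow per-file fix the thread settles on
# (textrel_shlib_t via semanage fcontext + restorecon), and checks whether a
# path is already covered by the shipped fcontext pattern from comment 17.

# Constructed sample in the "ausearch -i" format of comment 11. The first
# record is the real denial from the thread; the other two are made up here
# (an unrelated read denial that must be ignored, and a second library).
SAMPLE_AVC='type=AVC msg=audit(02/09/2015 15:04:22.532:236984) : avc:  denied  { execmod } for  pid=3626 comm=sqlplus path=/u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1 dev=dm-2 ino=182385 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(02/09/2015 15:05:01.100:236990) : avc:  denied  { read } for  pid=4001 comm=sqlplus name=tnsnames.ora dev=dm-2 ino=99 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(02/09/2015 15:06:10.200:236995) : avc:  denied  { execmod } for  pid=4100 comm=sqlplus path=/u01/app/oracle/product/12.1.0/client32/lib/libocci.so.12.1 dev=dm-2 ino=182390 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file'

# Shipped pattern for libclntsh as listed by "semanage fcontext -l" in
# comment 17. File-context regexes are anchored, hence grep -x below.
DEFAULT_PATTERN='/usr/lib(64)?/oracle/.*/lib/libclntsh\.so(\.[^/]*)*'

# execmod_paths: read audit records on stdin and print each distinct path
# that was denied execmod on a regular file. Other denials are dropped.
execmod_paths() {
    grep 'avc:  denied  { execmod }' | grep 'tclass=file' |
        sed -n 's/.* path=\([^ ]*\) .*/\1/p' | sort -u
}

# covered_by_policy PATH: succeed when PATH already matches DEFAULT_PATTERN,
# i.e. restorecon alone would label it textrel_shlib_t.
covered_by_policy() {
    printf '%s\n' "$1" | grep -E -x -q "$DEFAULT_PATTERN"
}

# has_textrel LIB: comment 20's readelf check; true if the library carries a
# TEXTREL dynamic tag and therefore genuinely needs the execmod exception.
has_textrel() {
    readelf -d "$1" 2>/dev/null | grep -q 'TEXTREL'
}

# fix_commands: read audit records on stdin and print, for each library that
# is not already covered by policy, the permanent fix from comment 16. The
# commands are printed rather than run so they can be reviewed first; apply
# with:  printf '%s\n' "$SAMPLE_AVC" | fix_commands | sh
fix_commands() {
    execmod_paths | while read -r lib; do
        if covered_by_policy "$lib"; then
            printf '# %s already matches the shipped pattern; run: restorecon -v %s\n' "$lib" "$lib"
        else
            printf 'semanage fcontext -a -t textrel_shlib_t %s\n' "$lib"
            printf 'restorecon -v %s\n' "$lib"
        fi
    done
}

# Stand-alone run: show what would be applied for the sample records.
printf '%s\n' "$SAMPLE_AVC" | fix_commands
```

The pattern check is what explains the difference between the paths in this thread: /usr/lib/oracle/11.1/client64/lib/libclntsh.so.11.1 (the instantclient RPM location from the description) matches the shipped regex and is relabelled by a plain restorecon, while Oracle's /u01/app/oracle/... install tree does not match it and needs a local `semanage fcontext -a` rule. Labelling only that file keeps the execmod exception to the library that carries TEXTREL instead of extending it to every lib_t library on the system.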

Comment 17 Laurent Schneider 2015-02-10 08:03:41 UTC
Thanks, this is very useful. 

# semanage fcontext -d -t textrel_shlib_t /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1
# restorecon /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1
$  client32/bin/sqlplus -v
sqlplus: error while loading shared libraries: /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1: cannot restore segment prot after reloc: Permission denied

Could you explain why the 64bit works?

# semanage fcontext -d -t textrel_shlib_t /u01/app/oracle/product/12.1.0/client64/lib/libclntsh.so.12.1
/usr/sbin/semanage: File context for /u01/app/oracle/product/12.1.0/client64/lib/libclntsh.so.12.1 is not defined
# restorecon /u01/app/oracle/product/12.1.0/client64/lib/libclntsh.so.12.1
# semanage fcontext -l | grep libclntsh
/usr/lib(64)?/oracle/.*/lib/libclntsh\.so(\.[^/]*)* regular file       system_u:object_r:textrel_shlib_t:s0
$ client64/bin/sqlplus -v
SQL*Plus: Release 12.1.0.2.0 Production

Regards
Laurent

Comment 18 Milos Malik 2015-02-10 08:36:08 UTC
I'm not sure, but the execmod part of the following blog post might help:
 * http://danwalsh.livejournal.com/6117.html

Comment 19 Laurent Schneider 2015-02-10 08:41:16 UTC
> So if you get an execmod on a library, you should report this as a bug to the package maintainer or upstream

I will. I have opened an SR with Oracle and will post the Oracle Bug Number once filed.

Thanks a lot!!!

Comment 20 Laurent Schneider 2015-02-20 14:27:35 UTC
Could you explain to me why the same package works in rh6.6 and not rh5.11?

# semanage fcontext -l | grep libclntsh
/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)* all files          system_u:object_r:textrel_shlib_t:s0
$ readelf -d 12.1.0/client32/lib/libclntsh.so.12.1 | grep TEXTREL
 0x00000016 (TEXTREL)                    0x0
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
$ 12.1.0/client32/bin/sqlplus -v
SQL*Plus: Release 12.1.0.2.0 Production

Thanks
Laurent

Comment 21 Milos Malik 2015-02-20 15:29:45 UTC
Is the libclntsh.so located in the same path? Could you provide the output of the following command?

$ ls -Z 12.1.0/client32/lib/libclntsh.so*

Comment 22 Laurent Schneider 2015-02-20 15:47:30 UTC
It is exactly the same file and the same location.


RH5
[root]# ls -Z 12.1.0/client32/lib/libclntsh.so.12.1
-rwxr-xr-x  oracle dba user_u:object_r:user_home_t:s0   12.1.0/client32/lib/libclntsh.so.12.1
# cksum  12.1.0/client32/lib/libclntsh.so.12.1
2926082875 45809550 12.1.0/client32/lib/libclntsh.so.12.1

[RH6]# ls -Z 12.1.0/client32/lib/libclntsh.so.12.1
-rwxr-xr-x. oracle dba system_u:object_r:default_t:s0   12.1.0/client32/lib/libclntsh.so.12.1
# cksum  12.1.0/client32/lib/libclntsh.so.12.1
2926082875 45809550 12.1.0/client32/lib/libclntsh.so.12.1


I see a tiny difference...
one file has no trailing dot
-rwxr-xr-x 
and one file has a trailing dot
-rwxr-xr-x. 


Cheers
Laurent

Comment 23 Milos Malik 2015-02-20 16:13:57 UTC
I believe that both files should be labeled lib_t. Does sqlplus work after executing the following command?

# chcon -t lib_t 12.1.0/client32/lib/libclntsh.so.12.1

If you see the "cannot restore segment prot after reloc: Permission denied" message again then run the following command:

# chcon -t textrel_shlib_t 12.1.0/client32/lib/libclntsh.so.12.1

Let me know if any of these commands helped. chcon is a temporary solution, restorecon will revert the labels to default values. If it works then we can create a permanent solution via semanage.

Comment 24 Laurent Schneider 2015-02-20 16:29:43 UTC
lib_t does not help. Yes, textrel_shlib_t helps, but not always:

$ tnsping "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=SRV1)(PORT=1521)))"
TNS-12560: TNS:protocol adapter error

While disabling SELinux solves all problems (but it is not a solution).

Oracle promises me they will work on it to provide me a patch for RH5.

Comment 25 Laurent Schneider 2015-05-05 13:54:26 UTC
For your information:

Oracle Support Bug 20915410 (12.1 32-BIT CLIENT SQLPLUS FAILS TO LOAD LIBCLNTSH.SO ON RHEL5/OEL5 WITH SELINUX) can be found at: https://support.oracle.com/epmos/faces/BugDisplay?id=20915410

