Description of problem:
When SELinux is in enforcing mode, start of sqlplus fails with:
sqlplus: error while loading shared libraries: /usr/lib/oracle/default/client64/lib/libclntsh.so.11.1: cannot restore segment prot after reloc: Permission denied

Version-Release number of selected component (if applicable):
RHEL 5.3 2.6.18-128.2.1.el5 x86_64
oracle-instantclient11.1-basic-11.1.0.7.0-1
oracle-instantclient11.1-sqlplus-11.1.0.7.0-1
libselinux-1.33.4-5.1.el5
libselinux-utils-1.33.4-5.1.el5
selinux-policy-2.4.6-203.el5
selinux-policy-targeted-2.4.6-203.el5

Steps to Reproduce:
1. sudo setenforce Enforcing
2. sqlplus

Actual results:
the error message above

Expected results:
sqlplus running

Additional info:
Policy can be created and installed manually:
$ sqlplus
$ sudo grep avc /var/log/audit/audit.log | grep '/usr/lib/oracle/11.1/client64/lib/libclntsh.so.11.1' | tail -1 | audit2allow -M sqlplus
$ sudo semodule -i sqlplus.pp
$ cat sqlplus.te
module sqlplus 1.0;

require {
	type unconfined_t;
	type lib_t;
	class file execmod;
}

#============= unconfined_t ==============
allow unconfined_t lib_t:file execmod;
This is a misbuilt file by Oracle. They build the library incorrectly or require assembly language.
# semanage fcontext -a -t textrel_shlib_t /usr/lib/oracle/11.1/client64/lib/libclntsh.so.11.1
# restorecon -R -v /usr/lib/oracle/11.1/client64/lib/libclntsh.so.11.1
I confirm that your two commands fix the problem. But certainly Oracle should fix its library.
I agree, but sadly they don't always listen to me. :^(
Fixed in selinux-policy-2.4.6-256.el5
I believe this has missed RHEL5.4, so it will be in RHEL5.5
New patch for Oracle Instant Client is /usr/lib/oracle/11.2/client64/lib/libocci.so.11.1
If your policy could allow /usr/lib/oracle/, that'd be fine.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.
http://rhn.redhat.com/errata/RHBA-2010-0182.html
I tried with the full 12c 12.1.0.2 linux 32bits client on rh5.11/x64 and it also fails with
sqlplus: error while loading shared libraries: /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1: cannot restore segment prot after reloc: Permission denied
Could you attach SELinux denials which appeared on that machine?
# ausearch -m avc -m user_avc -m selinux_err -i -ts today
----
type=SYSCALL msg=audit(02/09/2015 15:04:22.532:236984) : arch=i386 syscall=mprotect success=no exit=-13(Permission denied) a0=f5b98000 a1=2273000 a2=5 a3=ffb78b00 items=0 ppid=3970 pid=3626 auid=u22166 uid=oracle gid=dba euid=oracle suid=oracle fsuid=oracle egid=dba sgid=dba fsgid=dba tty=pts4 ses=43091 comm=sqlplus exe=/u01/app/oracle/product/12.1.0/client32/bin/sqlplus subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(02/09/2015 15:04:22.532:236984) : avc: denied { execmod } for pid=3626 comm=sqlplus path=/u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1 dev=dm-2 ino=182385 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
----

It works fine with the 12.1.0.2 64bit client
$ file sqlplus; sqlplus -v
sqlplus: ELF 64-bit LSB executable, AMD x86-64, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), not stripped
SQL*Plus: Release 12.1.0.2.0 Production

But not with 32bit
$ file sqlplus; sqlplus -v
sqlplus: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), not stripped
sqlplus: error while loading shared libraries: /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1: cannot restore segment prot after reloc: Permission denied
Nothing obvious from the ls -Z command
$ ls -lZd client* client*/bin client*/lib client*/lib/libclntsh.so.12.1 client*/bin/sqlplus
drwxr-xr-x oracle dba user_u:object_r:user_home_t:s0 client32
drwxr-xr-x oracle dba user_u:object_r:user_home_t:s0 client32/bin
-rwxr-x--x oracle dba user_u:object_r:user_home_t:s0 client32/bin/sqlplus
drwxr-xr-x oracle dba user_u:object_r:user_home_t:s0 client32/lib
-rwxr-xr-x oracle dba user_u:object_r:user_home_t:s0 client32/lib/libclntsh.so.12.1
drwxr-xr-x oracle dba user_u:object_r:user_home_t:s0 client64
drwxr-xr-x oracle dba user_u:object_r:user_home_t:s0 client64/bin
-rwxr-x--x oracle dba user_u:object_r:user_home_t:s0 client64/bin/sqlplus
drwxr-xr-x oracle dba user_u:object_r:user_home_t:s0 client64/lib
-rwxr-xr-x oracle dba user_u:object_r:user_home_t:s0 client64/lib/libclntsh.so.12.1
Does it work when you change the label of 32-bit libraries to textrel_shlib_t?
# chcon -t textrel_shlib_t client32/lib/libclntsh.so.12.1
Yes
$ file sqlplus; sqlplus -v
sqlplus: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.6.9, dynamically linked (uses shared libs), not stripped
SQL*Plus: Release 12.1.0.2.0 Production
And if I restore the context, it fails again
restorecon client32/lib/libclntsh.so.12.1
Thanks for your solution
Here is a command which adds the textrel_shlib_t label permanently:
# semanage fcontext -a -t textrel_shlib_t /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1

Here is a command which checks if the pattern is present:
# semanage fcontext -l | grep libclntsh

Here is a command which deletes the textrel_shlib_t label permanently:
# semanage fcontext -d -t textrel_shlib_t /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1
Thanks, this is very useful.
# semanage fcontext -d -t textrel_shlib_t /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1
# restorecon /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1
$ client32/bin/sqlplus -v
sqlplus: error while loading shared libraries: /u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1: cannot restore segment prot after reloc: Permission denied

Could you explain why the 64bit works?
# semanage fcontext -d -t textrel_shlib_t /u01/app/oracle/product/12.1.0/client64/lib/libclntsh.so.12.1
/usr/sbin/semanage: File context for /u01/app/oracle/product/12.1.0/client64/lib/libclntsh.so.12.1 is not defined
# restorecon /u01/app/oracle/product/12.1.0/client64/lib/libclntsh.so.12.1
# semanage fcontext -l | grep libclntsh
/usr/lib(64)?/oracle/.*/lib/libclntsh\.so(\.[^/]*)*    regular file    system_u:object_r:textrel_shlib_t:s0
$ client64/bin/sqlplus -v
SQL*Plus: Release 12.1.0.2.0 Production

Regards
Laurent
I'm not sure, but the execmod part of the following blog post might help:
* http://danwalsh.livejournal.com/6117.html
> So if you get an execmod on a library, you should report this as a bug to the package maintainer or upstream

I'll do that. I have opened an SR with Oracle and will post the Oracle Bug Number once filed.
Thanks a lot!!!
Could you explain to me why the same package works in rh6.6 and not rh5.11?
# semanage fcontext -l | grep libclntsh
/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)*    all files    system_u:object_r:textrel_shlib_t:s0
$ readelf -d 12.1.0/client32/lib/libclntsh.so.12.1 | grep TEXTREL
 0x00000016 (TEXTREL)                    0x0
$ cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
$ 12.1.0/client32/bin/sqlplus -v
SQL*Plus: Release 12.1.0.2.0 Production

Thanks
Laurent
Is the libclntsh.so located in the same path? Could you provide the output of the following command?
$ ls -Z 12.1.0/client32/lib/libclntsh.so*
It is exactly the same file and the same location

RH5
[root]# ls -Z 12.1.0/client32/lib/libclntsh.so.12.1
-rwxr-xr-x oracle dba user_u:object_r:user_home_t:s0 12.1.0/client32/lib/libclntsh.so.12.1
# cksum 12.1.0/client32/lib/libclntsh.so.12.1
2926082875 45809550 12.1.0/client32/lib/libclntsh.so.12.1

RH6
[RH6]# ls -Z 12.1.0/client32/lib/libclntsh.so.12.1
-rwxr-xr-x. oracle dba system_u:object_r:default_t:s0 12.1.0/client32/lib/libclntsh.so.12.1
# cksum 12.1.0/client32/lib/libclntsh.so.12.1
2926082875 45809550 12.1.0/client32/lib/libclntsh.so.12.1

I see a tiny difference... one file has no trailing dot (-rwxr-xr-x) and one file has a trailing dot (-rwxr-xr-x.).

Cheers
Laurent
I believe that both files should be labeled lib_t. Does sqlplus work after execution of the following command?
# chcon -t lib_t 12.1.0/client32/lib/libclntsh.so.12.1

If you see the "cannot restore segment prot after reloc: Permission denied" message again then run the following command:
# chcon -t textrel_shlib_t 12.1.0/client32/lib/libclntsh.so.12.1

Let me know if any of these commands helped. chcon is a temporary solution; restorecon will revert the labels to default values. If it works then we can create a permanent solution via semanage.
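The diagnosis in this thread is a small decision procedure: read the AVC record, confirm it is an execmod denial on a file, check whether the installed file_contexts already cover the path (the two libclntsh patterns quoted above, which only cover /usr/lib/oracle and not /u01/app/oracle), and then either restorecon a stale label or add a textrel_shlib_t rule. The script below is an added illustration of that procedure, not code from this bug or from Red Hat; the AVC line is a constructed sample modelled on the one pasted above, and it only prints the commands rather than running them.

```python
import re

# Constructed AVC record, modelled on the denial pasted earlier in this thread.
SAMPLE_AVC = (
    "type=AVC msg=audit(02/09/2015 15:04:22.532:236984) : avc: denied { execmod } "
    "for pid=3626 comm=sqlplus "
    "path=/u01/app/oracle/product/12.1.0/client32/lib/libclntsh.so.12.1 "
    "dev=dm-2 ino=182385 scontext=user_u:system_r:unconfined_t:s0 "
    "tcontext=user_u:object_r:user_home_t:s0 tclass=file"
)

# The two libclntsh fcontext patterns quoted in the thread (RHEL 5 vs RHEL 6 policy).
FCONTEXT_PATTERNS = {
    "rhel5": r"/usr/lib(64)?/oracle/.*/lib/libclntsh\.so(\.[^/]*)*",
    "rhel6": r"/usr/lib/oracle(64)?/.*/lib/libclntsh\.so(\.[^/]*)*",
}


def parse_avc(line):
    """Pull the fields that matter for an execmod denial out of one AVC record."""
    m = re.search(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}", line)
    if not m:
        return None  # SYSCALL records and other non-AVC lines carry no denial
    fields = dict(re.findall(r"(\w+)=(\S+)", line))
    return {
        "perms": m.group(1).split(),
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "tclass": fields.get("tclass"),
        # A context is user:role:type[:level]; the type is what policy keys on.
        "ttype": fields["tcontext"].split(":")[2],
    }


def fcontext_covers(pattern, path):
    """libselinux anchors file_contexts regexes to the whole path."""
    return re.fullmatch(pattern, path) is not None


def suggest_fix(line, patterns):
    """Return the labelling commands to run for an execmod file denial, or None."""
    avc = parse_avc(line)
    if avc is None or "execmod" not in avc["perms"] or avc["tclass"] != "file":
        return None
    if avc["ttype"] == "textrel_shlib_t":
        return None  # already the type that permits execmod on a shared library
    if any(fcontext_covers(p, avc["path"]) for p in patterns.values()):
        # Policy already knows this path: the on-disk label is stale, not missing.
        return ["restorecon -v " + avc["path"]]
    return ["semanage fcontext -a -t textrel_shlib_t " + avc["path"],
            "restorecon -v " + avc["path"]]
```

Fed the sample record with the RHEL 5 pattern set, it proposes the same semanage/restorecon pair given earlier in the thread; the 64-bit path under /usr/lib/oracle is already covered and only needs restorecon.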
lib_t does not help.
Yes, textrel_shlib_t helps, but not always
$ tnsping "(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(HOST=SRV1)(PORT=1521)))"
TNS-12560: TNS:protocol adapter error

While disabling SELinux solves all problems (but it is not a solution), Oracle promises me they will work on it to provide me a patch for RH5.
For your information: Oracle Support Bug 20915410 (12.1 32-BIT CLIENT SQLPLUS FAILS TO LOAD LIBCLNTSH.SO ON RHEL5/OEL5 WITH SELINUX) can be found at:
https://support.oracle.com/epmos/faces/BugDisplay?id=20915410