Bug 514506 - SELinux is preventing httpd from loading /usr/lib64/libnnz11.so which requires text relocation.
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: x86_64 Linux
Priority: low
Severity: low
Assigned To: Miroslav Grepl
QA Contact: Milos Malik
Reported: 2009-07-29 09:21 EDT by Joe Murray
Modified: 2012-10-15 10:17 EDT (History)
Doc Type: Bug Fix
Doc Text:
Prior to this update, SELinux prevented the httpd service from loading the /usr/lib/libnnz11.so (or /usr/lib64/libnnz11.so on a 64-bit system) library, which requires a text relocation. With this update, the SELinux context for this particular library has been changed from the default to "textrel_shlib_t", so that the library can now be loaded as expected.
Last Closed: 2011-01-13 16:47:58 EST
Description Joe Murray 2009-07-29 09:21:16 EDT
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11) Gecko/2009061613 CentOS/3.0.11-2.el5.centos Firefox/3.0.11

Note: I'm trying to be helpful by reporting this as requested but frankly the system is not really usable for a newbie to enter these bugs. Might be nice for those getting the reports, but it really doesn't provide the help I need to post this back. Would be better if I could just click a button on the error message to send it to somewhere appropriate. If you don't want this, just delete it.

Summary:

SELinux is preventing httpd from loading /usr/lib64/libnnz11.so which requires
text relocation.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

The httpd application attempted to load /usr/lib64/libnnz11.so which requires
text relocation. This is a potential security problem. Most libraries do not
need this permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib64/libnnz11.so to use relocation as a workaround, until the library is
fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib64/libnnz11.so to run correctly, you can change the file
context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib64/libnnz11.so'"
You must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/lib64/libnnz11.so'"

The following command will allow this access:

chcon -t textrel_shlib_t '/usr/lib64/libnnz11.so'

Additional Information:

Source Context                system_u:system_r:httpd_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib64/libnnz11.so [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost
Source RPM Packages           httpd-2.2.3-22.el5.centos.2
Target RPM Packages           liboci8-zend-11-1
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     localhost
Platform                      Linux localhost 2.6.18-128.2.1.el5xen #1 SMP Tue
                              Jul 14 07:07:49 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 29 Jul 2009 08:10:10 AM EDT
Last Seen                     Wed 29 Jul 2009 08:10:10 AM EDT
Local ID                      396d924a-879a-4d86-9882-b7934d68b090
Line Numbers                  

Raw Audit Messages            

host=localhost type=AVC msg=audit(1248869410.482:13): avc:  denied  { execmod } for  pid=3826 comm="httpd" path="/usr/lib64/libnnz11.so" dev=dm-0 ino=3506290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

host=localhost type=SYSCALL msg=audit(1248869410.482:13): arch=c000003e syscall=10 success=yes exit=0 a0=2b2686a8c000 a1=2a0000 a2=5 a3=2b2686a8f110 items=0 ppid=1 pid=3826 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
Reproducible: Always

Steps to Reproduce:
Looks like the library needs to be recompiled/rewritten, or some user documentation provided to noobs like me to help me.
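The raw AVC record above can be triaged mechanically. The following added example (not from the bug report or from setroubleshoot) parses raw audit lines, and only for an execmod denial on a file still labelled lib_t emits the persistent fix from the "Allowing Access" section, the semanage fcontext rule followed by restorecon to apply it, rather than the one-off chcon; any other denial yields no relabel advice. The sample audit text is constructed from this report's AVC line plus a second, made-up denial of a different kind.

```python
import re
import shlex

# Constructed sample input: the execmod AVC from this report plus a
# constructed read denial that must NOT be answered with a textrel label.
SAMPLE_AUDIT = """\
host=localhost type=AVC msg=audit(1248869410.482:13): avc:  denied  { execmod } for  pid=3826 comm="httpd" path="/usr/lib64/libnnz11.so" dev=dm-0 ino=3506290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
host=localhost type=AVC msg=audit(1248869500.000:14): avc:  denied  { read } for  pid=3826 comm="httpd" name="secret.txt" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
"""

AVC_RE = re.compile(
    r'type=AVC .*?avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict describing an AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    rec["path"] = fields.get("path") or fields.get("name")
    rec["comm"] = fields.get("comm")
    return rec

def textrel_fix(rec):
    """For an execmod denial on a file whose type is lib_t, return the
    persistent relabel commands; otherwise return None, because the denial
    is not the text-relocation case and needs a different response."""
    if rec is None or "execmod" not in rec["perms"] or rec["tclass"] != "file":
        return None
    ttype = rec["tcontext"].split(":")[2]      # user:role:type:level -> type
    if ttype != "lib_t" or not rec["path"]:
        return None
    path = shlex.quote(rec["path"])
    return [f"semanage fcontext -a -t textrel_shlib_t {path}",
            f"restorecon -v {path}"]

def scan(text):
    """Triage every AVC line in an audit extract: (path, fix-or-None) pairs."""
    return [(r["path"], textrel_fix(r))
            for r in map(parse_avc, text.splitlines()) if r]
```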
Comment 1 Nalin Dahyabhai 2009-07-29 11:18:09 EDT
Off-hand, I'm guessing this is a bug in the liboci8-zend-11-1 package, which is the package that provides the shared library which is triggering the error.

Running "chcon -t textrel_shlib_t /usr/lib64/libnnz11.so" may disable the protection check and allow the application to run, but it won't actually be fixing the bug.  I don't think we built that package, so there's not much else I can suggest other than reporting the bug to the package's vendor.

I'm leaning toward marking this closed->cantfix.
Comment 2 Daniel Walsh 2009-07-29 12:31:56 EDT
# semanage fcontext -a -t textrel_shlib_t /usr/lib64/libnnz11.so
# restorecon -v /usr/lib64/libnnz11.so

Will actually set this permanent.

We do not ship libnnz11.so

So please report this as a bug to them.  Most likely they built the library incorrectly.  The library requires a PIC flag.

This link explains the check.

http://people.redhat.com/~drepper/selinux-mem.html

I can add the label to SELinux policy for now.
Comment 3 Daniel Walsh 2009-07-29 12:37:09 EDT
Looks like this is an oracle library.

/usr/lib/oracle/.*/lib/libnnz.*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)

/opt/(.*/)?oracle/(.*/)?libnnz.*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)

Is in the current selinux-policy

So I will add

/usr/lib(64)?/libnnz11.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)

to Rawhide.

Miroslav, 

can you add this label to F11 and F10.
Comment 4 Miroslav Grepl 2009-07-31 05:08:11 EDT
Added to selinux-policy-3.6.12-71.fc11 and selinux-policy-3.5.13-68.fc10
Comment 5 Daniel Walsh 2009-08-21 16:59:09 EDT
Fixed in selinux-policy-2.4.6-255.el5
Comment 10 Jaromir Hradilek 2011-01-05 10:58:20 EST
Technical note added. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Prior to this update, SELinux prevented the httpd service from loading the /usr/lib/libnnz11.so (or /usr/lib64/libnnz11.so on a 64-bit system) library, which requires a text relocation. With this update, the SELinux context for this particular library has been changed from the default to "textrel_shlib_t", so that the library can now be loaded as expected.
Comment 12 errata-xmlrpc 2011-01-13 16:47:58 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html
