Bug 514506 - SELinux is preventing httpd from loading /usr/lib64/libnnz11.so which requires text relocation.
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: x86_64
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-07-29 13:21 UTC by Joe Murray
Modified: 2012-10-15 14:17 UTC (History)
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Prior to this update, SELinux prevented the httpd service from loading the /usr/lib/libnnz11.so (or /usr/lib64/libnnz11.so on a 64-bit system) library, which requires a text relocation. With this update, the SELinux context for this particular library has been changed from the default to "textrel_shlib_t", so that the library can now be loaded as expected.
Clone Of:
Environment:
Last Closed: 2011-01-13 21:47:58 UTC
Target Upstream Version:
Embargoed:

Links:
Red Hat Product Errata RHBA-2011:0026 (priority normal, status SHIPPED_LIVE): selinux-policy bug fix and enhancement update, last updated 2011-01-12 16:11:15 UTC

Description Joe Murray 2009-07-29 13:21:16 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11) Gecko/2009061613 CentOS/3.0.11-2.el5.centos Firefox/3.0.11

Note: I'm trying to be helpful by reporting this as requested but frankly the system is not really usable for a newbie to enter these bugs. Might be nice for those getting the reports, but it really doesn't provide the help I need to post this back. Would be better if I could just click a button on the error message to send it to somewhere appropriate. If you don't want this, just delete it.

Summary:

SELinux is preventing httpd from loading /usr/lib64/libnnz11.so which requires
text relocation.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

The httpd application attempted to load /usr/lib64/libnnz11.so which requires
text relocation. This is a potential security problem. Most libraries do not
need this permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib64/libnnz11.so to use relocation as a workaround, until the library is
fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib64/libnnz11.so to run correctly, you can change the file
context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib64/libnnz11.so'"
You must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/lib64/libnnz11.so'"

The following command will allow this access:

chcon -t textrel_shlib_t '/usr/lib64/libnnz11.so'

Additional Information:

Source Context                system_u:system_r:httpd_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib64/libnnz11.so [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost
Source RPM Packages           httpd-2.2.3-22.el5.centos.2
Target RPM Packages           liboci8-zend-11-1
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     localhost
Platform                      Linux localhost 2.6.18-128.2.1.el5xen #1 SMP Tue Jul 14 07:07:49 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 29 Jul 2009 08:10:10 AM EDT
Last Seen                     Wed 29 Jul 2009 08:10:10 AM EDT
Local ID                      396d924a-879a-4d86-9882-b7934d68b090
Line Numbers                  

Raw Audit Messages            

host=localhost type=AVC msg=audit(1248869410.482:13): avc:  denied  { execmod } for  pid=3826 comm="httpd" path="/usr/lib64/libnnz11.so" dev=dm-0 ino=3506290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

host=localhost type=SYSCALL msg=audit(1248869410.482:13): arch=c000003e syscall=10 success=yes exit=0 a0=2b2686a8c000 a1=2a0000 a2=5 a3=2b2686a8f110 items=0 ppid=1 pid=3826 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)
Reproducible: Always

Steps to Reproduce:
Looks like the library needs to be recompiled/rewritten, or some user documentation provided to noobs like me to help me.

Comment 1 Nalin Dahyabhai 2009-07-29 15:18:09 UTC
Off-hand, I'm guessing this is a bug in the liboci8-zend-11-1 package, which is the package that provides the shared library which is triggering the error.

Running "chcon -t textrel_shlib_t /usr/lib64/libnnz11.so" may disable the protection check and allow the application to run, but it won't actually be fixing the bug.  I don't think we built that package, so there's not much else I can suggest other than reporting the bug to the package's vendor.

I'm leaning toward marking this closed->cantfix.

Comment 2 Daniel Walsh 2009-07-29 16:31:56 UTC
# semanage fcontext -a -t textrel_shlib_t /usr/lib64/libnnz11.so
# restorecon -v /usr/lib64/libnnz11.so

Will actually set this permanent.

We do not ship libnnz11.so

So please report this as a bug to them.  Most likely they built the library incorrectly.  The library requires a PIC flag.

This link explains the check.

http://people.redhat.com/~drepper/selinux-mem.html

I can add the label to SELinux policy for now.

Comment 3 Daniel Walsh 2009-07-29 16:37:09 UTC
Looks like this is an oracle library.

/usr/lib/oracle/.*/lib/libnnz.*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)

/opt/(.*/)?oracle/(.*/)?libnnz.*\.so --	gen_context(system_u:object_r:textrel_shlib_t,s0)

Is in the current selinux-policy

So I will add

/usr/lib(64)?/libnnz11.so(\.[^/]*)*	gen_context(system_u:object_r:textrel_shlib_t,s0)

to Rawhide.

Miroslav, 

can you add this label to F11 and F10?
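As an added example (not from the bug report, setroubleshoot, or the selinux-policy sources), a small Python triage helper that parses the raw AVC record from the description, confirms it is the execmod-on-lib_t case, and emits the persistent relabel from Comment 2 rather than the one-off chcon. The file-context regex is the one Comment 3 adds to the policy, and the sample record is a constructed copy of the one in the report.

```python
import re

# Constructed sample: the execmod AVC record from the bug description.
SAMPLE_AVC = ('host=localhost type=AVC msg=audit(1248869410.482:13): avc:  denied  '
              '{ execmod } for  pid=3826 comm="httpd" path="/usr/lib64/libnnz11.so" '
              'dev=dm-0 ino=3506290 scontext=system_u:system_r:httpd_t:s0 '
              'tcontext=system_u:object_r:lib_t:s0 tclass=file')

# File-context pattern from Comment 3, in the anchored regex dialect that
# file_contexts / semanage use.
POLICY_FCONTEXT = r'/usr/lib(64)?/libnnz11.so(\.[^/]*)*'

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"
PERMS_RE = re.compile(r'\{\s*([^}]*?)\s*\}')     # the { perm perm ... } set

def parse_avc(line):
    """Return the key=value fields of an AVC record plus its permission set."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = PERMS_RE.search(line)
    fields['perms'] = set(m.group(1).split()) if m else set()
    return fields

def se_type(context):
    """Type component of a SELinux context (user:role:type:range)."""
    return context.split(':')[2]

def remediation(avc):
    """Return the textrel fix for an execmod denial on a lib_t file, else None.

    Relabeling to textrel_shlib_t is only the right answer for this specific
    case (a library with DT_TEXTREL being mapped by a confined domain); any
    other denial needs its own analysis and gets no recommendation here.
    """
    if 'execmod' not in avc['perms'] or avc.get('tclass') != 'file':
        return None
    if se_type(avc['tcontext']) != 'lib_t':
        return None
    path = avc['path']
    # If the shipped policy already carries the pattern, a relabel is enough;
    # otherwise a local fcontext rule must be added first so it survives relabels.
    in_policy = re.fullmatch(POLICY_FCONTEXT, path) is not None
    commands = [] if in_policy else [f'semanage fcontext -a -t textrel_shlib_t {path}']
    commands.append(f'restorecon -v {path}')
    return {'path': path, 'domain': se_type(avc['scontext']),
            'already_in_policy': in_policy, 'commands': commands}

if __name__ == '__main__':
    print(remediation(parse_avc(SAMPLE_AVC)))
```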

Comment 4 Miroslav Grepl 2009-07-31 09:08:11 UTC
Added to selinux-policy-3.6.12-71.fc11 and selinux-policy-3.5.13-68.fc10

Comment 5 Daniel Walsh 2009-08-21 20:59:09 UTC
Fixed in selinux-policy-2.4.6-255.el5

Comment 10 Jaromir Hradilek 2011-01-05 15:58:20 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Prior to this update, SELinux prevented the httpd service from loading the /usr/lib/libnnz11.so (or /usr/lib64/libnnz11.so on a 64-bit system) library, which requires a text relocation. With this update, the SELinux context for this particular library has been changed from the default to "textrel_shlib_t", so that the library can now be loaded as expected.

Comment 12 errata-xmlrpc 2011-01-13 21:47:58 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html