User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.0.11) Gecko/2009061613 CentOS/3.0.11-2.el5.centos Firefox/3.0.11

Note: I'm trying to be helpful by reporting this as requested but frankly the system is not really usable for a newbie to enter these bugs. Might be nice for those getting the reports, but it really doesn't provide the help I need to post this back. Would be better if I could just click a button on the error message to send it to somewhere appropriate. If you don't want this, just delete it.

Summary:

SELinux is preventing httpd from loading /usr/lib64/libnnz11.so which requires text relocation.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

The httpd application attempted to load /usr/lib64/libnnz11.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib64/libnnz11.so to use relocation as a workaround, until the library is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib64/libnnz11.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib64/libnnz11.so'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/usr/lib64/libnnz11.so'"

The following command will allow this access:

chcon -t textrel_shlib_t '/usr/lib64/libnnz11.so'

Additional Information:

Source Context                system_u:system_r:httpd_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib64/libnnz11.so [ file ]
Source                        httpd
Source Path                   /usr/sbin/httpd
Port                          <Unknown>
Host                          localhost
Source RPM Packages           httpd-2.2.3-22.el5.centos.2
Target RPM Packages           liboci8-zend-11-1
Policy RPM                    selinux-policy-2.4.6-203.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     localhost
Platform                      Linux localhost 2.6.18-128.2.1.el5xen #1 SMP Tue Jul 14 07:07:49 EDT 2009 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 29 Jul 2009 08:10:10 AM EDT
Last Seen                     Wed 29 Jul 2009 08:10:10 AM EDT
Local ID                      396d924a-879a-4d86-9882-b7934d68b090
Line Numbers

Raw Audit Messages

host=localhost type=AVC msg=audit(1248869410.482:13): avc: denied { execmod } for pid=3826 comm="httpd" path="/usr/lib64/libnnz11.so" dev=dm-0 ino=3506290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

host=localhost type=SYSCALL msg=audit(1248869410.482:13): arch=c000003e syscall=10 success=yes exit=0 a0=2b2686a8c000 a1=2a0000 a2=5 a3=2b2686a8f110 items=0 ppid=1 pid=3826 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)

Reproducible: Always

Steps to Reproduce:

Looks like the library needs to be recompiled/rewritten, or some user documentation provided to noobs like me to help me.
Off-hand, I'm guessing this is a bug in the liboci8-zend-11-1 package, which is the package that provides the shared library which is triggering the error. Running "chcon -t textrel_shlib_t /usr/lib64/libnnz11.so" may disable the protection check and allow the application to run, but it won't actually be fixing the bug. I don't think we built that package, so there's not much else I can suggest other than reporting the bug to the package's vendor. I'm leaning toward marking this closed->cantfix.
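An added example, not part of the original thread: it parses the two raw audit records from the report, joins them by audit event id, and decodes the SYSCALL record to show which call the execmod check fired on. The function and variable names are this example's own; syscall 10 being mprotect applies to the x86_64 arch value shown in the record.

```python
import re

# Raw audit records copied verbatim from the report above (one audit event).
RECORDS = [
    'host=localhost type=AVC msg=audit(1248869410.482:13): avc: denied { execmod } for pid=3826 comm="httpd" path="/usr/lib64/libnnz11.so" dev=dm-0 ino=3506290 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file',
    'host=localhost type=SYSCALL msg=audit(1248869410.482:13): arch=c000003e syscall=10 success=yes exit=0 a0=2b2686a8c000 a1=2a0000 a2=5 a3=2b2686a8f110 items=0 ppid=1 pid=3826 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key=(null)',
]
X86_64, SYS_MPROTECT = "c000003e", 10   # AUDIT_ARCH_X86_64; mprotect(2) on x86_64
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}

def parse(record):
    """Return (event id, field dict) for one audit record."""
    event_id = re.search(r"msg=audit\(([\d.]+:\d+)\)", record).group(1)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}
    perms = re.search(r"denied\s+\{([^}]*)\}", record)
    fields["perms"] = perms.group(1).split() if perms else []
    return event_id, fields

def execmod_findings(records):
    """Join AVC and SYSCALL records by event id and describe execmod denials."""
    events = {}
    for rec in records:
        event_id, fields = parse(rec)
        events.setdefault(event_id, {})[fields["type"]] = fields
    findings = []
    for event_id, ev in events.items():
        avc, sc = ev.get("AVC"), ev.get("SYSCALL")
        if avc is None or "execmod" not in avc["perms"]:
            continue
        finding = {"event": event_id, "library": avc["path"],
                   "domain": avc["scontext"].split(":")[2],
                   "label": avc["tcontext"].split(":")[2],
                   "blocked": None, "call": None}
        if sc is not None:
            # "denied" plus success=yes: the call went through (permissive mode).
            finding["blocked"] = sc["success"] != "yes"
            if sc["arch"] == X86_64 and int(sc["syscall"]) == SYS_MPROTECT:
                prot = int(sc["a2"], 16)  # audit logs syscall arguments in hex
                flags = "|".join(n for bit, n in PROT.items() if prot & bit)
                finding["call"] = f"mprotect(0x{sc['a0']}, 0x{sc['a1']}, {flags})"
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in execmod_findings(RECORDS):
        print(f)
```

The decoded call is an mprotect that makes a file-backed mapping of the library executable again after it has been written to, which is the operation the execmod permission guards.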
# semanage fcontext -a -t textrel_shlib_t /usr/lib64/libnnz11.so
# restorecon -v /usr/lib64/libnnz11.so

Will actually set this permanent.

We do not ship libnnz11.so, so please report this as a bug to them. Most likely they built the library incorrectly. The library requires a PIC flag. This link explains the check.

http://people.redhat.com/~drepper/selinux-mem.html

I can add the label to SELinux policy for now.
Looks like this is an Oracle library.

/usr/lib/oracle/.*/lib/libnnz.*\.so    --    gen_context(system_u:object_r:textrel_shlib_t,s0)
/opt/(.*/)?oracle/(.*/)?libnnz.*\.so    --    gen_context(system_u:object_r:textrel_shlib_t,s0)

Is in the current selinux-policy.

So I will add

/usr/lib(64)?/libnnz11.so(\.[^/]*)*    gen_context(system_u:object_r:textrel_shlib_t,s0)

to Rawhide.

Miroslav, can you add this label to F11 and F10?
Added to selinux-policy-3.6.12-71.fc11 and selinux-policy-3.5.13-68.fc10
Fixed in selinux-policy-2.4.6-255.el5
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:

Prior to this update, SELinux prevented the httpd service from loading the /usr/lib/libnnz11.so (or /usr/lib64/libnnz11.so on a 64-bit system) library, which requires a text relocation. With this update, the SELinux context for this particular library has been changed from the default to "textrel_shlib_t", so that the library can now be loaded as expected.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html