Description of problem: SELinux is preventing StandaloneInit from loading /opt/<software_package>//lib/libguide.so which requires text relocation. I ran the suggested command: #chcon -t textrel_shlib_t '/opt/<software_package>//lib/libguide.so' But it does not work. I need the /opt///lib/libguide.so to work so I can install the software program and its license manager properly. Thanks in advance for the help. Summary: SELinux is preventing StandaloneInit from loading /opt/<software_package>//lib/libguide.so which requires text relocation. Detailed Description: The StandaloneInit application attempted to load /opt/<software_package>//lib/libguide.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /opt/D<software_package>//lib/libguide.so to use relocation as a workaround, until the library is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Allowing Access: If you trust /opt/<software_package>//lib/libguide.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/opt/<software_package>//lib/libguide.so'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/opt/<software_package>//lib/libguide.so'" The following command will allow this access: chcon -t textrel_shlib_t '/opt/<software_package>//lib/libguide.so' Additional Information: Source Context user_u:system_r:unconfined_t Target Context system_u:object_r:lib_t Target Objects /opt/D<software_package>//lib/libguide.so [ file ] Source StandaloneInit Source Path /opt/<software_package>/bin/StandaloneInit Port <Unknown> Host localhost.gmprc.ksu.edu Source RPM Packages <software_package> Target RPM Packages <software_package> Policy RPM selinux-policy-2.4.6-255.el5_4.4 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name allow_execmod Host Name (removed) Platform Linux (removed) 2.6.18-164.11.1.el5 #1 SMP Wed Jan 6 13:26:04 EST 2010 x86_64 x86_64 Alert Count 2 First Seen Fri 07 May 2010 03:16:44 PM CDT Last Seen Fri 07 May 2010 03:20:58 PM CDT Local ID d8f9cd8a-9164-4c53-8b29-88c70531cb12 Line Numbers Raw Audit Messages host=localhost.(removed) type=AVC msg=audit(1273263658.607:137): avc: denied { execmod } for pid=11230 comm="StandaloneInit" path="/opt/<software_package>//lib/libguide.so" dev=dm-0 ino=68354803 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file host=localhost.gmprc.ksu.edu type=SYSCALL msg=audit(1273263658.607:137): arch=c000003e syscall=10 success=no exit=-13 a0=2b3333584000 a1=38000 a2=5 a3=2b33335892e0 items=0 ppid=10497 pid=11230 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="StandaloneInit" exe="/opt/<software_package>//bin/StandaloneInit" subj=user_u:system_r:unconfined_t:s0 key=(null) Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
The report tells you what to do. Or set the boolean allow_execmod to remove the check. setsebool -P allow_execmod 1 libguide.so is built incorrectly. http://people.redhat.com/~drepper/selinux-mem.html explains the access.
Thanks! I run the ff. commands: disable the selinux: #echo 0 >/selinux/enforce run this: #chcon -t textrel_shlib_t /opt/<software_package>//lib/libguide.so and I was able to install the software. Why do you think the libguide.so is not built correctly?
It either was not built with -fPIC or it has some assembly code that is causing the executable to load the library as an executable and writable at the same time. That is what execmod means.
Does that mean even if the software is running now, I still need to run the command below to make sure libguide.so will continue to work? # setsebool -P allow_execmod 1 Thanks!
No, only if you want to eliminate the AVC message. Since this happened in January. I would guess an update fixed it. Is the library labeled textrel_shlib_t?
I see. Is the update fix automatic? No, the library is not labeled textrel_shlib_t. It is labeled /lib.
ls -lZ /opt/<software_package>//lib/libguide.so
Here's the result: [root@localhost ~]# ls -lZ /opt/DEMSolutions/EDEM_2.2/lib/libguide.so -rwxr-xr-x root root system_u:object_r:textrel_shlib_t /opt/DEMSolutions/EDEM_2.2/lib/libguide.so What to do next? Thanks.
Nothing that is correct, and that is why it is working.
I see what you mean by the library. Thank you very much.