Bug 590162 - SELinux is preventing StandaloneInit from loading /opt/<software_package>//lib/libguide.so which requires text relocation.
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.4
Hardware: x86_64
OS: Linux
low
urgent
Target Milestone: rc
Assignee: Daniel Walsh
QA Contact: BaseOS QE Security Team
Reported: 2010-05-07 21:13 UTC by mark-antec
Modified: 2010-05-11 17:55 UTC (History)

Doc Type: Bug Fix
Last Closed: 2010-05-10 18:01:55 UTC

Description mark-antec 2010-05-07 21:13:35 UTC
Description of problem:

SELinux is preventing StandaloneInit from loading /opt/<software_package>//lib/libguide.so which requires text relocation.

I ran the suggested command: #chcon -t textrel_shlib_t '/opt/<software_package>//lib/libguide.so'

But it does not work. I need the /opt///lib/libguide.so to work so I can install the software program and its license manager properly. 

Thanks in advance for the help.



Summary:

SELinux is preventing StandaloneInit from loading
/opt/<software_package>//lib/libguide.so which requires text relocation.

Detailed Description:

The StandaloneInit application attempted to load
/opt/<software_package>//lib/libguide.so which requires text relocation. This
is a potential security problem. Most libraries do not need this permission.
Libraries are sometimes coded incorrectly and request this permission. The
SELinux Memory Protection Tests(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /opt/D<software_package>//lib/libguide.so to use relocation as a workaround, until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /opt/<software_package>//lib/libguide.so to run correctly, you
can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/opt/<software_package>//lib/libguide.so'" You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t textrel_shlib_t
'/opt/<software_package>//lib/libguide.so'"

The following command will allow this access:

chcon -t textrel_shlib_t '/opt/<software_package>//lib/libguide.so'

Additional Information:

Source Context                user_u:system_r:unconfined_t
Target Context                system_u:object_r:lib_t
Target Objects                /opt/D<software_package>//lib/libguide.so [ file
                              ]
Source                        StandaloneInit
Source Path                   /opt/<software_package>/bin/StandaloneInit
Port                          <Unknown>
Host                          localhost.gmprc.ksu.edu
Source RPM Packages           <software_package>
Target RPM Packages           <software_package>
Policy RPM                    selinux-policy-2.4.6-255.el5_4.4
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     (removed)
Platform                      Linux (removed) 2.6.18-164.11.1.el5
                              #1 SMP Wed Jan 6 13:26:04 EST 2010 x86_64 x86_64
Alert Count                   2
First Seen                    Fri 07 May 2010 03:16:44 PM CDT
Last Seen                     Fri 07 May 2010 03:20:58 PM CDT
Local ID                      d8f9cd8a-9164-4c53-8b29-88c70531cb12
Line Numbers                  

Raw Audit Messages            

host=localhost.(removed) type=AVC msg=audit(1273263658.607:137): avc:  denied  { execmod } for  pid=11230 comm="StandaloneInit" path="/opt/<software_package>//lib/libguide.so" dev=dm-0 ino=68354803 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

host=localhost.gmprc.ksu.edu type=SYSCALL msg=audit(1273263658.607:137): arch=c000003e syscall=10 success=no exit=-13 a0=2b3333584000 a1=38000 a2=5 a3=2b33335892e0 items=0 ppid=10497 pid=11230 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="StandaloneInit" exe="/opt/<software_package>//bin/StandaloneInit" subj=user_u:system_r:unconfined_t:s0 key=(null)




Comment 1 Daniel Walsh 2010-05-10 18:01:55 UTC
The report tells you what to do.  Or set the boolean allow_execmod to remove the check.

setsebool -P allow_execmod 1

libguide.so is built incorrectly.

http://people.redhat.com/~drepper/selinux-mem.html

explains the access.

Comment 2 mark-antec 2010-05-10 18:11:00 UTC
Thanks!

I ran the following commands:

disable the selinux:
#echo 0 >/selinux/enforce

run this:
#chcon -t textrel_shlib_t /opt/<software_package>//lib/libguide.so


and I was able to install the software.

Why do you think the libguide.so is not built correctly?

Comment 3 Daniel Walsh 2010-05-10 18:37:18 UTC
It either was not built with -fPIC or it has some assembly code that is causing the executable to load the library as an executable and writable at the same time.

That is what execmod means.
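
Added example, not part of the original thread or of any Red Hat tool: a library that "requires text relocation" declares it in its ELF dynamic section with a DT_TEXTREL entry (or the DF_TEXTREL bit in DT_FLAGS), and the check below looks for exactly that before anyone relabels a file or flips a boolean. It handles only ELF64 little-endian images (the x86_64 case in this report); `needs_text_relocation` and `build_sample` are hypothetical names, and the sample image is constructed.

```python
import struct

# Constants from the ELF specification (elf.h).
PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn: d_tag, d_val

def needs_text_relocation(image: bytes) -> bool:
    """True if the ELF64 little-endian image declares text relocations."""
    if len(image) < EHDR.size or image[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if image[4] != 2 or image[5] != 1:   # EI_CLASS=ELFCLASS64, EI_DATA=ELFDATA2LSB
        raise ValueError("only ELF64 little-endian is handled here")
    hdr = EHDR.unpack_from(image, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    for i in range(phnum):
        off = phoff + i * phentsize
        if off + PHDR.size > len(image):
            raise ValueError("truncated program header table")
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(image, off)
        if p_type != PT_DYNAMIC:
            continue
        # Walk the dynamic array until DT_NULL or the end of the segment.
        end = min(p_offset + p_filesz, len(image))
        for pos in range(p_offset, end - DYN.size + 1, DYN.size):
            tag, val = DYN.unpack_from(image, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

def build_sample(dyn_entries):
    """Constructed minimal ELF64 image: header, one PT_DYNAMIC, dynamic array."""
    dyn = b"".join(DYN.pack(t, v) for t, v in dyn_entries) + DYN.pack(DT_NULL, 0)
    dyn_off = EHDR.size + PHDR.size
    ident = b"\x7fELF\x02\x01\x01" + bytes(9)
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0, EHDR.size, PHDR.size, 1, 0, 0, 0)
    phdr = PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:   # e.g. every .so under a vendor's lib directory
        with open(path, "rb") as f:
            print(path, "TEXTREL" if needs_text_relocation(f.read()) else "clean")
```

A library reported as TEXTREL is one the vendor should rebuild with -fPIC; labeling it textrel_shlib_t scopes the exception to that one file, whereas allow_execmod removes the check for every library.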

Comment 4 mark-antec 2010-05-10 18:44:31 UTC
Does that mean even if the software is running now, I still need to run the command below to make sure libguide.so will continue to work?

# setsebool -P allow_execmod 1


Thanks!

Comment 5 Daniel Walsh 2010-05-11 13:46:20 UTC
No, only if you want to eliminate the AVC message. Since this happened in January, I would guess an update fixed it. Is the library labeled textrel_shlib_t?

Comment 6 mark-antec 2010-05-11 14:01:58 UTC
I see. Is the update fix automatic?

No, the library is not labeled textrel_shlib_t.

It is labeled /lib.

Comment 7 Daniel Walsh 2010-05-11 15:08:09 UTC
ls -lZ /opt/<software_package>//lib/libguide.so

Comment 8 mark-antec 2010-05-11 15:35:54 UTC
Here's the result:

[root@localhost ~]# ls -lZ /opt/DEMSolutions/EDEM_2.2/lib/libguide.so
-rwxr-xr-x  root root system_u:object_r:textrel_shlib_t /opt/DEMSolutions/EDEM_2.2/lib/libguide.so

What to do next? Thanks.

Comment 9 Daniel Walsh 2010-05-11 17:36:19 UTC
Nothing, that is correct, and that is why it is working.

Comment 10 mark-antec 2010-05-11 17:55:40 UTC
I see what you mean by the library. Thank you very much.

