Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 621885

Summary: All Oracle libraries requires textrel_shlib_t
Product: Red Hat Enterprise Linux 5 Reporter: Göran Uddeborg <goeran>
Component: selinux-policyAssignee: Miroslav Grepl <mgrepl>
Status: CLOSED ERRATA QA Contact: Milos Malik <mmalik>
Severity: medium Docs Contact:
Priority: low    
Version: 5.5CC: mmalik, tomasstraupis
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Since certain Oracle libraries require a text relocation, the SELinux context for libraries in the /usr/lib/oracle/ directory has been changed to "textrel_shlib_t".
 Story Points: ---
Clone Of: Environment:
Last Closed: 2011-01-13 21:50:15 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Göran Uddeborg 2010-08-06 11:53:25 UTC 
Description of problem:
The current policy identifies two libraries, libnnz and libclntsh, in the directory for Oracle's Instant Client, /usr/lib/oracle, as needing text relocations.  There are however additional libraries in the directory.  All of them seems to require text relocations when you use them.  (Not surprisingly, I guess, they are probably built in the same broken way.)


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-279.el5_5.1

Some Oracle packages having the bug are:
oracle-instantclient11.1-basic-11.1.0.7.0-1
oracle-instantclient11.1-devel-11.1.0.7.0-1
oracle-instantclient11.1-jdbc-11.1.0.7.0-1
oracle-instantclient11.1-sqlplus-11.1.0.7.0-1


How reproducible:
Every time


Steps to Reproduce:
1.sqlplus
  
Actual results:
sqlplus: error while loading shared libraries: /usr/lib/oracle/11.1/client64/lib/libsqlplus.so: cannot restore segment prot after reloc: Permission denied


Expected results:
Login prompt from sqlplus

Sqlplus is a binary included in oracle-instantclient11.1-sqlplus.  It uses some of the libraries not yet singled out in the policy as an example.

Additional info:
Until we can get Oracle to build these libraries properly (yes, I've told them, and no I haven't got any reaction), I suggest the policy assumes all .so files in /usr/lib/oracle/… need textrel_shlib_t

/usr/lib/oracle/.*/lib/lib.*\.so(\.[^/]*)* …textrel_shlib_t…
Comment 1 Daniel Walsh 2010-08-10 15:35:48 UTC 
Seems ok to me.
Comment 3 Miroslav Grepl 2010-09-09 13:11:48 UTC 
Fixed in selinux-policy-2.4.6-283.el5.noarch
Comment 6 Tomas Straupis 2010-11-20 12:53:54 UTC 
I have the same problem after upgrade to Fedora14 (it was ok in Fedora13):

$ sqlplus
sqlplus: error while loading shared libraries: libsqlplus.so: cannot enable executable stack as shared object requires: Permission denied

Should I report it separately with product "Fedora"?

selinux-policy-3.9.7-10.fc14.noarch
Comment 7 Jaromir Hradilek 2011-01-05 16:18:57 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Since certain Oracle libraries require a text relocation, the SELinux context for libraries in the /usr/lib/oracle/ directory has been changed to "textrel_shlib_t".
Comment 9 errata-xmlrpc 2011-01-13 21:50:15 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html