Bug 621885 - All Oracle libraries requires textrel_shlib_t
Summary: All Oracle libraries requires textrel_shlib_t
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy   
(Show other bugs)
Version: 5.5
Hardware: All
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact: Milos Malik
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-08-06 11:53 UTC by Göran Uddeborg
Modified: 2012-10-15 14:17 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Since certain Oracle libraries require a text relocation, the SELinux context for libraries in the /usr/lib/oracle/ directory has been changed to "textrel_shlib_t".
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-01-13 21:50:15 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 16:11:15 UTC

Description Göran Uddeborg 2010-08-06 11:53:25 UTC 
Description of problem:
The current policy identifies two libraries, libnnz and libclntsh, in the directory for Oracle's Instant Client, /usr/lib/oracle, as needing text relocations.  There are however additional libraries in the directory.  All of them seems to require text relocations when you use them.  (Not surprisingly, I guess, they are probably built in the same broken way.)


Version-Release number of selected component (if applicable):
selinux-policy-2.4.6-279.el5_5.1

Some Oracle packages having the bug are:
oracle-instantclient11.1-basic-11.1.0.7.0-1
oracle-instantclient11.1-devel-11.1.0.7.0-1
oracle-instantclient11.1-jdbc-11.1.0.7.0-1
oracle-instantclient11.1-sqlplus-11.1.0.7.0-1


How reproducible:
Every time


Steps to Reproduce:
1.sqlplus
  
Actual results:
sqlplus: error while loading shared libraries: /usr/lib/oracle/11.1/client64/lib/libsqlplus.so: cannot restore segment prot after reloc: Permission denied


Expected results:
Login prompt from sqlplus

Sqlplus is a binary included in oracle-instantclient11.1-sqlplus.  It uses some of the libraries not yet singled out in the policy as an example.

Additional info:
Until we can get Oracle to build these libraries properly (yes, I've told them, and no I haven't got any reaction), I suggest the policy assumes all .so files in /usr/lib/oracle/… need textrel_shlib_t

/usr/lib/oracle/.*/lib/lib.*\.so(\.[^/]*)* …textrel_shlib_t…
Comment 1 Daniel Walsh 2010-08-10 15:35:48 UTC 
Seems ok to me.
Comment 3 Miroslav Grepl 2010-09-09 13:11:48 UTC 
Fixed in selinux-policy-2.4.6-283.el5.noarch
Comment 6 Tomas Straupis 2010-11-20 12:53:54 UTC 
I have the same problem after upgrade to Fedora14 (it was ok in Fedora13):

$ sqlplus
sqlplus: error while loading shared libraries: libsqlplus.so: cannot enable executable stack as shared object requires: Permission denied

Should I report it separately with product "Fedora"?

selinux-policy-3.9.7-10.fc14.noarch
Comment 7 Jaromir Hradilek 2011-01-05 16:18:57 UTC 
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Since certain Oracle libraries require a text relocation, the SELinux context for libraries in the /usr/lib/oracle/ directory has been changed to "textrel_shlib_t".
Comment 9 errata-xmlrpc 2011-01-13 21:50:15 UTC 
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html
Note You need to log in before you can comment on or make changes to this bug.