Description of problem:
I installed IBM Tivoli Access Manager (TAM) 6.1.1 while enforcement was set to passive. When enforcement is set on, the TAM services fail to start. I see this message in the messages file.

Jun 19 13:34:52 stamsr11 setroubleshoot: SELinux is preventing pdmgrd from loading /usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7 which requires text relocation. For complete SELinux messages. run sealert -l 508b672b-8599-4c39-9617-d241df78b5fd

Version-Release number of selected component (if applicable):

How reproducible:
Easily reproducible.

Steps to Reproduce:
1. Turn on SELINUX enforcement
2. Is PD_START START command to start TAM services
3.

Actual results:
The SELinux error shown above.

Expected results:
TAM should start successfully.

Additional info:
I'll be opening a problem report with IBM regarding this problem. Here are the descriptive messages from running the sealert command:

[root@stamsr11 log]# sealert -l 508b672b-8599-4c39-9617-d241df78b5fd

Summary:

SELinux is preventing pdmgrd from loading /usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7 which requires text relocation.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

The pdmgrd application attempted to load /usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7 which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7 to use relocation as a workaround, until the library is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7 to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7'"

The following command will allow this access:

chcon -t textrel_shlib_t '/usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7'

Additional Information:

Source Context                user_u:system_r:unconfined_t:s0
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/local/ibm/gsk7/icc/osslib/libcrypto.so.0.9.7 [ file ]
Source                        ldapsearch
Source Path                   /opt/ibm/ldap/V6.1/bin/32/ldapsearch
Port                          <Unknown>
Host                          stamsr11.wtc.opm.gov
Source RPM Packages           PDMgr-PD-6.1.1-0
Target RPM Packages           gsk7bas-7.0-4.28
Policy RPM                    selinux-policy-2.4.6-300.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     stamsr11.wtc.opm.gov
Platform                      Linux stamsr11.wtc.opm.gov 2.6.18-238.9.1.el5 #1 SMP Fri Mar 18 14:40:59 EDT 2011 s390x s390x
Alert Count                   135
First Seen                    Fri Jun 17 16:53:06 2011
Last Seen                     Sun Jun 19 13:34:52 2011
Local ID                      508b672b-8599-4c39-9617-d241df78b5fd
Line Numbers

Raw Audit Messages

The alert tells you what to do. Did you open a bug report with IBM to fix their library?