Bug 844811 - selinux-policy-2.4.6-327.el5
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.7
Hardware: All
OS: Linux
Severity: medium
Assigned To: Miroslav Grepl
QA Contact: BaseOS QE Security Team
Reported: 2012-07-31 17:51 EDT by John Scanlon
Modified: 2012-08-06 04:28 EDT
Doc Type: Bug Fix
Last Closed: 2012-08-06 04:28:38 EDT
Type: Bug
Attachments: None

Description John Scanlon 2012-07-31 17:51:39 EDT
Description of problem:
sealert -l c505d9af-9dfb-4a6b-928d-bc685f393e29

Summary:

SELinux is preventing clnaddrd from loading
/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 which requires
text relocation.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

The clnaddrd application attempted to load
/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 which requires
text relocation. This is a potential security problem. Most libraries do not
need this permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 to use relocation
as a workaround, until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 to
run correctly, you can change the file context to textrel_shlib_t. "chcon -t
textrel_shlib_t '/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1'"
You must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1'"

The following command will allow this access:

chcon -t textrel_shlib_t '/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1'

Additional Information:

Source Context                user_u:system_r:unconfined_t
Target Context                system_u:object_r:default_t
Target Objects                /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 [ file ]
Source                        sqlplus
Source Path                   /u01/app/oracle/product/11.2.0/client_1/bin/sqlplus
Port                          <Unknown>
Host                          WITB07
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-327.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     WITB07
Platform                      Linux WITB07 2.6.18-308.1.1.el5 #1 SMP Fri Feb 17
                              16:51:01 EST 2012 x86_64 x86_64
Alert Count                   24
First Seen                    Fri Jul 13 09:23:54 2012
Last Seen                     Mon Jul 30 09:28:41 2012
Local ID                      c505d9af-9dfb-4a6b-928d-bc685f393e29
Line Numbers

Raw Audit Messages

host=WITB07 type=AVC msg=audit(1343654921.310:4292): avc:  denied  { execmod } for  pid=23716 comm="clnaddrd" path="/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1" dev=dm-8 ino=3375455 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

host=WITB07 type=SYSCALL msg=audit(1343654921.310:4292): arch=c000003e syscall=10 success=yes exit=0 a0=2ad2161a7000 a1=228a000 a2=5 a3=2ad216243578 items=0 ppid=23680 pid=23716 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=pts1 ses=692 comm="clnaddrd" exe="/u02/app/clnaddr/clean_address_linux/bin/clnaddrd" subj=user_u:system_r:unconfined_t:s0 key=(null)



Version-Release number of selected component (if applicable):

uname -a
Linux WITB07 2.6.18-308.1.1.el5 #1 SMP Fri Feb 17 16:51:01 EST 2012 x86_64 x86_64 x86_64 GNU/Linux


How reproducible:
Re-boot host for /etc/init.d to autostart clean_address daemon

Steps to Reproduce:
1. re-boot
2. attempt a connection from host to oracle database using sqlplus 11gr2
Actual results:
SELinux in /var/log/messages

Expected results:

no SELinux message
Additional info:

Clean Address is a product from the vendor Runner Technologies:

http://www.runnertechnologies.com/cln_addr_faqs.html
Comment 1 Milos Malik 2012-08-01 04:25:13 EDT
The file mentioned in Target Objects is mislabelled. The following command should label it correctly:

# chcon -t textrel_shlib_t /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1
Comment 2 RHEL Product and Program Management 2012-08-01 04:28:28 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 3 Miroslav Grepl 2012-08-01 04:36:41 EDT
You will need to tell SELinux how to label

/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1

as Milos wrote above. Or you can use semanage as the alert tells you.
Comment 4 John Scanlon 2012-08-01 11:39:01 EDT
I have performed the command as advised:
# chcon -t textrel_shlib_t /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1
How can I confirm or test it?
Regards,
John
Comment 5 Milos Malik 2012-08-01 11:46:44 EDT
Please use the same command which caused the original AVC. Perhaps the command which connects from the host to the oracle database using sqlplus 11gr2.
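One way to drive the relabel from the alert and the re-check Milos describes straight from the audit records, as an added example that is not part of the bug report or the vendor's product. It assumes readelf, semanage, restorecon and ausearch are installed; the sample records are constructed from the report's AVC line.

```shell
#!/bin/sh
# Added example, not part of the bug report: pull execmod denials out of
# audit records (the format under "Raw Audit Messages"), emit the persistent
# relabel the alert recommends, and emit the checks that confirm it worked.
# Assumes readelf, semanage, restorecon and ausearch are available.

# Constructed sample: the report's execmod record plus an unrelated denial
# that must be ignored.
SAMPLE_AVC='host=WITB07 type=AVC msg=audit(1343654921.310:4292): avc:  denied  { execmod } for  pid=23716 comm="clnaddrd" path="/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1" dev=dm-8 ino=3375455 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file
host=WITB07 type=AVC msg=audit(1343654930.000:4300): avc:  denied  { read } for  pid=23800 comm="clnaddrd" path="/etc/shadow" dev=dm-1 ino=12 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file'

# Read audit records on stdin; print "path current_type comm" per execmod denial.
execmod_targets() {
    grep 'type=AVC' | grep 'denied *{ execmod }' |
    sed -n 's/.*comm="\([^"]*\)".*path="\([^"]*\)".*tcontext=[^:]*:[^:]*:\([^: ]*\).*/\2 \3 \1/p'
}

# Does the object really carry text relocations? The alert notes that most
# libraries do not, so relabel only those for which this returns true.
has_textrel() {
    readelf -d "$1" 2>/dev/null | grep -q TEXTREL
}

# Commands for one target: semanage records the rule so it survives a full
# relabel; restorecon applies it now (same effect as the alert's chcon).
relabel_commands() {
    if [ "$2" = textrel_shlib_t ]; then
        echo "# $1 is already textrel_shlib_t"
        return 0
    fi
    echo "semanage fcontext -a -t textrel_shlib_t '$1'"
    echo "restorecon -v '$1'"
}

# Checks after relabelling: the label should read textrel_shlib_t, and
# re-running the workload (sqlplus here) should log no new execmod AVC.
verify_commands() {
    echo "ls -Z '$1'"
    echo "ausearch -m avc -c '$2' -ts recent"
}

printf '%s\n' "$SAMPLE_AVC" | execmod_targets |
while read -r path type comm; do
    relabel_commands "$path" "$type"
    verify_commands "$path" "$comm"
done
```

On a live host, replace the sample with `ausearch -m avc --raw` or the contents of /var/log/audit/audit.log, and run `has_textrel` on each path before granting textrel_shlib_t.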