Bug 844811 - selinux-policy-2.4.6-327.el5
Summary: selinux-policy-2.4.6-327.el5
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.7
Hardware: All
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Miroslav Grepl
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2012-07-31 21:51 UTC by John Scanlon
Modified: 2012-08-06 08:28 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-08-06 08:28:38 UTC
Target Upstream Version:
Embargoed:



Description John Scanlon 2012-07-31 21:51:39 UTC
Description of problem:
sealert -l c505d9af-9dfb-4a6b-928d-bc685f393e29

Summary:

SELinux is preventing clnaddrd from loading
/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 which requires
text relocation.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

The clnaddrd application attempted to load
/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 which requires
text relocation. This is a potential security problem. Most libraries do not
need this permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 to use relocation
as a workaround, until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 to
run correctly, you can change the file context to textrel_shlib_t. "chcon -t
textrel_shlib_t '/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1'"
You must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1'"

The following command will allow this access:

chcon -t textrel_shlib_t '/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1'

Additional Information:

Source Context                user_u:system_r:unconfined_t
Target Context                system_u:object_r:default_t
Target Objects                /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 [ file ]
Source                        sqlplus
Source Path                   /u01/app/oracle/product/11.2.0/client_1/bin/sqlplus
Port                          <Unknown>
Host                          WITB07
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-327.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     WITB07
Platform                      Linux WITB07 2.6.18-308.1.1.el5 #1 SMP Fri Feb 17 16:51:01 EST 2012 x86_64 x86_64
Alert Count                   24
First Seen                    Fri Jul 13 09:23:54 2012
Last Seen                     Mon Jul 30 09:28:41 2012
Local ID                      c505d9af-9dfb-4a6b-928d-bc685f393e29
Line Numbers

Raw Audit Messages

host=WITB07 type=AVC msg=audit(1343654921.310:4292): avc:  denied  { execmod } for  pid=23716 comm="clnaddrd" path="/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1" dev=dm-8 ino=3375455 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

host=WITB07 type=SYSCALL msg=audit(1343654921.310:4292): arch=c000003e syscall=10 success=yes exit=0 a0=2ad2161a7000 a1=228a000 a2=5 a3=2ad216243578 items=0 ppid=23680 pid=23716 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=pts1 ses=692 comm="clnaddrd" exe="/u02/app/clnaddr/clean_address_linux/bin/clnaddrd" subj=user_u:system_r:unconfined_t:s0 key=(null)



Version-Release number of selected component (if applicable):

uname -a
Linux WITB07 2.6.18-308.1.1.el5 #1 SMP Fri Feb 17 16:51:01 EST 2012 x86_64 x86_64 x86_64 GNU/Linux


How reproducible:
Re-boot host for /etc/init.d to autostart clean_address daemon

Steps to Reproduce:
1. re-boot
2. attempt a connection from host to oracle database using sqlplus 11gr2
3.
  
Actual results:
SELinux in /var/log/messages

Expected results:

no SELinux message
Additional info:

Clean Address is a product from vendor Runner Technologies:

http://www.runnertechnologies.com/cln_addr_faqs.html

Comment 1 Milos Malik 2012-08-01 08:25:13 UTC
The file mentioned in Target Objects is mislabelled. The following command should label it correctly:

# chcon -t textrel_shlib_t /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1

Comment 2 RHEL Program Management 2012-08-01 08:28:28 UTC
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.

Comment 3 Miroslav Grepl 2012-08-01 08:36:41 UTC
You will need to tell SELinux how to label

/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1

as Milos wrote above. Or you can use semanage as the alert tells you.

Comment 4 John Scanlon 2012-08-01 15:39:01 UTC
I have performed the command as advised:
# chcon -t textrel_shlib_t /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1
How can I confirm or test it?
Regards,
John

Comment 5 Milos Malik 2012-08-01 15:46:44 UTC
Please use the same command which caused the original AVC. Perhaps the command which connects from the host to the Oracle database using sqlplus 11gr2.
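Building on the alert's "Allowing Access" section and Milos's advice to retest, here is an added shell example (not code from this bug, from Red Hat, or from Runner Technologies) that parses the raw AVC record quoted above and prints the persistent relabel instead of the temporary chcon. It assumes only POSIX sed and cut; the sample record is the one from this report with its line-wrap artifacts removed, and the function names (avc_field, avc_perm, ctx_type, relabel_commands) are chosen here.

```shell
#!/bin/sh
# Added example, not part of the bug report: pull the key facts out of an
# execmod AVC record and emit the persistent fix the alert recommends.
# Constructed sample: the AVC line from this report, with the terminal
# line-wrap artifacts removed.
SAMPLE_AVC='host=WITB07 type=AVC msg=audit(1343654921.310:4292): avc:  denied  { execmod } for  pid=23716 comm="clnaddrd" path="/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1" dev=dm-8 ino=3375455 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file'

# Value of one key=value field (quoted or bare) in an audit record.
# The leading blank keeps e.g. "pid=" from matching inside "ppid=".
avc_field() {   # usage: avc_field KEY "RECORD"
    printf '%s\n' "$2" | sed -n "s/.*[[:space:]]$1=\"*\([^\" ]*\)\"*.*/\1/p"
}

# The denied permission, e.g. execmod.
avc_perm() {   # usage: avc_perm "RECORD"
    printf '%s\n' "$1" | sed -n 's/.*denied *{ \([a-z_]*\) }.*/\1/p'
}

# Type field of a context: user:role:type:level -> type.
ctx_type() {   # usage: ctx_type CONTEXT
    printf '%s\n' "$1" | cut -d: -f3
}

# Print the persistent relabel for an execmod denial on a file that is still
# default_t (no policy rule ever labelled it, as with this Oracle client under
# /u01).  chcon alone is lost on a full relabel; semanage fcontext records the
# rule and restorecon applies it.  Any other combination (a different
# permission, or a library that already carries a proper type) returns 1 and
# prints nothing: such a denial should be investigated, not blanket-allowed.
relabel_commands() {   # usage: relabel_commands "RECORD"
    perm=$(avc_perm "$1")
    path=$(avc_field path "$1")
    ttype=$(ctx_type "$(avc_field tcontext "$1")")
    [ "$perm" = execmod ] && [ "$ttype" = default_t ] || return 1
    printf "semanage fcontext -a -t textrel_shlib_t '%s'\n" "$path"
    printf "restorecon -v '%s'\n" "$path"
}

# Stand-alone run: show what would be applied for the sample record.
relabel_commands "$SAMPLE_AVC"
```

To confirm the fix, `ls -Z` on the library should now show textrel_shlib_t and `readelf -d` on it should list a TEXTREL entry (proof the library really needs the permission); rerunning the sqlplus connection should then add no new execmod record to `ausearch -m AVC -c clnaddrd`.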

