Description of problem:

sealert -l c505d9af-9dfb-4a6b-928d-bc685f393e29

Summary:

SELinux is preventing clnaddrd from loading /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 which requires text relocation.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]

The clnaddrd application attempted to load /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 to use relocation as a workaround, until the library is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 to run correctly, you can change the file context to textrel_shlib_t.

"chcon -t textrel_shlib_t '/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1'"

You must also change the default file context files on the system in order to preserve them even on a full relabel.

"semanage fcontext -a -t textrel_shlib_t '/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1'"

The following command will allow this access:

chcon -t textrel_shlib_t '/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1'

Additional Information:

Source Context                user_u:system_r:unconfined_t
Target Context                system_u:object_r:default_t
Target Objects                /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 [ file ]
Source                        sqlplus
Source Path                   /u01/app/oracle/product/11.2.0/client_1/bin/sqlplus
Port                          <Unknown>
Host                          WITB07
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-327.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     WITB07
Platform                      Linux WITB07 2.6.18-308.1.1.el5 #1 SMP Fri Feb 17 16:51:01 EST 2012 x86_64 x86_64
Alert Count                   24
First Seen                    Fri Jul 13 09:23:54 2012
Last Seen                     Mon Jul 30 09:28:41 2012
Local ID                      c505d9af-9dfb-4a6b-928d-bc685f393e29
Line Numbers

Raw Audit Messages

host=WITB07 type=AVC msg=audit(1343654921.310:4292): avc: denied { execmod } for pid=23716 comm="clnaddrd" path="/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1" dev=dm-8 ino=3375455 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file

host=WITB07 type=SYSCALL msg=audit(1343654921.310:4292): arch=c000003e syscall=10 success=yes exit=0 a0=2ad2161a7000 a1=228a000 a2=5 a3=2ad216243578 items=0 ppid=23680 pid=23716 auid=505 uid=505 gid=505 euid=505 suid=505 fsuid=505 egid=505 sgid=505 fsgid=505 tty=pts1 ses=692 comm="clnaddrd" exe="/u02/app/clnaddr/clean_address_linux/bin/clnaddrd" subj=user_u:system_r:unconfined_t:s0 key=(null)

Version-Release number of selected component (if applicable):

uname -a
Linux WITB07 2.6.18-308.1.1.el5 #1 SMP Fri Feb 17 16:51:01 EST 2012 x86_64 x86_64 x86_64 GNU/Linux

How reproducible:

Re-boot host for /etc/init.d to autostart clean_address daemon

Steps to Reproduce:
1. re-boot
2. attempt a connection from host to oracle database using sqlplus 11gr2
3.

Actual results:

SELinux in /var/log/messages

Expected results:

no SELinux message

Additional info:

Clean Address is a product from the vendor Runner Technologies: http://www.runnertechnologies.com/cln_addr_faqs.html
The file mentioned in Target Objects is mislabelled. The following command should label it correctly:

# chcon -t textrel_shlib_t /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux release for currently deployed products. This request is not yet committed for inclusion in a release.
You will need to tell SELinux how to label /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1 as Milos wrote above. Or you can use semanage as the alert tells you.
I have performed the command as advised:

# chcon -t textrel_shlib_t /u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1

How can I confirm or test it?

Regards,
John
Please use the same command which caused the original AVC. Perhaps the command which connects from host to oracle database using sqlplus 11gr2.
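As an added example (not from this bug thread or from Red Hat's tooling), a small Python triage script that parses raw AVC records like the one in the report, emits the persistent relabel commands (semanage fcontext plus restorecon) for an execmod denial on a default_t file, and, after the fix, checks the audit log for any newer execmod denials on the same path; the sample record is the one quoted in the report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Raw AVC record as printed by auditd/sealert (the sample below is the one quoted in the report).
AVC_RE = re.compile(r'type=AVC msg=audit\((?P<ts>[\d.]+):\d+\): avc:\s+(?P<result>denied|granted)'
                    r'\s+\{ (?P<perms>[^}]*) \}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs after "for"; values may be quoted

@dataclass
class Avc:
    ts: float
    result: str
    perms: List[str]
    fields: Dict[str, str]

def parse_avc(line: str) -> Optional[Avc]:
    """Parse one type=AVC record; other record types (SYSCALL, ...) return None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Avc(float(m.group("ts")), m.group("result"), m.group("perms").split(), fields)

def relabel_commands(avc: Avc) -> List[str]:
    """Persistent fix for an execmod denial on an unlabelled (default_t) file: record the context
    with semanage, then apply it with restorecon. Anything else is left for manual review."""
    path = avc.fields.get("path")
    if avc.result != "denied" or "execmod" not in avc.perms or not path:
        return []
    # tcontext is user:role:type:level; only auto-relabel files that carry no real type yet
    if avc.fields.get("tclass") != "file" or avc.fields.get("tcontext", "").split(":")[2:3] != ["default_t"]:
        return []
    return [f"semanage fcontext -a -t textrel_shlib_t '{path}'", f"restorecon -v '{path}'"]

def execmod_denials_after(lines: List[str], path: str, since_ts: float) -> List[Avc]:
    """Post-fix check: execmod denials on `path` newer than the fix time mean the label
    did not take, or was lost to a relabel because no fcontext rule was recorded."""
    parsed = (parse_avc(line) for line in lines)
    return [a for a in parsed if a and a.result == "denied" and "execmod" in a.perms
            and a.fields.get("path") == path and a.ts > since_ts]

# Constructed sample: the AVC record quoted in the bug report.
SAMPLE = [
    'type=AVC msg=audit(1343654921.310:4292): avc: denied { execmod } for pid=23716 comm="clnaddrd" '
    'path="/u01/app/oracle/product/11.2.0/client_1/lib/libclntsh.so.11.1" dev=dm-8 ino=3375455 '
    'scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:default_t:s0 tclass=file',
]
```

Feed it `ausearch -m AVC` output (or the AVC lines from /var/log/audit/audit.log) taken after re-running sqlplus; an empty result from execmod_denials_after confirms the relabel held.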