php with oci8

Daniel J Walsh dwalsh at redhat.com
Sat Apr 5 11:26:20 UTC 2008



pselinux wrote:
> Hi,
>   I am compiling PHP 5.2.5 with OCI8 on CentOS 5. I have installed the
> following from Oracle
> 
> oracle-instantclient-basic-10.2.0.3-1
> oracle-instantclient-sqlplus-10.2.0.3-1
> oracle-instantclient-devel-10.2.0.3-1
> 
> These were the compile options used while configuring PHP
> 
> './configure' '--prefix=/usr/local/php-5.2.5' '--cache-file=../config.cache'
> '--with-libdir=lib' '--with-config-file-path=/usr/local/php-5.2.5/etc'
> '--with-config-file-scan-dir=/usr/local/php-5.2.5/etc/php.d'
> '--disable-debug' '--with-pic' '--disable-rpath' '--with-pear' '--with-bz2'
> '--with-curl' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr'
> '--with-png-dir=/usr' '--enable-gd-native-ttf' '--with-gettext' '--with-gmp'
> '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-pspell'
> '--with-pcre-regex' '--with-zlib' '--with-layout=GNU' '--enable-exif'
> '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem'
> '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx' '--with-kerberos'
> '--enable-ucd-snmp-hack' '--with-snmp=shared,/usr'
> '--with-unixODBC=shared,/usr' '--enable-shmop' '--enable-calendar'
> '--with-mime-magic=/etc/httpd/conf/magic' '--without-sqlite'
> '--with-libxml-dir=/usr' '--enable-dom=shared' '--with-pgsql=shared' 
> '--disable-dba' '--disable-xmlreader' '--disable-xmlwriter' '--without-gdbm'
> '--with-gd=shared' '--with-imap=shared' '--with-imap-ssl'
> '--with-mysql=shared,/usr' '--with-mysqli=shared,/usr/bin/mysql_config'
> '--enable-mbstring=shared' '--enable-mbregex'  '--with-libmbfl'
> '--with-pdo-mysql=shared,/usr/bin/mysql_config' '--enable-pdo=shared' 
> '--with-pdo-odbc=shared,unixODBC,/usr'  '--with-xmlrpc=shared'
> '--with-ncurses=shared' '--with-ldap=shared'  '--with-pdo-pgsql=shared,/usr'
> '--without-pdo-sqlite' '--with-db4=/usr' '--enable-force-cgi-redirect'
> '--enable-pcntl' '--with-xsl=shared,/usr' '--enable-xmlreader=shared'
> '--enable-xmlwriter=shared' '--enable-fastcgi'  '--enable-cgi'
> '--with-apxs2=/usr/sbin/apxs'
> '--with-oci8=shared,instantclient,/usr/lib/oracle/10.2.0.3/client/lib'
> '--enable-sigchild'
> 
> Compile and install was successful. Apache was not working and these are the
> sealert messages. I am putting here only the summary, raw audit message and
> suggestions, which I followed in the same order below to make Apache work.
> 
> 
> 1. Summary
>     SELinux is preventing /usr/local/php-5.2.5/bin/php from loading
>     /usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so which requires text
>     relocation.
>    
>     Raw Audit Messages            
> 
> avc: denied { execmod } for comm="php" dev=dm-0 egid=0 euid=0
> exe="/usr/local/php-5.2.5/bin/php" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
> path="/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so" pid=27356
> scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0
> subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file
> tcontext=system_u:object_r:lib_t:s0 tty=pts1 uid=0
> 
>     chcon -t textrel_shlib_t /usr/lib/oracle/10.2.0.3/client/lib/*.so
> 
> 
> 2.  SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to
>     <Unknown> (httpd_t).
>     Raw Audit Messages            
> 
> avc: denied { execstack } for comm="httpd" egid=0 euid=0
> exe="/usr/sbin/httpd"
> exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=27907
> scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0
> suid=0
> tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
> 
>      setsebool -P httpd_disable_trans=1
> 
> 3. Summary
>     SELinux is preventing /usr/sbin/httpd from changing the access
>     protection of memory on the heap.
>     Raw Audit Messages            
> 
> avc: denied { execheap } for comm="httpd" egid=0 euid=0
> exe="/usr/sbin/httpd"
> exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=3913
> scontext=root:system_r:initrc_t:s0
> sgid=0 subj=root:system_r:initrc_t:s0 suid=0 tclass=process
> tcontext=root:system_r:initrc_t:s0 tty=(none) uid=0
> 
>      setsebool -P allow_execheap=1
> 
> 
> 
> Has anybody compiled PHP 5 with Oracle client on Red Hat or CentOS 5 without
> any SELinux issues? Is this a known issue, or are my procedures wrong? I
> tried compiling a couple of weeks back with Red Hat ent5 php source rpms
> and got the same SELinux errors. Any possible help to put back
> allow_execheap=0  httpd_disable_trans=0.
> 
> Thanks.
> 
> 
> 
Seems the Oracle PHP application is doing some bad things with memory.
It is basically attempting to make it both writeable and executable at
the same time.  This can cause potential problems as described in

http://people.redhat.com/~drepper/selinux-mem.html

and

http://danwalsh.livejournal.com/16975.html

You should probably report this as a bug to Oracle, and you can
customize your policy to allow this access using audit2allow

# grep http /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

This should allow you to run these Oracle apps with SELinux in enforcing
mode.
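
An added example, not part of the original thread and not code from the SELinux tools: before installing a module built with `grep http ... | audit2allow -M myhttp`, it is worth listing which denials that grep actually selects and which source domain each one would grant a memory-protection permission to. The sample lines are the three denials quoted above, abridged to one line each; the function names are hypothetical.

```python
import re

# Permissions that relax memory protections (the subject of the linked articles).
MEMORY_PERMS = {"execmem", "execmod", "execstack", "execheap"}

# Sample input: the three denials quoted in this thread, abridged to one line each.
SAMPLE_LOG = """\
avc: denied { execmod } for comm="php" exe="/usr/local/php-5.2.5/bin/php" path="/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so" scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=file tcontext=system_u:object_r:lib_t:s0
avc: denied { execstack } for comm="httpd" exe="/usr/sbin/httpd" scontext=root:system_r:httpd_t:s0 tclass=process tcontext=root:system_r:httpd_t:s0
avc: denied { execheap } for comm="httpd" exe="/usr/sbin/httpd" scontext=root:system_r:initrc_t:s0 tclass=process tcontext=root:system_r:initrc_t:s0
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial into a dict, or return None for any other line."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    f = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {"perms": set(m.group(1).split()), "comm": f.get("comm"),
            "source": selinux_type(f["scontext"]),
            "target": selinux_type(f["tcontext"]), "tclass": f["tclass"]}

def review(log, pattern="http", expected_source="httpd_t"):
    """Describe the denials `grep <pattern>` would pass on to audit2allow."""
    findings = []
    for line in log.splitlines():
        # Same selection as `grep http`: plain substring match on the record.
        avc = parse_avc(line) if pattern in line else None
        if avc is None:
            continue
        notes = []
        if avc["perms"] & MEMORY_PERMS:
            notes.append("memory-protection permission")
        if avc["source"] != expected_source:
            notes.append("source domain is not " + expected_source)
        findings.append((avc["source"], avc["tclass"], sorted(avc["perms"]), notes))
    return findings

if __name__ == "__main__":
    for source, tclass, perms, notes in review(SAMPLE_LOG):
        print(source, tclass, ",".join(perms), "|", "; ".join(notes))
```

On this input the grep selects only the two httpd records, and the execheap denial has source domain initrc_t, so a module generated from it would grant execheap to initrc_t rather than to httpd_t.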




More information about the fedora-selinux-list mailing list