[Spacewalk-list] selinux blocking

Jan Pazdziora jpazdziora at redhat.com
Tue Feb 10 08:42:57 UTC 2009 

On Tue, Feb 10, 2009 at 08:50:38AM +0100, Jan-Frode Myklebust wrote:
> I'm a bit puzzled by this one... I'm sure I've been running spacewalk
> for a while with selinux enabled (on RHEL5u3), but suddenly it stopped
> working. When I try to start httpd, I get:
> 
> type=AVC msg=audit(1234251828.657:352996): avc:  denied  { execstack }
> for  pid=30881 comm="httpd" scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:system_r:httpd_t:s0 tclass=process
> type=AVC msg=audit(1234252060.463:353046): avc:  denied  { execmem } for
> pid=30967 comm="httpd" scontext=user_u:system_r:httpd_t:s0
> tcontext=user_u:system_r:httpd_t:s0 tclass=process
> 
> 
> [Tue Feb 10 08:43:48 2009] [error] Can't load
> '/usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi/auto/DBD/Oracle/Oracle.so'
> for module DBD::Oracle: libocci.so.10.1: cannot enable executable stack
> as shared object requires: Permission denied at
> /usr/lib64/perl5/5.8.8/x86_64-linux-thread-multi/DynaLoader.pm line
> 230.\n at /usr/lib/perl5/site_perl/5.8.8/RHN/DB.pm line 539\nCompilation
> failed in require at /usr/lib/perl5/site_perl/5.8.8/RHN/DB.pm line
> 539.\nBEGIN failed--compilation aborted at
> /usr/lib/perl5/site_perl/5.8.8/RHN/DB.pm line 539.\nCompilation failed
> in require at /etc/rhn/satellite-httpd/conf/startup.pl line 9.\nBEGIN
> failed--compilation aborted at /etc/rhn/satellite-httpd/conf/startup.pl
> line 9.\nCompilation failed in require at (eval 2) line 1.\n
> [Tue Feb 10 08:43:48 2009] [error] Can't load Perl file:
> /etc/rhn/satellite-httpd/conf/startup.pl for server
> spacewalk.example.com:80, exiting...
> 
> But both /usr/lib/oracle/10.2.0.3/client64/lib/libocci.so.10.1 and
> /usr/lib64/perl5/vendor_perl/5.8.8/x86_64-linux-thread-multi/auto/DBD/Oracle/Oracle.so
> is labeled textrel_shlib_t.
> 
> Also, simply disabling transition for httpd (httpd_disable_trans=on)
> doesn't help. I have to put selinux into permissive mode to get past
> this one.. Any ideas what might cause it ?

Could you please check that the libocci.so.10.1 has execstack cleared?
What does

	execstack -q /usr/lib/oracle/10.2.0.3/client64/lib/libocci.so.10.1

return?

-- 
Jan Pazdziora
Satellite Engineering, Red Hat

More information about the Spacewalk-list mailing list