SELinux is preventing Perl CGI script from accessing Oracle libraries

apache-2.2 redhat oracle perl selinux

Solution 1:

A number of SELinux policies are flagged dontaudit so that they do not leave messages in the audit log. This is usually because they are policies that would just spam the log with useless entries, but sometimes developers dontaudit a denial rather than fixing the underlying problem. The policy you're hitting is almost certainly among these, since you aren't seeing any messages being logged in audit.log.

You can temporarily disable dontaudit by running:

semodule -DB

After you've discovered the cause of the problem, re-enable dontaudit with:

semodule -B

To build your policy once you've generated it, run:

make -f /usr/share/selinux/devel/Makefile

Solution 2:

To correctly identify the problem - you must run test with SELinux permissive mode, otherwise you will need to run tests one by one and might take a time. After, stop web service, be sure that your audit logs are empty or rotated, run web service, run scripts/test, check audit logs and write new policy. As I understand your scripts want to access oracle libraries for read, so you will need to add read permission for "system_u:object_r:textrel_shlib_t:s0" on your application. I don't know what is the labeling structure for oracle, but i'm sure you can find out. Check audit2allow.

Solution 3:

You can also try setroubleshoot.. it will also give you clues to what is being restricted and the commands to resolve the issue. Most of the time all you have to do is copy and paste exactly what is given.

yum install -y setroubleshoot

then

grep setrouble /var/log/messages

For example:

Aug  6 12:36:11 cnt3 setroubleshoot: [avc.ERROR] Plugin Exception catchall_boolean #012Traceback (most recent call last):#012  File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 191, in analyze_avc#012    report = plugin.analyze(avc)#012  File "/usr/share/setroubleshoot/plugins/catchall_boolean.py", line 90, in analyze#012    man_page = self.check_for_man(b)#012  File "/usr/share/setroubleshoot/plugins/catchall_boolean.py", line 76, in check_for_man#012    man_page = name.split("_")[0] + "_selinux"#012AttributeError: 'tuple' object has no attribute 'split'
Aug  6 12:36:11 cnt3 setroubleshoot: SELinux is preventing /usr/libexec/gdm-session-worker from read access on the directory /root. For complete SELinux messages. run sealert -l 721b07e3-e0e2-4a0e-a676-8eb622f7ce01

sealert -l 721b07e3-e0e2-4a0e-a676-8eb622f7ce01

sealert -l 721b07e3-e0e2-4a0e-a676-8eb622f7ce01
SELinux is preventing /usr/libexec/gdm-session-worker from read access on the directory /root.

*****  Plugin catchall (100. confidence) suggests  ***************************

If you believe that gdm-session-worker should be allowed read access on the root directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:

grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp

Follow what the sealert -l tells you, and I think your problem should be solved. Hope that helps.

Related

Dovecot: Email clients and duplicated folders
Apache mpm worker + wsgi Python/Django workers stuck
Directly Formatting a Device on a Linux System
Replace MyISAM files without stopping Mysql
Can you tell by the network traffic whether a video was watched or downloaded from YouTube?
Shell script to fix bad filenames?
Scriptable DVD authoring solution for Linux? [closed]
What happens to the content of RAM when a computer turns off?
Is there any way to prevent the current CMD input being erased by a blank history suggestion?
What would be the easiest way of quickly mailing a file through GMail?
How can I image a hard disk multiple times simultaneously?
Installing Windows 7 upgrade version on a clean disk [duplicate]