SELinux is preventing Perl CGI script from accessing Oracle libraries
Solution 1:
A number of SELinux policies are flagged dontaudit
so that they do not leave messages in the audit log. This is usually because they are policies that would just spam the log with useless entries, but sometimes developers dontaudit
a denial rather than fixing the underlying problem. The policy you're hitting is almost certainly among these, since you aren't seeing any messages being logged in audit.log
.
You can temporarily disable dontaudit
by running:
semodule -DB
After you've discovered the cause of the problem, re-enable dontaudit
with:
semodule -B
To build your policy once you've generated it, run:
make -f /usr/share/selinux/devel/Makefile
Solution 2:
To correctly identify the problem - you must run test with SELinux permissive mode, otherwise you will need to run tests one by one and might take a time. After, stop web service, be sure that your audit logs are empty or rotated, run web service, run scripts/test, check audit logs and write new policy. As I understand your scripts want to access oracle libraries for read, so you will need to add read permission for "system_u:object_r:textrel_shlib_t:s0" on your application. I don't know what is the labeling structure for oracle, but i'm sure you can find out. Check audit2allow.
Solution 3:
You can also try setroubleshoot.. it will also give you clues to what is being restricted and the commands to resolve the issue. Most of the time all you have to do is copy and paste exactly what is given.
yum install -y setroubleshoot
then
grep setrouble /var/log/messages
For example:
Aug 6 12:36:11 cnt3 setroubleshoot: [avc.ERROR] Plugin Exception catchall_boolean #012Traceback (most recent call last):#012 File "/usr/lib/python2.6/site-packages/setroubleshoot/analyze.py", line 191, in analyze_avc#012 report = plugin.analyze(avc)#012 File "/usr/share/setroubleshoot/plugins/catchall_boolean.py", line 90, in analyze#012 man_page = self.check_for_man(b)#012 File "/usr/share/setroubleshoot/plugins/catchall_boolean.py", line 76, in check_for_man#012 man_page = name.split("_")[0] + "_selinux"#012AttributeError: 'tuple' object has no attribute 'split'
Aug 6 12:36:11 cnt3 setroubleshoot: SELinux is preventing /usr/libexec/gdm-session-worker from read access on the directory /root. For complete SELinux messages. run sealert -l 721b07e3-e0e2-4a0e-a676-8eb622f7ce01
sealert -l 721b07e3-e0e2-4a0e-a676-8eb622f7ce01
sealert -l 721b07e3-e0e2-4a0e-a676-8eb622f7ce01
SELinux is preventing /usr/libexec/gdm-session-worker from read access on the directory /root.
***** Plugin catchall (100. confidence) suggests ***************************
If you believe that gdm-session-worker should be allowed read access on the root directory by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing:
grep gdm-session-wor /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
Follow what the sealert -l tells you, and I think your problem should be solved. Hope that helps.