SELinux is preventing Perl CGI script from accessing Oracle libraries

slec asked:

I’m trying to configure SELinux on a Red Hat Enterprise Linux 6.2 web server that runs Apache 2.2.15 and Perl 5.10.1, and connects to remote Oracle databases. The Oracle 11.2g client is installed. The PHP scripts that access Oracle are working, but the Perl scripts are not. When SELinux is enforcing and I try to access the Perl scripts through my web browser, Apache’s error logs show this message:

Can't load '/usr/local/lib64/perl5/auto/DBD/Oracle/Oracle.so' for module DBD::Oracle: libclntsh.so.11.1: cannot open shared object file: No such file or directory at /usr/lib64/perl5/DynaLoader.pm line 200.

Oddly, the audit log does not record any corresponding messages. However, when I run set SELinux to permissive mode, the Perl script works perfectly.

This is the output of ls -lZ on libclntsh.so.11.1:

-rwxr-xr-x. oracle oracle system_u:object_r:textrel_shlib_t:s0 /path/to/oracle/product/11.2.0/client/lib/libclntsh.so.11.1

Does anyone have any suggestions to fix this? I would like to be able to run the web server with SELinux.

UPDATE: After setting selinux to dontaudit, I got more output in audit.log. However, the module I created with audit2allow does not install. The output of semodule -i is: semodule: Failed on cgi_oracle!

cgi_oracle.te contains:

module cgi_oracle 1.0;

require {
    type httpd_log_t;
    type httpd_t;
    type httpd_sys_script_t;
    class process { siginh noatsecure rlimitinh };
    class file { read write };
}

#============= httpd_sys_script_t ==============
allow httpd_sys_script_t httpd_log_t:file { read write };

#============= httpd_t ==============
allow httpd_t httpd_sys_script_t:process { siginh rlimitinh noatsecure };

My answer:


A number of SELinux policies are flagged dontaudit so that they do not leave messages in the audit log. This is usually because they are policies that would just spam the log with useless entries, but sometimes developers dontaudit a denial rather than fixing the underlying problem. The policy you’re hitting is almost certainly among these, since you aren’t seeing any messages being logged in audit.log.

You can temporarily disable dontaudit by running:

semodule -DB

After you’ve discovered the cause of the problem, re-enable dontaudit with:

semodule -B

To build your policy once you’ve generated it, run:

make -f /usr/share/selinux/devel/Makefile

View the full question and answer on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.