pselinux wrote:
Hi,
I am compiling PHP 5.2.5 with OCI8 on CentOS 5. I have installed the
following from Oracle:
oracle-instantclient-basic-10.2.0.3-1
oracle-instantclient-sqlplus-10.2.0.3-1
oracle-instantclient-devel-10.2.0.3-1
These were the compile options used while configuring PHP:
'./configure' '--prefix=/usr/local/php-5.2.5'
'--cache-file=../config.cache'
'--with-libdir=lib' '--with-config-file-path=/usr/local/php-5.2.5/etc'
'--with-config-file-scan-dir=/usr/local/php-5.2.5/etc/php.d'
'--disable-debug' '--with-pic' '--disable-rpath'
'--with-pear' '--with-bz2'
'--with-curl' '--with-exec-dir=/usr/bin'
'--with-freetype-dir=/usr'
'--with-png-dir=/usr' '--enable-gd-native-ttf' '--with-gettext'
'--with-gmp'
'--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl'
'--with-pspell'
'--with-pcre-regex' '--with-zlib' '--with-layout=GNU'
'--enable-exif'
'--enable-ftp' '--enable-magic-quotes' '--enable-sockets'
'--enable-sysvsem'
'--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx'
'--with-kerberos'
'--enable-ucd-snmp-hack' '--with-snmp=shared,/usr'
'--with-unixODBC=shared,/usr' '--enable-shmop'
'--enable-calendar'
'--with-mime-magic=/etc/httpd/conf/magic' '--without-sqlite'
'--with-libxml-dir=/usr' '--enable-dom=shared'
'--with-pgsql=shared'
'--disable-dba' '--disable-xmlreader' '--disable-xmlwriter'
'--without-gdbm'
'--with-gd=shared' '--with-imap=shared' '--with-imap-ssl'
'--with-mysql=shared,/usr' '--with-mysqli=shared,/usr/bin/mysql_config'
'--enable-mbstring=shared' '--enable-mbregex' '--with-libmbfl'
'--with-pdo-mysql=shared,/usr/bin/mysql_config' '--enable-pdo=shared'
'--with-pdo-odbc=shared,unixODBC,/usr' '--with-xmlrpc=shared'
'--with-ncurses=shared' '--with-ldap=shared'
'--with-pdo-pgsql=shared,/usr'
'--without-pdo-sqlite' '--with-db4=/usr'
'--enable-force-cgi-redirect'
'--enable-pcntl' '--with-xsl=shared,/usr'
'--enable-xmlreader=shared'
'--enable-xmlwriter=shared' '--enable-fastcgi' '--enable-cgi'
'--with-apxs2=/usr/sbin/apxs'
'--with-oci8=shared,instantclient,/usr/lib/oracle/10.2.0.3/client/lib'
'--enable-sigchild'
Compile and install was successful. Apache was not working and these are the
sealert messages. I am putting here only the summary, raw audit message and
suggestions, which I followed in the same order below to make Apache work:
1. Summary
SELinux is preventing /usr/local/php-5.2.5/bin/php from loading
/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so which requires text
relocation.
Raw Audit Messages
avc: denied { execmod } for comm="php" dev=dm-0 egid=0 euid=0
exe="/usr/local/php-5.2.5/bin/php" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
path="/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so" pid=27356
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=pts1 uid=0
chcon -t textrel_shlib_t /usr/lib/oracle/10.2.0.3/client/lib/*.so
2. SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to
<Unknown> (httpd_t).
Raw Audit Messages
avc: denied { execstack } for comm="httpd" egid=0 euid=0
exe="/usr/sbin/httpd"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=27907
scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0
suid=0
tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
setsebool -P httpd_disable_trans=1
3. Summary
SELinux is preventing /usr/sbin/httpd from changing the access
protection of
memory on the heap.
Raw Audit Messages
avc: denied { execheap } for comm="httpd" egid=0 euid=0
exe="/usr/sbin/httpd"
exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=3913
scontext=root:system_r:initrc_t:s0
sgid=0 subj=root:system_r:initrc_t:s0 suid=0 tclass=process
tcontext=root:system_r:initrc_t:s0 tty=(none) uid=0
setsebool -P allow_execheap=1
Has anybody compiled PHP 5 with the Oracle client on Red Hat or CentOS 5 without
any SELinux issues? Is this a known issue, or are my procedures wrong? I
tried compiling a couple of weeks back with Red Hat ent5 PHP source RPMs
and got the same SELinux errors. Any possible help to put back
allow_execheap=0 httpd_disable_trans=0.
Thanks.

Seems the Oracle PHP application is doing some bad things with memory.
It is basically attempting to make it both writeable and executable at
the same time. This can cause potential problems as described in
http://people.redhat.com/~drepper/selinux-mem.html
and
http://danwalsh.livejournal.com/16975.html
You should probably report this as a bug to Oracle, and you can
customize your policy to allow this access using audit2allow:
# grep http /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp
This should allow you to run these Oracle apps with SELinux in enforcing
mode.
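An added example, not part of the original messages: a Python sketch that tallies AVC denials by source type, target type, class and permission, so the set of denials selected by a `grep` can be reviewed before it is handed to `audit2allow -M`. The sample log is constructed from the three denials quoted in the thread, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: the three denials quoted in the thread, one per line,
# trimmed to the fields this script reads.
SAMPLE_LOG = '''\
avc: denied { execmod } for comm="php" path="/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so" scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=file tcontext=system_u:object_r:lib_t:s0
avc: denied { execstack } for comm="httpd" exe="/usr/sbin/httpd" scontext=root:system_r:httpd_t:s0 tclass=process tcontext=root:system_r:httpd_t:s0
avc: denied { execheap } for comm="httpd" exe="/usr/sbin/httpd" scontext=root:system_r:initrc_t:s0 tclass=process tcontext=root:system_r:initrc_t:s0
'''

# Permissions covered by the SELinux memory protection checks.
MEM_PERMS = {"execmem", "execmod", "execstack", "execheap"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (source type, target type, class, [perms]) or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    if not {"scontext", "tcontext", "tclass"} <= f.keys():
        return None
    # A context is user:role:type[:level]; the type is the third field.
    src, tgt = (f[k].split(":")[2] for k in ("scontext", "tcontext"))
    return src, tgt, f["tclass"], m.group(1).split()

def summarize(log_text, needle=""):
    """Count denials per rule tuple, keeping only lines that contain needle
    (the same selection a plain `grep needle` makes)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line) if needle in line else None
        if rec:
            src, tgt, tclass, perms = rec
            for perm in perms:
                counts[(src, tgt, tclass, perm)] += 1
    return counts

def render(counts):
    """One allow-rule-style line per tuple, flagging memory protection perms."""
    out = []
    for (src, tgt, tclass, perm), n in sorted(counts.items()):
        target = "self" if src == tgt else tgt
        note = ", memory protection check" if perm in MEM_PERMS else ""
        out.append(f"allow {src} {target}:{tclass} {perm};  # seen {n}x{note}")
    return out
```

With the constructed sample, `render(summarize(SAMPLE_LOG, "http"))` leaves out the `php` execmod denial and attributes execheap to `initrc_t` rather than `httpd_t`, because that is the source context recorded in the third denial.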