Re: PyNGL under SELinux

From: Mary Haley <haley_at_nyahnyahspammersnyahnyah>
Date: Tue, 25 Mar 2008 10:09:25 -0600 (MDT)

Hi Jesper,

Thanks for pointing this out and for the info on how to fix it. We'll
take a look at it.

It looks like PyNIO is affected as well, so I'm almost wondering if
this is due to some common library that both PyNGL and PyNIO depend
on.

--Mary

On Tue, 25 Mar 2008, Jesper Larsen wrote:

> Hi,
>
> I have tried to install PyNGL on a Linux CentOS (derivative of Redhat
> Enterprise) system with SELinux (Security Enhanced Linux) enabled. When
> using PyNGL, SELinux complains that _hlu.so and nio.so require "text
> relocation". It is not really a showstopper since I have just followed
> the recipe in the error log pasted in below for allowing text relocation
> for these libraries. But SELinux claims that it is probably a bug in
> PyNGL so I thought it was worth reporting. There is a link in the error
> log below on how to fix it.
>
> Regards,
> Jesper
>
> Summary
> SELinux is preventing python from loading /usr/lib/python2.4/site-packages/PyNGL/_hlu.so which requires text relocation.
>
> Detailed Description
> The python application attempted to load /usr/lib/python2.4/site-packages/PyNGL/_hlu.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/python2.4/site-packages/PyNGL/_hlu.so to use relocation as a workaround, until the library is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Allowing Access
> If you trust /usr/lib/python2.4/site-packages/PyNGL/_hlu.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /usr/lib/python2.4/site-packages/PyNGL/_hlu.so"
>
> The following command will allow this access:
> chcon -t textrel_shlib_t /usr/lib/python2.4/site-packages/PyNGL/_hlu.so
>
> Additional Information
>
> Source Context user_u:system_r:unconfined_t
> Target Context user_u:object_r:lib_t
> Target Objects /usr/lib/python2.4/site-packages/PyNGL/_hlu.so [ file ]
> Affected RPM Packages
> Policy RPM selinux-policy-2.4.6-106.el5_1.3
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.allow_execmod
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5 06:36:49 EST 2008 i686 i686
> Alert Count 1
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { execmod } for comm="python" dev=dm-0 egid=500 euid=500 exe="/usr/bin/python" exit=-13 fsgid=500 fsuid=500 gid=500 items=0 path="/usr/lib/python2.4/site-packages/PyNGL/_hlu.so" pid=32471 scontext=user_u:system_r:unconfined_t:s0 sgid=500 subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=file tcontext=user_u:object_r:lib_t:s0 tty=pts3 uid=500
>
> Summary
> SELinux is preventing python from loading /usr/lib/python2.4/site-packages/PyNGL/nio.so which requires text relocation.
>
> Detailed Description
> The python application attempted to load /usr/lib/python2.4/site-packages/PyNGL/nio.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/python2.4/site-packages/PyNGL/nio.so to use relocation as a workaround, until the library is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Allowing Access
> If you trust /usr/lib/python2.4/site-packages/PyNGL/nio.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /usr/lib/python2.4/site-packages/PyNGL/nio.so"
>
> The following command will allow this access:
> chcon -t textrel_shlib_t /usr/lib/python2.4/site-packages/PyNGL/nio.so
>
> Additional Information
>
> Source Context user_u:system_r:unconfined_t
> Target Context user_u:object_r:lib_t
> Target Objects /usr/lib/python2.4/site-packages/PyNGL/nio.so [ file ]
> Affected RPM Packages
> Policy RPM selinux-policy-2.4.6-106.el5_1.3
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.allow_execmod
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain 2.6.18-53.1.14.el5 #1 SMP Wed Mar 5 06:36:49 EST 2008 i686 i686
> Alert Count 1
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { execmod } for comm="python" dev=dm-0 egid=500 euid=500 exe="/usr/bin/python" exit=-13 fsgid=500 fsuid=500 gid=500 items=0 path="/usr/lib/python2.4/site-packages/PyNGL/nio.so" pid=19175 scontext=user_u:system_r:unconfined_t:s0 sgid=500 subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=file tcontext=user_u:object_r:lib_t:s0 tty=pts3 uid=500
>
>
> _______________________________________________
> pyngl-talk mailing list
> pyngl-talk_at_ucar.edu
> http://mailman.ucar.edu/mailman/listinfo/pyngl-talk
>
Received on Tue Mar 25 2008 - 10:09:25 MDT
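As an added example (not part of the thread or of PyNGL), a small Python triage script that parses raw AVC denial lines like the two quoted above and flags the ones that match this pattern: an execmod denial on a file still labelled lib_t, which is what the loader produces when a shared object carries text relocations. The sample audit text is constructed from the two denials in the report plus one unrelated denial; the helper names are my own.

```python
import re

# Constructed sample input: the two execmod denials quoted in the report, each on one
# line, plus one unrelated (constructed) denial so the filter has something to ignore.
SAMPLE_AUDIT = """\
avc: denied { execmod } for comm="python" dev=dm-0 egid=500 euid=500 exe="/usr/bin/python" exit=-13 fsgid=500 fsuid=500 gid=500 items=0 path="/usr/lib/python2.4/site-packages/PyNGL/_hlu.so" pid=32471 scontext=user_u:system_r:unconfined_t:s0 sgid=500 subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=file tcontext=user_u:object_r:lib_t:s0 tty=pts3 uid=500
avc: denied { execmod } for comm="python" dev=dm-0 egid=500 euid=500 exe="/usr/bin/python" exit=-13 fsgid=500 fsuid=500 gid=500 items=0 path="/usr/lib/python2.4/site-packages/PyNGL/nio.so" pid=19175 scontext=user_u:system_r:unconfined_t:s0 sgid=500 subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=file tcontext=user_u:object_r:lib_t:s0 tty=pts3 uid=500
avc: denied { read } for comm="httpd" name="index.html" dev=dm-0 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    event = {"perms": m.group("perms").split()}
    for key, value in KV_RE.findall(m.group("rest")):
        event[key] = value.strip('"')
    return event


def context_type(context):
    """user_u:object_r:lib_t:s0 -> lib_t (the type is the third field of a context)."""
    return context.split(":")[2]


def needs_textrel_review(event):
    """True when a file labelled lib_t was denied execmod: the loader tried to make the
    library's text segment writable and then executable again, i.e. text relocations."""
    return ("execmod" in event["perms"] and event.get("tclass") == "file"
            and context_type(event.get("tcontext", "::")) == "lib_t")


def workaround_command(event):
    """The relabel workaround setroubleshoot proposes in the report. The durable fix is to
    rebuild the object as position-independent code so it needs no text relocation."""
    return "chcon -t textrel_shlib_t %s" % event["path"]


def triage(audit_text):
    """Parse every AVC line and mark the textrel/execmod suspects."""
    events = [e for e in (parse_avc(ln) for ln in audit_text.splitlines()) if e]
    for e in events:
        e["textrel_suspect"] = needs_textrel_review(e)
    return events
```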
