PyNGL under SELinux

From: Jesper Larsen <jlar_at_nyahnyahspammersnyahnyah>
Date: Tue, 25 Mar 2008 15:48:33 +0100

Hi,

I have tried to install PyNGL on a Linux CentOS (derivative of Redhat
Enterprise) system with SELinux (Security Enhanced Linux) enabled. When
using PyNGL SELinux complains that _hlu.so and nio.so require "text
relocation". It is not really a showstopper since I have just followed
the recipe in the error log pasted in below for allowing text relocation
for these libraries. But SELinux claims that it is probably a bug in
PyNGL so I thought it was worth reporting. There is a link in the error
log below on how to fix it.

Regards,
Jesper

Summary
    SELinux is preventing python from loading
    /usr/lib/python2.4/site-packages/PyNGL/_hlu.so which requires text
    relocation.

Detailed Description
    The python application attempted to load
    /usr/lib/python2.4/site-packages/PyNGL/_hlu.so which requires text
    relocation. This is a potential security problem. Most libraries do not
    need this permission. Libraries are sometimes coded incorrectly and
    request this permission. The
    http://people.redhat.com/drepper/selinux-mem.html web page explains how
    to remove this requirement. You can configure SELinux temporarily to
    allow /usr/lib/python2.4/site-packages/PyNGL/_hlu.so to use relocation
    as a workaround, until the library is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /usr/lib/python2.4/site-packages/PyNGL/_hlu.so to run
    correctly, you can change the file context to textrel_shlib_t.
    "chcon -t textrel_shlib_t /usr/lib/python2.4/site-packages/PyNGL/_hlu.so"

    The following command will allow this access:
    chcon -t textrel_shlib_t /usr/lib/python2.4/site-packages/PyNGL/_hlu.so

Additional Information

Source Context                user_u:system_r:unconfined_t
Target Context                user_u:object_r:lib_t
Target Objects                /usr/lib/python2.4/site-packages/PyNGL/_hlu.so [ file ]
Affected RPM Packages
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execmod
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-53.1.14.el5 #1
                              SMP Wed Mar 5 06:36:49 EST 2008 i686 i686
Alert Count                   1
Line Numbers

Raw Audit Messages

avc: denied { execmod } for comm="python" dev=dm-0 egid=500 euid=500
exe="/usr/bin/python" exit=-13 fsgid=500 fsuid=500 gid=500 items=0
path="/usr/lib/python2.4/site-packages/PyNGL/_hlu.so" pid=32471
scontext=user_u:system_r:unconfined_t:s0 sgid=500
subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=file
tcontext=user_u:object_r:lib_t:s0 tty=pts3 uid=500

Summary
    SELinux is preventing python from loading
    /usr/lib/python2.4/site-packages/PyNGL/nio.so which requires text
    relocation.

Detailed Description
    The python application attempted to load
    /usr/lib/python2.4/site-packages/PyNGL/nio.so which requires text
    relocation. This is a potential security problem. Most libraries do not
    need this permission. Libraries are sometimes coded incorrectly and
    request this permission. The
    http://people.redhat.com/drepper/selinux-mem.html web page explains how
    to remove this requirement. You can configure SELinux temporarily to
    allow /usr/lib/python2.4/site-packages/PyNGL/nio.so to use relocation
    as a workaround, until the library is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /usr/lib/python2.4/site-packages/PyNGL/nio.so to run
    correctly, you can change the file context to textrel_shlib_t.
    "chcon -t textrel_shlib_t /usr/lib/python2.4/site-packages/PyNGL/nio.so"

    The following command will allow this access:
    chcon -t textrel_shlib_t /usr/lib/python2.4/site-packages/PyNGL/nio.so

Additional Information

Source Context                user_u:system_r:unconfined_t
Target Context                user_u:object_r:lib_t
Target Objects                /usr/lib/python2.4/site-packages/PyNGL/nio.so [ file ]
Affected RPM Packages
Policy RPM                    selinux-policy-2.4.6-106.el5_1.3
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execmod
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.18-53.1.14.el5 #1
                              SMP Wed Mar 5 06:36:49 EST 2008 i686 i686
Alert Count                   1
Line Numbers

Raw Audit Messages

avc: denied { execmod } for comm="python" dev=dm-0 egid=500 euid=500
exe="/usr/bin/python" exit=-13 fsgid=500 fsuid=500 gid=500 items=0
path="/usr/lib/python2.4/site-packages/PyNGL/nio.so" pid=19175
scontext=user_u:system_r:unconfined_t:s0 sgid=500
subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=file
tcontext=user_u:object_r:lib_t:s0 tty=pts3 uid=500

_______________________________________________
pyngl-talk mailing list
pyngl-talk_at_ucar.edu
http://mailman.ucar.edu/mailman/listinfo/pyngl-talk
Received on Tue Mar 25 2008 - 08:48:33 MDT
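
An added example (not part of the original post or of PyNGL): a small Python parser that pulls execmod denials out of raw audit records like the two in the message above and lists each affected library with the SELinux type it currently carries. The function names are hypothetical; the first two sample records are the post's audit messages joined onto one line and trimmed, and the third is constructed.

```python
import re
import shlex

# The two execmod records are the post's raw audit messages joined onto one
# line each (trimmed to the fields used here); the third is constructed.
SAMPLE = '''\
avc: denied { execmod } for comm="python" exe="/usr/bin/python" path="/usr/lib/python2.4/site-packages/PyNGL/_hlu.so" pid=32471 scontext=user_u:system_r:unconfined_t:s0 tclass=file tcontext=user_u:object_r:lib_t:s0
avc: denied { execmod } for comm="python" exe="/usr/bin/python" path="/usr/lib/python2.4/site-packages/PyNGL/nio.so" pid=19175 scontext=user_u:system_r:unconfined_t:s0 tclass=file tcontext=user_u:object_r:lib_t:s0
avc: denied { read write } for comm="demo" path="/tmp/constructed.dat" pid=1 scontext=user_u:system_r:unconfined_t:s0 tclass=file tcontext=user_u:object_r:tmp_t:s0
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')

def parse_avc(line):
    """Return a dict for one AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group(1).split()}
    # shlex honours the double quotes around comm=, exe= and path= values.
    for token in shlex.split(m.group(2)):
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value
    return rec

def context_type(context):
    """Third field of user:role:type[:level] is the SELinux type."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else ""

def textrel_candidates(log_text):
    """Map each shared-library path denied execmod to the type it carried."""
    found = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if not rec or "execmod" not in rec["perms"] or rec.get("tclass") != "file":
            continue
        path = rec.get("path", "")
        if path.endswith(".so") or ".so." in path:
            found[path] = context_type(rec.get("tcontext", ""))
    return found

if __name__ == "__main__":
    for path, ctype in sorted(textrel_candidates(SAMPLE).items()):
        # Listing only: review each library before relabelling it.
        print(f"{path}\tcurrent type: {ctype}")
```

The output is the list of libraries to inspect for text relocations; whether to rebuild them or relabel them as textrel_shlib_t remains a per-file decision.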

This archive was generated by hypermail 2.2.0 : Thu Jun 19 2008 - 10:44:30 MDT