04-02-2008, 08:24 PM
pselinux

php with oci8

Hi,
I am compiling php 5.2.5 with OCI8 on CentOS 5. I have installed the
following from oracle

oracle-instantclient-basic-10.2.0.3-1
oracle-instantclient-sqlplus-10.2.0.3-1
oracle-instantclient-devel-10.2.0.3-1

These were the compile options used while configuring php

'./configure' '--prefix=/usr/local/php-5.2.5' '--cache-file=../config.cache'
'--with-libdir=lib' '--with-config-file-path=/usr/local/php-5.2.5/etc'
'--with-config-file-scan-dir=/usr/local/php-5.2.5/etc/php.d'
'--disable-debug' '--with-pic' '--disable-rpath' '--with-pear' '--with-bz2'
'--with-curl' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr'
'--with-png-dir=/usr' '--enable-gd-native-ttf' '--with-gettext' '--with-gmp'
'--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-pspell'
'--with-pcre-regex' '--with-zlib' '--with-layout=GNU' '--enable-exif'
'--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem'
'--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx' '--with-kerberos'
'--enable-ucd-snmp-hack' '--with-snmp=shared,/usr'
'--with-unixODBC=shared,/usr' '--enable-shmop' '--enable-calendar'
'--with-mime-magic=/etc/httpd/conf/magic' '--without-sqlite'
'--with-libxml-dir=/usr' '--enable-dom=shared' '--with-pgsql=shared'
'--disable-dba' '--disable-xmlreader' '--disable-xmlwriter' '--without-gdbm'
'--with-gd=shared' '--with-imap=shared' '--with-imap-ssl'
'--with-mysql=shared,/usr' '--with-mysqli=shared,/usr/bin/mysql_config'
'--enable-mbstring=shared' '--enable-mbregex' '--with-libmbfl'
'--with-pdo-mysql=shared,/usr/bin/mysql_config' '--enable-pdo=shared'
'--with-pdo-odbc=shared,unixODBC,/usr' '--with-xmlrpc=shared'
'--with-ncurses=shared' '--with-ldap=shared' '--with-pdo-pgsql=shared,/usr'
'--without-pdo-sqlite' '--with-db4=/usr' '--enable-force-cgi-redirect'
'--enable-pcntl' '--with-xsl=shared,/usr' '--enable-xmlreader=shared'
'--enable-xmlwriter=shared' '--enable-fastcgi' '--enable-cgi'
'--with-apxs2=/usr/sbin/apxs'
'--with-oci8=shared,instantclient,/usr/lib/oracle/10.2.0.3/client/lib'
'--enable-sigchild'

Compile and install was successful. Apache was not working and these are the
sealert messages. I am putting here only the summary, raw audit message and
suggestions, which I followed in the same order below to make Apache work.


1. Summary
SELinux is preventing /usr/local/php-5.2.5/bin/php from loading
/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so which requires text
relocation.

Raw Audit Messages

avc: denied { execmod } for comm="php" dev=dm-0 egid=0 euid=0
exe="/usr/local/php-5.2.5/bin/php" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
path="/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so" pid=27356
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=pts1 uid=0

chcon -t textrel_shlib_t /usr/lib/oracle/10.2.0.3/client/lib/*.so


2. SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to
<Unknown> (httpd_t).
Raw Audit Messages

avc: denied { execstack } for comm="httpd" egid=0 euid=0
exe="/usr/sbin/httpd"
exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=27907
scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0
suid=0
tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0

setsebool -P httpd_disable_trans=1

3. Summary
SELinux is preventing /usr/sbin/httpd from changing the access
protection of
memory on the heap.
Raw Audit Messages

avc: denied { execheap } for comm="httpd" egid=0 euid=0
exe="/usr/sbin/httpd"
exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=3913
scontext=root:system_r:initrc_t:s0
sgid=0 subj=root:system_r:initrc_t:s0 suid=0 tclass=process
tcontext=root:system_r:initrc_t:s0 tty=(none) uid=0

setsebool -P allow_execheap=1



Has anybody compiled PHP 5 with Oracle client on Redhat or Centos 5 without
any selinux issues? Is this a known issue or are my procedures wrong? I
have tried compiling a couple of weeks back with Red Hat ent5 php source rpms
and got the same selinux errors. Any possible help to put back
allow_execheap=0 httpd_disable_trans=0.

Thanks.



--
View this message in context: http://www.nabble.com/php-with-oci8-tp16447650p16447650.html
Sent from the Fedora SELinux List mailing list archive at Nabble.com.

--
fedora-selinux-list mailing list
fedora-selinux-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
 
04-05-2008, 11:26 AM
Daniel J Walsh

php with oci8

pselinux wrote:
> Hi,
> I am compiling php 5.2.5 with OCI8 on CentOS 5. I have installed the
> following from oracle
>
> oracle-instantclient-basic-10.2.0.3-1
> oracle-instantclient-sqlplus-10.2.0.3-1
> oracle-instantclient-devel-10.2.0.3-1
>
> These were the compile options used while configuring php
>
> './configure' '--prefix=/usr/local/php-5.2.5' '--cache-file=../config.cache'
> '--with-libdir=lib' '--with-config-file-path=/usr/local/php-5.2.5/etc'
> '--with-config-file-scan-dir=/usr/local/php-5.2.5/etc/php.d'
> '--disable-debug' '--with-pic' '--disable-rpath' '--with-pear' '--with-bz2'
> '--with-curl' '--with-exec-dir=/usr/bin' '--with-freetype-dir=/usr'
> '--with-png-dir=/usr' '--enable-gd-native-ttf' '--with-gettext' '--with-gmp'
> '--with-iconv' '--with-jpeg-dir=/usr' '--with-openssl' '--with-pspell'
> '--with-pcre-regex' '--with-zlib' '--with-layout=GNU' '--enable-exif'
> '--enable-ftp' '--enable-magic-quotes' '--enable-sockets' '--enable-sysvsem'
> '--enable-sysvshm' '--enable-sysvmsg' '--enable-wddx' '--with-kerberos'
> '--enable-ucd-snmp-hack' '--with-snmp=shared,/usr'
> '--with-unixODBC=shared,/usr' '--enable-shmop' '--enable-calendar'
> '--with-mime-magic=/etc/httpd/conf/magic' '--without-sqlite'
> '--with-libxml-dir=/usr' '--enable-dom=shared' '--with-pgsql=shared'
> '--disable-dba' '--disable-xmlreader' '--disable-xmlwriter' '--without-gdbm'
> '--with-gd=shared' '--with-imap=shared' '--with-imap-ssl'
> '--with-mysql=shared,/usr' '--with-mysqli=shared,/usr/bin/mysql_config'
> '--enable-mbstring=shared' '--enable-mbregex' '--with-libmbfl'
> '--with-pdo-mysql=shared,/usr/bin/mysql_config' '--enable-pdo=shared'
> '--with-pdo-odbc=shared,unixODBC,/usr' '--with-xmlrpc=shared'
> '--with-ncurses=shared' '--with-ldap=shared' '--with-pdo-pgsql=shared,/usr'
> '--without-pdo-sqlite' '--with-db4=/usr' '--enable-force-cgi-redirect'
> '--enable-pcntl' '--with-xsl=shared,/usr' '--enable-xmlreader=shared'
> '--enable-xmlwriter=shared' '--enable-fastcgi' '--enable-cgi'
> '--with-apxs2=/usr/sbin/apxs'
> '--with-oci8=shared,instantclient,/usr/lib/oracle/10.2.0.3/client/lib'
> '--enable-sigchild'
>
> Compile and install was successful. Apache was not working and these are the
> sealert messages. I am putting here only the summary, raw audit message and
> suggestions, which I followed in the same order below to make Apache work.
>
>
> 1. Summary
> SELinux is preventing /usr/local/php-5.2.5/bin/php from loading
> /usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so which requires text
> relocation.
>
> Raw Audit Messages
>
> avc: denied { execmod } for comm="php" dev=dm-0 egid=0 euid=0
> exe="/usr/local/php-5.2.5/bin/php" exit=-13 fsgid=0 fsuid=0 gid=0 items=0
> path="/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so" pid=27356
> scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0
> subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file
> tcontext=system_u:object_r:lib_t:s0 tty=pts1 uid=0
>
> chcon -t textrel_shlib_t /usr/lib/oracle/10.2.0.3/client/lib/*.so
>
>
> 2. SELinux is preventing /usr/sbin/httpd (httpd_t) "execstack" access to
> <Unknown> (httpd_t).
> Raw Audit Messages
>
> avc: denied { execstack } for comm="httpd" egid=0 euid=0
> exe="/usr/sbin/httpd"
> exit=-13 fsgid=0 fsuid=0 gid=0 items=0 pid=27907
> scontext=root:system_r:httpd_t:s0 sgid=0 subj=root:system_r:httpd_t:s0
> suid=0
> tclass=process tcontext=root:system_r:httpd_t:s0 tty=(none) uid=0
>
> setsebool -P httpd_disable_trans=1
>
> 3. Summary
> SELinux is preventing /usr/sbin/httpd from changing the access
> protection of
> memory on the heap.
> Raw Audit Messages
>
> avc: denied { execheap } for comm="httpd" egid=0 euid=0
> exe="/usr/sbin/httpd"
> exit=0 fsgid=0 fsuid=0 gid=0 items=0 pid=3913
> scontext=root:system_r:initrc_t:s0
> sgid=0 subj=root:system_r:initrc_t:s0 suid=0 tclass=process
> tcontext=root:system_r:initrc_t:s0 tty=(none) uid=0
>
> setsebool -P allow_execheap=1
>
>
>
> Has anybody compiled PHP 5 with Oracle client on Redhat or Centos 5 without
> any selinux issues? Is this a known issue or are my procedures wrong? I
> have tried compiling a couple of weeks back with Red Hat ent5 php source rpms
> and got the same selinux errors. Any possible help to put back
> allow_execheap=0 httpd_disable_trans=0.
>
> Thanks.
>
>
>
Seems the Oracle PHP application is doing some bad things with memory.
It is basically attempting to make it both writeable and executable at
the same time. This can cause potential problems as described in

http://people.redhat.com/~drepper/selinux-mem.html

and

http://danwalsh.livejournal.com/16975.html

You should probably report this as a bug to oracle, and you can
customize your policy to allow this access using audit2allow

# grep http /var/log/audit/audit.log | audit2allow -M myhttp
# semodule -i myhttp.pp

This should allow you to run these oracle apps with SELinux in enforcing
mode.

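Added example (not part of any post in this thread, and not code from the posters or from Oracle): a small parser that turns the three AVC denials quoted above into the kind of allow rule audit2allow derives from them, and marks the ones that concern writable-and-executable memory. The sample log is rebuilt from the thread's audit messages and trimmed; the function names and the `match` argument, which imitates the `grep http` filter, are assumptions of this example, and the rule text only approximates audit2allow's output.

```python
import re

# Constructed sample: the thread's three denials, rejoined onto single lines
# and trimmed to the fields used below.
AUDIT_LOG = (
    'avc: denied { execmod } for comm="php" exe="/usr/local/php-5.2.5/bin/php" '
    'path="/usr/lib/oracle/10.2.0.3/client/lib/libnnz10.so" '
    'scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tclass=file '
    'tcontext=system_u:object_r:lib_t:s0\n'
    'avc: denied { execstack } for comm="httpd" exe="/usr/sbin/httpd" '
    'scontext=root:system_r:httpd_t:s0 tclass=process '
    'tcontext=root:system_r:httpd_t:s0\n'
    'avc: denied { execheap } for comm="httpd" exe="/usr/sbin/httpd" '
    'scontext=root:system_r:initrc_t:s0 tclass=process '
    'tcontext=root:system_r:initrc_t:s0\n'
)

# Permissions that let memory be writable and executable at once.
MEM_PERMS = {"execmem", "execmod", "execstack", "execheap"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return the perms, types and class of one AVC denial, or None."""
    m = AVC_RE.search(line)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if not m or not {"scontext", "tcontext", "tclass"} <= fields.keys():
        return None
    return {"perms": m.group(1).split(), "comm": fields.get("comm"),
            "source": fields["scontext"].split(":")[2],  # type is 3rd field
            "target": fields["tcontext"].split(":")[2],
            "tclass": fields["tclass"]}

def allow_rule(avc):
    """Approximate the allow rule audit2allow derives from a denial."""
    target = "self" if avc["source"] == avc["target"] else avc["target"]
    perms = avc["perms"]
    text = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source']} {target}:{avc['tclass']} {text};"

def triage(log, match=None):
    """List (rule, is_memory_protection, comm); `match` imitates grep."""
    rows = []
    for line in log.splitlines():
        avc = parse_avc(line) if (match is None or match in line) else None
        if avc:
            is_mem = bool(MEM_PERMS & set(avc["perms"]))
            rows.append((allow_rule(avc), is_mem, avc["comm"]))
    return rows
```

With `match="http"` only the two httpd records survive, so the execmod denial from `php` never reaches the module, and the execheap rule is written for `initrc_t` because that is the domain the record was logged in.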
 
04-05-2008, 02:49 PM
"Pad Hosmane"

php with oci8

> > Has anybody compiled PHP 5 with Oracle client on Redhat or Centos 5 without
> > any selinux issues? Is this a known issue or are my procedures wrong? I
> > have tried compiling a couple of weeks back with Red Hat ent5 php source rpms
> > and got the same selinux errors. Any possible help to put back
> > allow_execheap=0 httpd_disable_trans=0.
> >
> > Thanks.
> >
> Seems the Oracle PHP application is doing some bad things with memory.
> It is basically attempting to make it both writeable and executable at
> the same time. This can cause potential problems as described in
>
> http://people.redhat.com/~drepper/selinux-mem.html
>
> and
>
> http://danwalsh.livejournal.com/16975.html
>
> You should probably report this as a bug to oracle, and you can
> customize your policy to allow this access using audit2allow
>
> # grep http /var/log/audit/audit.log | audit2allow -M myhttp
> # semodule -i myhttp.pp
>
> This should allow you to run these oracle apps with SELinux in enforcing
> mode.


Hi Dan,
Thank you for the reply. I found this on the Oracle website:

----------------------------------------------------------------------------
5.2 Error While Loading Shared Library When SELinux is Enforcing on
Oracle Enterprise Linux 5.0 and Red Hat Enterprise Linux 5.0

SQL*Plus and Oracle Call Interface (OCI) program calls fail with SELinux
in the Enforcing mode on Oracle Enterprise Linux 5.0 and Red Hat
Enterprise Linux 5.0. Refer to the OracleMetaLink note 454196.1 for more
details about the issue.

Workaround: Shift SELinux to Permissive mode on the system.

This issue is tracked with Oracle bugs 6140224 and 6342166.
----------------------------------------------------------------------------

The above comment can be found at:

http://download.oracle.com/docs/cd/B28359_01/relnotes.111/b32001/toc.htm#CJAFABGC

I don't have Oracle Meta link access to get more details.

Thanks,
PH



 

All times are GMT.