I’m trying to debug a problematic interaction between our software and SELinux on RHEL6. Under default SELinux=enforcing configurations, our server fails with:
Error while loading shared libraries : /usr/lib/xxxx : cannot enable executable stack as shared object requires
This is a known issue with how one of our modules is built, and it isn’t scheduled to be addressed in the near future (the part that requires changing has a lengthy government certification process, and we want all changes to this area done at the same time to limit the number of times we have to certify). It’s been fixable in RHEL5 with a simple chcon -t textrel_shlib_t /usr/lib/xxxx.
But for some reason, while the same command gives no errors back, it also doesn’t prevent the problem that keeps us from running, under RHEL6.
One of the many suggestions for fixing or debugging the issue was to build a custom policy using audit2allow, and deal with it that way. Basically, you set your SELinux machine to permissive, do the offending operation, and then take the errors that it generated-but-ignored, build a policy with them, and then you can set your box back to enforcing, add the policy, and bobsuruncle. So I bring up /etc/selinux/config in my handy editor, but because I’m distracted by other things at work, I don’t notice there are two configurable values in the file, and instead of changing SELINUX, I changed SELINUXTYPE. Which is where things get odd.
According to the docs, the only valid values for SELINUXTYPE are targeted and mls, but I set it to permissive. I don’t notice this, do my product install, and everything works, as expected. I go to set the config file back to default values, at which point I notice my error. Hrm, I think to myself. Looking in /var/log/audit/audit.log, there aren’t any errors for audit2allow to work off of. I put the config back to default, reboot the box, and miraculously, things are still working.
It’s hard to feel like I’ve really fixed the problem, but it sure doesn’t seem to still be occurring, so….
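A check for the SELINUX / SELINUXTYPE mix-up described above, as an added example that is not part of the original post. The function name and return codes are assumptions made for illustration, and the accepted SELINUXTYPE values are the two the post cites from the docs.

```sh
#!/bin/sh
# Added example: sanity-check the two settings in an SELinux config file.
# SELINUX takes a mode; SELINUXTYPE takes a policy name (the two values the
# post cites from the docs: targeted, mls).
# Returns 0 = ok, 1 = invalid value, 2 = unreadable file, 3 = mode in SELINUXTYPE.
check_selinux_config() {
    cfg=$1; mode=""; ptype=""; rc=0
    [ -r "$cfg" ] || { echo "cannot read $cfg"; return 2; }
    # Split each line on the first '='; comment lines never match a bare key.
    while IFS='=' read -r key value || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr -d '[:space:]')
        value=$(printf '%s' "$value" | tr -d '[:space:]')
        case $key in
            SELINUX)     mode=$value ;;
            SELINUXTYPE) ptype=$value ;;
        esac
    done < "$cfg"
    case $mode in
        enforcing|permissive|disabled) ;;
        "") echo "SELINUX is not set"; rc=1 ;;
        *)  echo "SELINUX=$mode is not a valid mode"; rc=1 ;;
    esac
    case $ptype in
        targeted|mls) ;;
        enforcing|permissive|disabled)
            echo "SELINUXTYPE=$ptype is a mode; it belongs in SELINUX (currently '$mode')"
            rc=3 ;;
        "") echo "SELINUXTYPE is not set"; rc=1 ;;
        *)  echo "SELINUXTYPE=$ptype is not targeted or mls"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample reproducing the edit described in the post.
demo=$(mktemp)
printf 'SELINUX=enforcing\nSELINUXTYPE=permissive\n' > "$demo"
check_selinux_config "$demo" || echo "exit status: $?"
rm -f "$demo"
```

Run it against /etc/selinux/config after editing and before rebooting; getenforce shows the mode the running system is actually in.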