[DSE-Dev] SELinux prevents service from loading shared libraries -- no corresponding audit messages
Christopher-A. Kopel
kopel at student.tugraz.at
Thu May 31 17:34:47 BST 2018
Hi all!
I'm trying to write an SELinux policy module for a special piece of
software -- several services for an embedded system (the software is
proprietary by the device manufacturer, so not publicly available or
documented). I already managed to eliminate all "denied" messages in
audit.log by corresponding allow rules or interface calls. However, when
setting SELinux to enforcing mode, the services don't start, and the
following error message is shown:
"error while loading shared libraries: [library name]: cannot open
shared object file: Permission denied"
The library name is one of the libraries that belong to the software.
What really confuses me is that, when trying in permissive mode, there
is no error message at all in the audit.log anymore. When trying in
enforcing mode and the error occurs, all I can find in the audit.log is
many denied attempts by the blocked service to search the root dir,
which doesn't make any sense to me at all.
I checked file contexts and my policy rules several times; all should be
right. Maybe it could be related to text relocation of the libraries: I
labelled all files temporarily to user_home_t in order to bypass all
restrictions, and when I then tried starting the services in enforcing
mode I got the different error message:
"error while loading shared libraries: [library name]: cannot restore
segment prot after reloc: Permission denied"
environment: Debian 9, kernel 4.9.82 x64, SELinux default policy, no MLS
or MCS, "unconfined" module disabled
Does anyone have any idea what could cause the problem or where
else to look for any denied accesses?
Thank you very much in advance for any help!
Cheers,
Chris
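As an added example (not part of the original post), a small shell diagnostic for this situation: `semodule -DB` rebuilds the loaded policy with dontaudit rules disabled, so denials that the policy silences reach audit.log, and `summarise_avc` condenses the resulting AVC records into counts per permission and source/target type pair. The unit name in SERVICE, the library path and the audit lines in SAMPLE are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Two parts:
#  1) diagnose: rebuild the policy with dontaudit rules disabled so that
#     silenced denials are logged, reproduce the failing start, summarise
#     the AVC records, then restore the dontaudit rules.
#  2) summarise_avc: condense AVC lines into "count perms source -> target (class)".
# SERVICE and the lines in SAMPLE are constructed placeholders.
set -eu

SERVICE="${SERVICE:-vendor-svc.service}"   # placeholder unit name

# Read audit records on stdin; print one line per distinct denial tuple.
summarise_avc() {
    awk '/avc: +denied/ {
        perms = $0
        sub(/.*denied *[{] */, "", perms); sub(/ *[}].*/, "", perms)
        gsub(/ +/, ",", perms)            # "read open" -> "read,open"
        s = "?"; t = "?"; c = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split(substr($i, 10), a, ":"); s = a[3] }
            if ($i ~ /^tcontext=/) { split(substr($i, 10), a, ":"); t = a[3] }
            if ($i ~ /^tclass=/)   { c = substr($i, 8) }
        }
        count[perms " " s " -> " t " (" c ")"]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Run on the target host as root; needs policycoreutils and auditd.
diagnose() {
    semodule -DB                                  # disable dontaudit rules
    systemctl restart "$SERVICE" || true          # reproduce the failure
    ausearch -m AVC -ts recent | summarise_avc
    semodule -B                                   # re-enable dontaudit rules
}

# Constructed sample: two root-dir searches plus an execmod denial, the
# permission a library needing text relocation must be allowed on its
# file type (refpolicy labels such libraries textrel_shlib_t).
SAMPLE='type=AVC msg=audit(1527783000.100:11): avc:  denied  { search } for  pid=10 comm="svc" name="/" dev="sda1" ino=2 scontext=system_u:system_r:svc_t tcontext=system_u:object_r:root_t tclass=dir permissive=0
type=AVC msg=audit(1527783000.101:12): avc:  denied  { search } for  pid=10 comm="svc" name="/" dev="sda1" ino=2 scontext=system_u:system_r:svc_t tcontext=system_u:object_r:root_t tclass=dir permissive=0
type=AVC msg=audit(1527783000.102:13): avc:  denied  { execmod } for  pid=10 comm="svc" path="/opt/vendor/lib/libplaceholder.so" dev="sda1" ino=99 scontext=system_u:system_r:svc_t tcontext=system_u:object_r:lib_t tclass=file permissive=0'

printf '%s\n' "$SAMPLE" | summarise_avc
```

On the real host, call `diagnose` instead of the sample run; the same summariser also works on a saved copy of audit.log via `summarise_avc < /var/log/audit/audit.log`.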