Environment:
Oracle Linux 5.2 32bit
Oracle Database 11g 11.1.0.7.0
Symptom:
Running sqlplus fails with:
sqlplus: error while loading shared libraries: $ORACLE_HOME/lib/libnnz11.so: cannot restore segment prot after reloc: Permission denied
Resolution:
# tail -f /var/log/messages
Sep 12 12:50:33 node1 setroubleshoot: SELinux is preventing sqlplus from loading /u01/app/oracle/product/11.1.0/dbhome_1/lib/libnnz11.so which requires text relocation. For complete SELinux messages. run sealert -l 3485ff82-7fb5-4150-b246-2dd3e2cf679e
Following the hint in the log, run:
# sealert -l 3485ff82-7fb5-4150-b246-2dd3e2cf679e
This gives more detail:

Summary:

SELinux is preventing sqlplus from loading
/u01/app/oracle/product/11.1.0/dbhome_1/lib/libnnz11.so which requires text
relocation.

Detailed Description:

The sqlplus application attempted to load
/u01/app/oracle/product/11.1.0/dbhome_1/lib/libnnz11.so which requires text
relocation. This is a potential security problem. Most libraries do not need
this permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/u01/app/oracle/product/11.1.0/dbhome_1/lib/libnnz11.so to use relocation as a
workaround, until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /u01/app/oracle/product/11.1.0/dbhome_1/lib/libnnz11.so to run
correctly, you can change the file context to textrel_shlib_t. "chcon -t
textrel_shlib_t '/u01/app/oracle/product/11.1.0/dbhome_1/lib/libnnz11.so'" You
must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/u01/app/oracle/product/11.1.0/dbhome_1/lib/libnnz11.so'"

The following command will allow this access:

chcon -t textrel_shlib_t '/u01/app/oracle/product/11.1.0/dbhome_1/lib/libnnz11.so'

Additional Information:

Source Context                user_u:system_r:unconfined_t
Target Context                user_u:object_r:default_t
Target Objects                /u01/app/oracle/product/11.1.0/dbhome_1/lib/libnnz11.so [ file ]
Source                        sqlplus
Source Path                   /u01/app/oracle/product/11.1.0/dbhome_1/bin/sqlplus
Port
Host                          node1.ocm.com
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-2.4.6-137.el5
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     node1.ocm.com
Platform                      Linux node1.ocm.com 2.6.18-92.el5PAE #1 SMP Fri May 23 22:26:05 EDT 2008 i686 i686
Alert Count                   2
First Seen                    Fri Sep 12 12:47:19 2014
Last Seen                     Fri Sep 12 12:50:31 2014
Local ID                      3485ff82-7fb5-4150-b246-2dd3e2cf679e
Line Numbers

Raw Audit Messages

host=node1.ocm.com type=AVC msg=audit(1410497431.868:19): avc: denied { execmod } for pid=7697 comm="sqlplus" path="/u01/app/oracle/product/11.1.0/dbhome_1/lib/libnnz11.so" dev=dm-0 ino=8647328 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file
host=node1.ocm.com type=SYSCALL msg=audit(1410497431.868:19): arch=40000003 syscall=125 success=no exit=-13 a0=308000 a1=184000 a2=5 a3=bf9df450 items=0 ppid=7671 pid=7697 auid=500 uid=500 gid=12000 euid=500 suid=500 fsuid=500 egid=12000 sgid=12000 fsgid=12000 tty=pts1 ses=2 comm="sqlplus" exe="/u01/app/oracle/product/11.1.0/dbhome_1/bin/sqlplus" subj=user_u:system_r:unconfined_t:s0 key=(null)

Working through the advice above, and the follow-up alerts that appeared after each fix, run the following commands:
$ chcon -t textrel_shlib_t '/u01/app/oracle/product/11.1.0/dbhome_1/lib/libnnz11.so'
$ chcon -t textrel_shlib_t '/u01/app/oracle/product/11.1.0/dbhome_1/lib/libclntsh.so.11.1'
$ chcon -t textrel_shlib_t '/u01/app/oracle/product/11.1.0/dbhome_1/lib/libsqlplus.so'
$ chcon -t textrel_shlib_t '/u01/app/oracle/product/11.1.0/dbhome_1/lib/libnque11.so'
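
The alerts above surface one library at a time. As an added example (not part of the original post), this script collects every file named in an execmod denial in one pass and prints both the chcon command and the semanage fcontext command that the sealert text says is needed to survive a relabel. The function names are hypothetical and the audit records are constructed samples modelled on the record above.

```sh
#!/bin/sh
# Added example: list files named in SELinux execmod denials and print the
# labelling commands for each. It only prints; it changes nothing on the system.

# Constructed sample records, modelled on the AVC record shown on the page.
sample_audit_log() {
cat <<'EOF'
type=AVC msg=audit(1410497431.868:19): avc: denied { execmod } for pid=7697 comm="sqlplus" path="/u01/app/oracle/product/11.1.0/dbhome_1/lib/libnnz11.so" dev=dm-0 ino=8647328 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file
type=SYSCALL msg=audit(1410497431.868:19): arch=40000003 syscall=125 success=no exit=-13 comm="sqlplus" exe="/u01/app/oracle/product/11.1.0/dbhome_1/bin/sqlplus"
type=AVC msg=audit(1410497431.900:20): avc: denied { execmod } for pid=7697 comm="sqlplus" path="/u01/app/oracle/product/11.1.0/dbhome_1/lib/libnnz11.so" dev=dm-0 ino=8647328 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1410497500.100:21): avc: denied { execmod } for pid=7710 comm="sqlplus" path="/u01/app/oracle/product/11.1.0/dbhome_1/lib/libclntsh.so.11.1" dev=dm-0 ino=1111111 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:default_t:s0 tclass=file
type=AVC msg=audit(1410497600.200:22): avc: denied { read } for pid=7800 comm="cat" path="/tmp/constructed.txt" dev=dm-0 ino=2222222 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:tmp_t:s0 tclass=file
EOF
}

# Read audit records on stdin; print each distinct file denied execmod, once.
# Only quoted path="..." values are handled; hex-encoded paths are skipped.
execmod_paths() {
    grep 'avc: *denied *{[^}]* execmod ' |
        grep 'tclass=file' |
        sed -n 's/.* path="\([^"]*\)".*/\1/p' |
        sort -u
}

# Turn paths on stdin into the two commands quoted in the sealert text:
# chcon relabels the file now, semanage records the label so that a full
# relabel keeps it. Paths containing a single quote are not supported.
label_commands() {
    while IFS= read -r p; do
        printf "chcon -t textrel_shlib_t '%s'\n" "$p"
        printf "semanage fcontext -a -t textrel_shlib_t '%s'\n" "$p"
    done
}

# Demo on the constructed records; on a real host, feed the audit log instead.
sample_audit_log | execmod_paths | label_commands
```

Review the printed paths before running any of the commands: each one marks a library as trusted to perform text relocation.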
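Turning off SELinux enforcement also resolves the problem, for the whole system rather than just these libraries:
# getenforce
Enforcing
# setenforce 0
# getenforce
Permissive
SELinux can also be disabled permanently:
# vim /etc/sysconfig/selinux
SELINUX=disabled
Appendix: the three SELinux modes:
- enforcing: checks SELinux policy rules and enforces them
- permissive: checks SELinux policy rules but does not enforce them; it raises warnings instead
- disabled: SELinux is turned off completely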
From the ITPUB blog, link: http://blog.itpub.net/24644775/viewspace-1268413/. If you repost this, please credit the source; otherwise legal liability will be pursued.