Getting "shared libraries: libruby.so.1.9: cannot open shared object file" errors when executing ruby cgi script
Environment
- Red Hat Enterprise Linux 6.5
- Selinux-policy-3.7.19-93.el6.noarch
Issue
- Getting "shared libraries: libruby.so.1.9" errors when executing ruby cgi script with SELinux in enforcing mode
[Thu Mar 06 12:06:48 2014] [error] [client 192.168.0.1] /opt/rh/ruby193/root/usr/bin/ruby: error while loading shared libraries: libruby.so.1.9: cannot open shared object file: No such file or directory, referer: http://sysadgears.uspto.gov/sysadgears-cgi/cfme-ruby-vm-storage.rb
- Getting the below errors in the audit.log file:
type=AVC msg=audit(1394201051.659:65666): avc: denied { rlimitinh } for pid=6953 comm="cfme-ruby-vm-st" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1394201051.659:65666): avc: denied { siginh } for pid=6953 comm="cfme-ruby-vm-st" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1394201051.659:65666): avc: denied { noatsecure } for pid=6953 comm="cfme-ruby-vm-st" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=SYSCALL msg=audit(1394201051.659:65666): arch=c000003e syscall=59 success=yes exit=0 a0=7fd33f027958 a1=7fd33f025520 a2=7fd33f0295f8 a3=7fffac583ee0 items=3 ppid=6391 pid=6953 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cfme-ruby-vm-st" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=EXECVE msg=audit(1394201051.659:65666): argc=2 a0="/opt/rh/ruby193/root/usr/bin/ruby" a1="/var/www/html/sysadgears/cgi-bin/cfme-ruby-vm-stateinfo.rb"
type=EXECVE msg=audit(1394201051.659:65666): argc=1 a0="/opt/rh/ruby193/root/usr/bin/ruby"
Resolution
- Update the selinux-policy package to the latest version, which includes many bug fixes: https://access.redhat.com/errata/RHBA-2013:1598
- The denials above are an indication of AVC denials that are normally silent because of the enabled dontaudit rules. To disable the dontaudit rules, execute:
# semodule -DB
- The current policy already includes these rules:
# sesearch -A -s httpd_t -t httpd_sys_script_t -c process -C
Found 7 semantic av rules:
ET allow httpd_t httpd_sys_script_t : process { transition sigkill sigstop signal } ; [ httpd_enable_cgi ]
DT allow httpd_t httpd_sys_script_t : process transition ; [ httpd_enable_cgi httpd_use_nfs && ]
DT allow httpd_t httpd_sys_script_t : process transition ; [ httpd_enable_cgi httpd_use_cifs && ]
DT allow httpd_t httpd_sys_script_t : process transition ; [ httpd_enable_cgi httpd_use_fusefs && ]
ET allow httpd_t httpd_sys_script_t : process transition ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
DT allow httpd_t httpd_sys_script_t : process transition ; [ httpd_ssi_exec ]
DT allow httpd_t domain : process getpgid ; [ httpd_run_stickshift ]
- SELinux domain transitions do not happen on partitions that are mounted with the nosuid flag. Removing the nosuid flag from the mount point holding the script should address the problem.
- To execute the cgi scripts, the following booleans must be enabled:
# getsebool -a | egrep -i 'httpd_enable_cgi|httpd_unified|httpd_builtin_scripting'
httpd_builtin_scripting --> on
httpd_enable_cgi --> on
httpd_unified --> on
- If the booleans are not enabled, enable them using:
# setsebool -P httpd_builtin_scripting on
# setsebool -P httpd_enable_cgi on
# setsebool -P httpd_unified on
- Rebuild the policy and enable the dontaudit rules.
# semodule -B
- Also, update the ruby package to the latest version: https://access.redhat.com/errata/RHSA-2014:0011
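As an added example that is not part of this solution, a POSIX sh script that checks the three conditions the Resolution names, offline: whether the script path sits on a nosuid mount (longest-prefix mount point from /proc/mounts), which of the three required booleans are off, and which logged AVC denials are only the dontaudit rules having been disabled. The mount table, getsebool output and audit lines are constructed sample inputs.

```shell
# Offline checks for the three conditions named in this solution: the CGI script sitting
# on a nosuid mount (no httpd_t -> httpd_sys_script_t transition there), a required httpd
# boolean that is off, and AVC denials that are only dontaudit noise after `semodule -DB`.
# Sample data is constructed; on a real host feed /proc/mounts, `getsebool -a` and audit.log.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /var ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda3 /opt ext4 rw,relatime 0 0'
SAMPLE_BOOLS='httpd_builtin_scripting --> on
httpd_enable_cgi --> off
httpd_unified --> on'
SAMPLE_AUDIT='type=AVC msg=audit(1394201051.659:65666): avc: denied { rlimitinh } for pid=6953 comm="cfme-ruby-vm-st" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1394201051.659:65666): avc: denied { siginh } for pid=6953 comm="cfme-ruby-vm-st" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1394201051.659:65666): avc: denied { noatsecure } for pid=6953 comm="cfme-ruby-vm-st" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=SYSCALL msg=audit(1394201051.659:65666): arch=c000003e syscall=59 success=yes exit=0 comm="cfme-ruby-vm-st" exe="/opt/rh/ruby193/root/usr/bin/ruby"'

# mount_for PATH MOUNTS: print "<mountpoint> <options>" of the longest mount point that prefixes PATH
mount_for() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $2 == "/" || index(p "/", $2 "/") == 1 { if (length($2) > length(best)) { best = $2; opts = $4 } }
        END { print best " " opts }'
}

# nosuid_check PATH MOUNTS: succeed and name the mount if PATH lives on a nosuid mount, else fail
nosuid_check() {
    set -- "$(mount_for "$1" "$2")"
    case ",${1#* }," in
        *,nosuid,*) echo "nosuid: ${1%% *}"; return 0 ;;
        *) return 1 ;;
    esac
}

# missing_booleans GETSEBOOL_OUTPUT: print each boolean the CGI path needs that is not "on"
missing_booleans() {
    for b in httpd_builtin_scripting httpd_enable_cgi httpd_unified; do
        printf '%s\n' "$1" | grep -qx "$b --> on" || echo "$b"
    done
}

# noisy_avcs AUDIT_LOG: print denied permissions that the policy normally dontaudits;
# these do not explain the failure and go quiet again after `semodule -B`
noisy_avcs() {
    printf '%s\n' "$1" | awk '/^type=AVC / && /denied/ {
        match($0, /\{ [^}]* \}/); perm = substr($0, RSTART + 2, RLENGTH - 4)
        if (perm ~ /^(rlimitinh|siginh|noatsecure)$/) print perm }'
}

nosuid_check /var/www/html/sysadgears/cgi-bin/cfme-ruby-vm-stateinfo.rb "$SAMPLE_MOUNTS" || echo "no nosuid mount"
missing_booleans "$SAMPLE_BOOLS"
noisy_avcs "$SAMPLE_AUDIT"
```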
Diagnostic Steps
- Reproduce the issue in Permissive mode, which will log any SELinux denials and provide updated AVCs:
# ausearch -i -m avc,user_avc -ts recent > ausearch.out
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.