Getting "shared libraries: libruby.so.1.9: cannot open shared object file" errors when executing ruby cgi script

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 6.5
  • Selinux-policy-3.7.19-93.el6.noarch

Issue

  • Getting "shared libraries: libruby.so.1.9" errors when executing ruby cgi script with SELinux in enforcing mode
[Thu Mar 06 12:06:48 2014] [error] [client 192.168.0.1] /opt/rh/ruby193/root/usr/bin/ruby: error while loading shared libraries: libruby.so.1.9: cannot open shared object file: No such file or directory, referer: http://sysadgears.uspto.gov/sysadgears-cgi/cfme-ruby-vm-storage.rb
  • Getting the below errors in audit.log file:
type=AVC msg=audit(1394201051.659:65666): avc:  denied  { rlimitinh } for  pid=6953 comm="cfme-ruby-vm-st" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1394201051.659:65666): avc:  denied  { siginh } for  pid=6953 comm="cfme-ruby-vm-st" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=AVC msg=audit(1394201051.659:65666): avc:  denied  { noatsecure } for  pid=6953 comm="cfme-ruby-vm-st" scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:system_r:httpd_sys_script_t:s0 tclass=process
type=SYSCALL msg=audit(1394201051.659:65666): arch=c000003e syscall=59 success=yes exit=0 a0=7fd33f027958 a1=7fd33f025520 a2=7fd33f0295f8 a3=7fffac583ee0 items=3 ppid=6391 pid=6953 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="cfme-ruby-vm-st" exe="/opt/rh/ruby193/root/usr/bin/ruby" subj=system_u:system_r:httpd_sys_script_t:s0 key=(null)
type=EXECVE msg=audit(1394201051.659:65666): argc=2 a0="/opt/rh/ruby193/root/usr/bin/ruby" a1="/var/www/html/sysadgears/cgi-bin/cfme-ruby-vm-stateinfo.rb"
type=EXECVE msg=audit(1394201051.659:65666): argc=1 a0="/opt/rh/ruby193/root/usr/bin/ruby"

Resolution

  • Update the SELinux-policy package to the latest version which includes many of the bug fixes https://access.redhat.com/errata/RHBA-2013:1598
  • This would be an indication of silent AVC denials due to the enabled dontaudit rules.
  • To disable, execute:
# semodule -DB
  • The current policy already includes these rules:
# sesearch -A -s httpd_t -t httpd_sys_script_t -c process -C
Found 7 semantic av rules:
ET allow httpd_t httpd_sys_script_t : process { transition sigkill sigstop signal } ; [ httpd_enable_cgi ]
DT allow httpd_t httpd_sys_script_t : process transition ; [ httpd_enable_cgi httpd_use_nfs && ]
DT allow httpd_t httpd_sys_script_t : process transition ; [ httpd_enable_cgi httpd_use_cifs && ]
DT allow httpd_t httpd_sys_script_t : process transition ; [ httpd_enable_cgi httpd_use_fusefs && ]
ET allow httpd_t httpd_sys_script_t : process transition ; [ httpd_enable_cgi httpd_unified && httpd_builtin_scripting && ]
DT allow httpd_t httpd_sys_script_t : process transition ; [ httpd_ssi_exec ]
DT allow httpd_t domain : process getpgid ; [ httpd_run_stickshift ]
  • SELinux transitions do not happen on partitions that are mounted with the nosuid flag. Removing the nosuid flag from the mount point should address the problem.
  • To execute the cgi scripts, following boolean's must be enabled.
# getsebool -a | egrep -i 'httpd_enable_cgi|httpd_unified|httpd_builtin_scripting'
httpd_builtin_scripting --> on
httpd_enable_cgi --> on
httpd_unified --> on
  • If the boolean's are not enabled, enable the boolean using:
# setsebool -P httpd_builtin_scripting on
# setsebool -P httpd_enable_cgi on
# setsebool -P httpd_unified on
  • Rebuild the policy and enable the dontaudit rules.
# semodule -B

Diagnostic Steps

  • Reproduce the issue in Permissive mode which will log any SELinux denials and provide updated AVC's.
# ausearch -i -m avc,user_avc -ts recent > ausearch.out

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments