
January 14, 2007

Installing Third Party Libraries on Fedora

SELinux on Fedora has matured greatly over the last couple of years. Once in a while, however, I run into a problem. Here's a solution to one you may encounter.

I recently downloaded and tested a proprietary, third-party extension for Ruby called "Uncharted". When I tried to run its example scripts, I got the error "cannot restore segment prot after reloc: Permission denied". Looking at /var/log/messages, it was obvious that SELinux was the source of the permission denied: the dynamic loader had to patch the library's code pages in place (a text relocation) and then restore their protection, and the policy refused.

People unfamiliar with SELinux would probably just turn it off at this point. Hopefully you, my gentle reader, have been getting more comfortable with SELinux and would instead try the same thing I tried first:

chcon --reference=/usr/lib/<SOME_RANDOM_LIBRARY> *.so

This didn't solve my problem: most libraries in /usr/lib are labelled with type lib_t, and lib_t does not grant the permission the loader was being denied. Some googling turned up a solution that did work:

chcon -u system_u -r object_r -t textrel_shlib_t *.so

But wait! Before you try this yourself, please read what I discovered.

Curious about the implications of the textrel_shlib_t type, I did some more research and came across an email with links to documentation by Ulrich Drepper:

I was impressed by how well written the information was. I've included below the conclusion of the second link because I feel it is important:

Using eu-findtextrel it is in most situations relatively painless to determine the culprit(s) for the text relocations easily. There is usually no reason not to fix the problems. While a program with text relocations can be made to run by relaxing the SELinux security, this is a bad idea. The kind of permissions which have to be granted to the program create a gaping hole in the security policy. Attackers will be able to modify the memory as well. If this is not the case, a program can enforce a strict W^X policy, i.e., no memory page is writable and executable at the same time. And more: SELinux can also enforce that no writable page can be marked as read/exec-only. With these provisions an attacker has no room where to place his/her exploit code. This is a huge win. So, always fix all text relocations. We've made it as easy as possible.
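As an added example (not from the original post, and not Uncharted's code), here is a small POSIX shell script that does the triage this post walks through: read the denial out of the log, confirm the library really carries text relocations, and, only if the library has to stay, relabel it in a way that survives a filesystem relabel. The AVC line and the readelf output embedded in it are constructed samples, not real captures; example.so, the host name fc6 and the pid/inode numbers are placeholders; readelf (binutils), semanage and restorecon (policycoreutils) are assumed to be installed.

```shell
#!/bin/sh
# Added example, not code from the original post or from Uncharted.
# Triage for the "cannot restore segment prot after reloc" failure:
#   1. confirm from the log that the denial is execmod on a lib_t library,
#   2. confirm the library really carries text relocations,
#   3. if it must be kept, relabel it persistently (semanage + restorecon)
#      rather than with a bare chcon, which the next relabel would undo.
# Assumes Fedora with readelf (binutils), semanage and restorecon
# (policycoreutils). All paths and sample lines below are hypothetical.

# Print "<permission> <target type>" for an AVC denial line in either the
# syslog (/var/log/messages) or audit.log format; return 1 for any other line.
avc_denial() {
    printf '%s\n' "$1" | grep -q 'avc:[[:space:]]*denied' || return 1
    perm=$(printf '%s\n' "$1" |
        sed -n 's/.*avc:[[:space:]]*denied[[:space:]]*[{][[:space:]]*\([a-z_]*\).*/\1/p')
    ttype=$(printf '%s\n' "$1" |
        sed -n 's/.*tcontext=[^: ]*:[^: ]*:\([^: ]*\).*/\1/p')
    printf '%s %s\n' "$perm" "$ttype"
}

# True for exactly the case this post is about: the loader was denied
# execmod on a library still carrying the generic lib_t type.
needs_textrel_label() {
    [ "$(avc_denial "$1")" = "execmod lib_t" ]
}

# True when `readelf -d` output shows text relocations, either as a DT_TEXTREL
# entry (older toolchains) or as the TEXTREL bit in DT_FLAGS (newer ones).
readelf_has_textrel() {
    printf '%s\n' "$1" | grep -Eq '\(TEXTREL\)|\(FLAGS\).*TEXTREL'
}

# Same check against a real file on disk.
lib_has_textrel() {
    readelf_has_textrel "$(readelf -d "$1" 2>/dev/null)"
}

# Persistent relabel. The chcon in the post works only until the next
# relabel (restorecon, fixfiles, autorelabel); recording the rule keeps it.
label_textrel_lib() {
    semanage fcontext -a -t textrel_shlib_t "$1" && restorecon -v "$1"
}

# Constructed sample inputs (not real captures), in the formats FC6 produced.
SAMPLE_AVC='Jan 14 10:23:41 fc6 kernel: audit(1168770221.127:42): avc:  denied  { execmod } for  pid=4321 comm="ruby" name="example.so" dev=hda2 ino=98765 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file'
SAMPLE_READELF_TEXTREL=' 0x00000001 (NEEDED)   Shared library: [libc.so.6]
 0x00000016 (TEXTREL)  0x0
 0x0000001e (FLAGS)    TEXTREL'
SAMPLE_READELF_CLEAN=' 0x00000001 (NEEDED)   Shared library: [libc.so.6]
 0x0000000e (SONAME)   Library soname: [example.so]'

echo "denial: $(avc_denial "$SAMPLE_AVC")"
readelf_has_textrel "$SAMPLE_READELF_TEXTREL" && echo "sample 1: TEXTREL present"
readelf_has_textrel "$SAMPLE_READELF_CLEAN" || echo "sample 2: no TEXTREL"

# With library paths as arguments, check real files. Labels are left alone;
# call label_textrel_lib yourself once you have decided the library must stay.
for lib in "$@"; do
    if lib_has_textrel "$lib"; then
        echo "$lib: has text relocations; rebuild with -fPIC, or relabel"
        ls -Z "$lib"
    else
        echo "$lib: no TEXTREL; the execmod denial comes from something else"
    fi
done
```

readelf -d only tells you that the DT_TEXTREL flag is set; eu-findtextrel from elfutils, which Drepper mentions, goes further and names the object files and functions responsible, which is what you need when you can rebuild with -fPIC. The script deliberately never calls label_textrel_lib on its own: relabelling is the fallback for code you cannot rebuild, and as the quoted passage explains it hands any attacker who gets a write primitive in that process a page that can be made executable again.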

Unfortunately, this is one of the disadvantages of using proprietary software. If Uncharted were F/OSS, I could do the work myself and submit a patch to the developers. Because it is proprietary, I can only file a bug report and hope the issue gets fixed. Which is a real shame, because I'd like to be able to recommend their product. Until this important issue is fixed, however, I don't feel I can.

Update: Less than 12 hours after I contacted them, the creators of Uncharted got back to me with a correctly compiled version of their product. As you might be able to guess from the name, Uncharted is a charting library with bindings for Ruby, Java, Perl, Python, PHP, and C++. Although their API feels like Java with a Ruby wrapper, I'm impressed by how quickly they responded to my report. If you're looking for a charting library, give Uncharted a try.