Bug #50514 agent install fails on RH, fedora 12 where selinux checks for allow_execstack
Submitted: 21 Jan 2010 16:43
Modified: 30 Apr 2010 10:57
Reporter: Shannon Wade
Status: Closed
Category: MySQL Enterprise Monitor: Agent
Severity: S3 (Non-critical)
Version: 2.1.0.1096
OS: Linux (F12/64)
Assigned to: MySQL Verification Team
CPU Architecture: Any

[21 Jan 2010 16:43] Shannon Wade
Description:
In Fedora 12, SELinux now checks for allow_execstack by default.

When installing the agent with that enabled, you will get:

Error running /opt/mysql/enterprise/agent/bin/mysql-monitor-agent 
--defaults-file=/opt/mysql/enterprise/agent/etc/mysql-monitor-agent.ini 
--plugins=agent --agent-generate-uuid=true : 2010-01-20 18:07:14: (critical) 
loading module '/opt/mysql/enterprise/agent/lib/mysql-proxy/libagent.so' failed: 
libcrypto.so.0.9.8: cannot enable executable stack as shared object requires: 
Permission denied
2010-01-20 18:07:14: (critical) setting --plugin-dir=<dir> might help
2010-01-20 18:07:14: (critical) shutting down normally

Setting that flag with execstack -c /opt/mysql/enterprise/agent/lib/mysql-proxy/libcrypto.so.0.9.8 on just that file does not work, as the post-install wasn't completed. So while it does work around it, the agent still will not start due to the post-install failure.

So you have to override global checking for this with:

shell> setsebool -P allow_execstack 1

Delete the /opt/mysql/enterprise/agent directory, then re-install.

After install, though, you can then re-enable globally (allow_execstack=0), and disable just that flag with execstack -c /opt/mysql/enterprise/agent/lib/mysql-proxy/libcrypto.so.0.9.8

 

How to repeat:
Install Fedora 12 (SELinux is enabled by default). Try to install the agent. Get the error.

More info:
http://docs.fedoraproject.org/selinux-faq-fc5/
http://people.redhat.com/drepper/selinux-mem.html
http://linux.die.net/man/8/execstack
http://danwalsh.livejournal.com/13716.html
http://danwalsh.livejournal.com/6736.html

Suggested fix:
While the workaround is simple enough, if I understand this correctly, it seems this is something we can fix on our end by not having the execstack flag on the shared library.

http://danwalsh.livejournal.com/6736.html

# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be
# marked as not requiring an executable stack.

This eliminates the execstack flag on the shared library.

[2 Feb 2010 11:50] Kent Boortz
OpenSSL is now compiled with a patch that removes the execstack property
from the shared library

--- a/Makefile.shared.ORIG      2008-09-17 17:56:40.000000000 +0200
+++ b/Makefile.shared   2010-02-02 02:07:53.859011400 +0100
@@ -149,7 +149,7 @@
        SHLIB_SUFFIX=; \
        ALLSYMSFLAGS='-Wl,--whole-archive'; \
        NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-       SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+       SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-znoexecstack"
 
 DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
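Review bot: On the added -Wl,-znoexecstack in SHAREDFLAGS, the linker flag forces the stack marking of the finished shared library but leaves the assembler objects themselves unmarked, so it overrides the symptom rather than removing the cause. Anything else linked from those objects is not covered; the context line DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)" is unchanged, for example. Consider also passing -Wa,--noexecstack when assembling, as the report suggests, and confirm the result on the built libcrypto with execstack -q before packaging. A short comment next to the flag saying why it is there would help whoever next rebases this patch onto a newer Makefile.shared.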

[30 Apr 2010 10:57] MC Brown
A note has been added to the 2.1.1 changelog: 

        When installing &merlin_agent; on a Linux operating system
        using the SELinux security environment, the installation would
        fail if the <literal>allow_execstack</literal> option had been
        enabled.