SELinux: cannot restore segment prot after reloc: Permission denied

Question

We are testing our application in SELinux environment. Now, we are getting the following error:

dlopen failed to load libFoo.so -libFoo.so: cannot restore segment prot after reloc: Permission denied

As far as I understand from my searches, this is related to relocations in .text section in the shared library. As far as I can see, we are already using -fPIC for all of our shared libraries. Though there are possibly some static libraries also linked into those shared libraries.

How can I find out what relocations/symbols are causing this error to pop up? What should I look for in nm or objdump -rR output for the shared library?

Or am I fishing for wrong information and the problem lies somewhere else than the produced relocations in the shared library?

Answer 1

I have found this: http://akkadia.org/drepper/textrelocs.html, which basically boils down to a suggestion to use eu-findtextrel to see what text relocations do exist. Recompiling affected libraries with -fPIC then fixes the problem.

Answer 2

I thought this was good advice because it did not set SELinux to permissive mode.

You can also from here.

chcon -t texrel_shlib_t <lib>

So for instance

chcon -t texrel_shlib_t libmylib.so

But, this is still getting around SELinux so -fPIC is the way to do it. I had some problems because I incorrectly put -fPIC in in the linker flags. -fPIC is a compiler option!