I tried that command and it came out with an error -<br> >[root@host ~]# chcon -t textrel_shlib_t /opt/cisco-vpnclient/lib/libvpnapi.so<br> > chcon: failed to change context of >/opt/cisco-vpnclient/lib/libvpnapi.so to root:object_r:textrel_shlib_t: Invalid argument<br> and later again on Paul's advice I also ran the command<br> # setsebool -P allow_execmod 1<br> which did not work either.<br> <br> Thanks<br> shyam<br><br><b><i>Daniel J Walsh <dwalsh@redhat.com></i></b> wrote:<blockquote class="replbq" style="border-left: 2px solid rgb(16, 16, 255); margin-left: 5px; padding-left: 5px;"> yukku yukkoooooo wrote:<br>> Hi,<br>> I am running on FC4 and I installed Cisco VPN client software, <br>> however when I run vpnclient I am getting the error message :<br>> "vpnclient: error while loading shared libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot after reloc: Permission denied"<br>This is strange.<br><br>Have you
tried<br><br>chcon -t textrel_shlib_t /opt/cisco-vpnclient/lib/libvpnapi.so<br>> Friendly neighbourhood Paul Howarth correctly guessed it to be related <br>> to SELinux.<br>> I am able to run the vpnclient by disabling the SELinux using<br>> setenforce 0<br>> The chcon command did not work (apparently it is not supposed to work <br>> in FC4)<br>> I get an error message "type=AVC msg=audit(1147460693.437:11955217): <br>> avc: denied { execmod } "<br>> if I disable selinux and run the vpnclient command.<br>> > Paul Howarth wrote :<br>> > > The memory checks are present in FC4 but disabled by default. It <br>> > > appears<br>> > > that they have somehow been enabled on your system.<br>> This should fix <br>> it:<br>> > > # setsebool -P allow_execmod 1<br>> > <br>> > I gave this command and it still does not work with<br>> > SELinux. So I dug a little bit and gave the command<br>>
> # getsebool -a | less<br>> > and I got a long output of which I took the ones that might<br>> > make sense to you -<br>> > allow_execmem --> active<br>> > allow_execmod --> active<br>> > allow_execstack --> active<br>> > allow_kerberos --> active<br>> > allow_write_xshm --> active<br>> > allow_ypbind --> active<br>> >> There's something very weird going on there. allow_execmod should do<br>> >> what it says. I'd try asking about this on fedora-selinux-list,<br>><br>> setsebool with execmod is not working either.<br>> I have attached the relevant files as well. Any ideas ?<br>> This should give you an idea of the SELinux version<br>> > selinux-doc-1.19.5-1.noarch.rpm<br>> ><br>> selinux-policy-strict-1.23.16-6.noarch.rpm<br>> > selinux-policy-targeted-1.23.16-6.noarch.rpm<br>><br>> Thanks<br>> Newbie Yukku<br>><br>> <br>><br>>
------------------------------------------------------------------------<br>> New Yahoo! Messenger with Voice. Call regular phones from your PC <br>> <http: //us.rd.yahoo.com/mail_us/taglines/postman5/*http://us.rd.yahoo.com/evt="39666/*http://messenger.yahoo.com"> <br>> and save big.<br>> ------------------------------------------------------------------------<br>><br>> type=SYSCALL msg=audit(1147715609.949:3621791): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bfc7b7b8 a2=1 a3=bfc7b7b8 items=0 pid=4330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="setenforce" exe="/usr/sbin/setenforce"<br>> type=AVC msg=audit(1147715609.949:3621791): avc: granted { setenforce } for pid=4330 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security<br>> type=AVC_PATH msg=audit(1147715612.195:3634219): path="/opt/cisco-vpnclient/lib/libvpnapi.so"<br>> type=SYSCALL
msg=audit(1147715612.195:3634219): arch=40000003 syscall=125 per=400000 success=yes exit=0 a0=9be000 a1=41000 a2=5 a3=bfd74540 items=0 pid=4332 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="vpnclient" exe="/opt/cisco-vpnclient/bin/vpnclient"<br>> type=AVC msg=audit(1147715612.195:3634219): avc: denied { execmod } for pid=4332 comm="vpnclient" name=libvpnapi.so dev=hda3 ino=32474 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file<br>> <br>> ------------------------------------------------------------------------<br>><br>> SELinux status: enabled<br>> SELinuxfs mount: /selinux<br>> Current mode: enforcing<br>> Mode from config file: enforcing<br>> Policy version: 19<br>> Policy from config file: targeted<br>><br>> Policy booleans:<br>> NetworkManager_disable_trans
inactive<br>> allow_execmem active<br>> allow_execmod active<br>> allow_execstack active<br>> allow_kerberos active<br>> allow_write_xshm inactive<br>> allow_ypbind inactive<br>> apmd_disable_trans inactive<br>> arpwatch_disable_trans inactive<br>> auditd_disable_trans inactive<br>> bluetooth_disable_trans inactive<br>> canna_disable_trans inactive<br>> cardmgr_disable_trans inactive<br>> comsat_disable_trans inactive<br>> cupsd_config_disable_trans inactive<br>> cupsd_disable_trans inactive<br>> cvs_disable_trans inactive<br>> cyrus_disable_trans inactive<br>> dbskkd_disable_trans inactive<br>> dhcpc_disable_trans inactive<br>> dhcpd_disable_trans
inactive<br>> dovecot_disable_trans inactive<br>> fingerd_disable_trans inactive<br>> ftp_home_dir active<br>> ftpd_disable_trans inactive<br>> ftpd_is_daemon active<br>> hald_disable_trans inactive<br>> hotplug_disable_trans inactive<br>> howl_disable_trans inactive<br>> httpd_builtin_scripting active<br>> httpd_can_network_connect inactive<br>> httpd_disable_trans inactive<br>> httpd_enable_cgi active<br>> httpd_enable_homedirs active<br>> httpd_ssi_exec active<br>> httpd_suexec_disable_trans inactive<br>> httpd_tty_comm inactive<br>> httpd_unified active<br>> i18n_input_disable_trans inactive<br>> inetd_child_disable_trans inactive<br>> inetd_disable_trans inactive<br>>
innd_disable_trans inactive<br>> kadmind_disable_trans inactive<br>> klogd_disable_trans inactive<br>> krb5kdc_disable_trans inactive<br>> ktalkd_disable_trans inactive<br>> lpd_disable_trans inactive<br>> mysqld_disable_trans inactive<br>> named_disable_trans inactive<br>> named_write_master_zones inactive<br>> nfs_export_all_ro active<br>> nfs_export_all_rw active<br>> nmbd_disable_trans inactive<br>> nscd_disable_trans inactive<br>> ntpd_disable_trans inactive<br>> portmap_disable_trans inactive<br>> postgresql_disable_trans inactive<br>> pppd_disable_trans inactive<br>> pppd_for_user inactive<br>> privoxy_disable_trans inactive<br>> ptal_disable_trans inactive<br>>
radiusd_disable_trans inactive<br>> radvd_disable_trans inactive<br>> read_default_t active<br>> rlogind_disable_trans inactive<br>> rsync_disable_trans inactive<br>> samba_enable_home_dirs inactive<br>> saslauthd_disable_trans inactive<br>> slapd_disable_trans inactive<br>> smbd_disable_trans inactive<br>> snmpd_disable_trans inactive<br>> squid_connect_any inactive<br>> squid_disable_trans inactive<br>> stunnel_disable_trans inactive<br>> stunnel_is_daemon inactive<br>> syslogd_disable_trans inactive<br>> system_dbusd_disable_trans inactive<br>> telnetd_disable_trans inactive<br>> tftpd_disable_trans inactive<br>> udev_disable_trans inactive<br>> use_nfs_home_dirs inactive<br>>
use_samba_home_dirs inactive<br>> uucpd_disable_trans inactive<br>> winbind_disable_trans inactive<br>> ypbind_disable_trans inactive<br>> ypserv_disable_trans inactive<br>> zebra_disable_trans inactive<br>> <br>> ------------------------------------------------------------------------<br>><br>> --<br>> fedora-selinux-list mailing list<br>> fedora-selinux-list@redhat.com<br>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list<br><br></http:></blockquote><br><p>
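The denial in the attached audit log, worked through as an added example that is not part of the original thread: this Python script groups the audit records by event ID and reports which file type the `execmod` check was made against. The log lines are the ones quoted in the thread; the function name and the output field names are choices made for this example.

```python
import re
from collections import defaultdict

# Records copied from the audit log quoted in the thread above.
AUDIT_LOG = '''\
type=AVC msg=audit(1147715609.949:3621791): avc: granted { setenforce } for pid=4330 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
type=AVC_PATH msg=audit(1147715612.195:3634219): path="/opt/cisco-vpnclient/lib/libvpnapi.so"
type=SYSCALL msg=audit(1147715612.195:3634219): arch=40000003 syscall=125 per=400000 success=yes exit=0 a0=9be000 a1=41000 a2=5 a3=bfd74540 items=0 pid=4332 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="vpnclient" exe="/opt/cisco-vpnclient/bin/vpnclient"
type=AVC msg=audit(1147715612.195:3634219): avc: denied { execmod } for pid=4332 comm="vpnclient" name=libvpnapi.so dev=hda3 ino=32474 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
'''

HEADER = re.compile(r'type=(\S+) msg=audit\(([\d.]+:\d+)\): (.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
VERDICT = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}')

def parse_denials(log_text):
    """Group records by audit event id and summarise each AVC denial."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == 'AVC':
            verdict = VERDICT.search(body)
            if not verdict:
                continue
            fields['verdict'] = verdict.group(1)
            fields['perms'] = verdict.group(2).split()
        events[event_id][rtype] = fields
    denials = []
    for event_id, recs in events.items():
        avc = recs.get('AVC')
        if not avc or avc['verdict'] != 'denied':
            continue
        sc = recs.get('SYSCALL', {})
        denials.append({
            'event': event_id,
            'perms': avc['perms'],
            'exe': sc.get('exe'),
            'path': recs.get('AVC_PATH', {}).get('path', avc.get('name')),
            'source_type': avc['scontext'].split(':')[2],
            'target_type': avc['tcontext'].split(':')[2],
            'syscall_success': sc.get('success'),  # 'yes' = logged, not blocked
        })
    return denials

if __name__ == '__main__':
    print(*parse_denials(AUDIT_LOG), sep='\n')
```

On the thread's log this reports an `execmod` denial for `unconfined_t` against a file still labelled `usr_t`. The `syscall_success` value of `yes` next to a denial means the access was logged rather than blocked, which matches the poster's description of capturing the message after `setenforce 0`.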