Re: FC5: Problem with acroread and CISCO VPN

On Thursday 27 April 2006 09:50, Paul Howarth wrote: >>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as >>> well as acroread: >>> >>> [klaus.steinberger@noname ~]$ acroread >>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading >>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: >>> cannot restore segment prot after reloc: Permission denied >>> [klaus.steinberger@noname ~]$ >> after some googling I found following advice that worked for me to enable >> acroread again: >> >> 1. Start "System" > "Administration" > "Security Level and Firewall" >> 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility" >> 3. Tick the check box next to "Allow the use of shared libraries with >> Text Relocation". > A better fix is to label the acroread files correctly, which only > "opens" the protection for acroread and not every process on the system: > > I believe you need: > # chcon -t textrel_shlib_t \ > /usr/lib/acroread/Reader/intellinux/lib/*.so \ > /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \ > /usr/lib/acroread/Reader/intellinux/plug_ins/*.api I have checked that. As I am using the original RPM packets provided by Adobe the files are located in /usr/local/Adobe/Acrobat7.0/Reader/intellinux and a chcon -t textrel_shlib_t \ /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/*.so seems to be sufficient to run acroread and also use the plugin in Firefox. BTW, what are SPPlugins and plug_ins for?

However, thank you Paul for providing this more customized solution. I assume, that I only have to change the type context of the libraries distributed with the Cisco VPN client accordingly to run it with a "fully" enabled selinux.