Stephan Groß wrote:
On Thursday 27 April 2006 09:50, Paul Howarth wrote:
>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as
>>> well as acroread:
>>>
>>> [klaus.steinberger@noname ~]$ acroread
>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
>>> cannot restore segment prot after reloc: Permission denied
>>> [klaus.steinberger@noname ~]$
>> after some googling I found following advice that worked for me to enable
>> acroread again:
>>
>> 1. Start "System" > "Administration" > "Security
Level and Firewall"
>> 2. On the "SELinux" tab click on "Modify SELinux Policy >
Compatibility"
>> 3. Tick the check box next to "Allow the use of shared libraries with
>> Text Relocation".
> A better fix is to label the acroread files correctly, which only
> "opens" the protection for acroread and not every process on the system:
>
> I believe you need:
> # chcon -t textrel_shlib_t \
> /usr/lib/acroread/Reader/intellinux/lib/*.so \
> /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
> /usr/lib/acroread/Reader/intellinux/plug_ins/*.api
I have checked that. As I am using the original RPM packets provided by Adobe
the files are located in /usr/local/Adobe/Acrobat7.0/Reader/intellinux and a
chcon -t textrel_shlib_t \
/usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/*.so
seems to be sufficient to run acroread and also use the plugin in Firefox.
BTW, what are SPPlugins and plug_ins for?
Dunno; I don't use it myself (evince is fine for my needs) and I picked
up the need to fix the two sets of plugins from various posts on
fedora-list.
However, thank you Paul for providing this more customized solution.
I assume,
that I only have to change the type context of the libraries distributed with
the Cisco VPN client accordingly to run it with a "fully" enabled selinux.
Probably, yes.
If that works, please provide details of what needed to be changed so
that it can make it into the Core policy.
Paul.