RE: Adobe Reader 7
by Fred New
On Mon 4/11/2005 6:25 PM, Daniel J Walsh wrote:
> Fred New wrote:
>
> > [fred@darth ~]$ /usr/local/Adobe/Acrobat7.0/bin/acroread
> > /usr/local/Adobe/Acrobat7.0/Reader/intellinux/bin/acroread: error
> > while loading shared libraries:
> > /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so: cannot
> > restore segment prot after reloc: Permission denied
> > [fred@darth ~]$
> >
> Which policy are you running
> rpm -q -i selinux-policy-targeted
I am running the latest policy:
[fred@darth ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-1.23.9-1
[fred@darth ~]$
(I'm assuming you didn't really want the "-i" in "rpm -q -i ...".)
When I originally wrote a couple days ago, I was running the previous
policy, selinux-policy-targeted-1.23.8-2. So I just now deleted the
/usr/local/Adobe directory and re-installed it - same results.
And "restorecon /usr/local/Adobe" doesn't change anything either.
I noticed when I installed selinux-policy-targeted-1.23.9-1
that the context for the Adobe Reader Firefox plugin,
/usr/lib/firefox-1.0.2/plugins/nppdf.so, changed from
lib_t to shlib_t. Everything in /usr/local/Adobe is still usr_t.
Fred
Can somebody help me?
by Hongwei Li
Hi,
I just found that my fc3 system log shows many, many entries like below:
Apr 5 14:50:42 morpheus kernel: audit(1112730642.889:0): avc: denied {
ioctl } for pid=32509 exe=/usr/bin/perl path=/proc/loadavg dev=proc
ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:proc_t tclass=file
Apr 5 14:51:19 morpheus kernel: audit(1112730679.318:0): avc: denied {
ioctl } for pid=32579 exe=/usr/bin/perl path=/proc/loadavg dev=proc
ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t
tcontext=system_u:object_r:proc_t tclass=file
...
What does it mean? Although I haven't got real trouble in email service,
web service, squirrelmail, etc., I'd like to know if it means something
bad in the system and how to fix it.
Thanks a lot!
Hongwei Li
Adobe Reader 7
by Fred New
I have installed the beta Adobe Reader 7.0 on my Fedora Core 4 Test 1
system, targeted policy,
(ftp://ftp.adobe.com/pub/adobe/reader/unix/7x/7.0/enu/AdbeRdr70_linux_enu....)
and I had to make the following context changes in order to get it to
work:
find /usr/local/Adobe -exec chcon -t lib_t {} \;
find /usr/local/Adobe/Acrobat7.0/Reader/intellinux \
-type f -exec chcon -t shlib_t {} \;
find /usr/local/Adobe/Acrobat7.0/Browser/intellinux \
-type f -exec chcon -t shlib_t {} \;
Is this a correct and accepted way of dealing with this without
installing the policy sources?
Fred
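The "cannot restore segment prot after reloc" message Fred quotes is ld.so reporting that mprotect() failed after it applied text relocations, which SELinux denies as execmod on the library. Rather than relabelling every file under /usr/local/Adobe, a scan can show which shared objects actually carry a DT_TEXTREL/DF_TEXTREL flag. This is an added example, not code from the thread or from Adobe; it handles ELF64 little-endian objects only, and build_sample() is a constructed fixture, not a real library.

```python
import os
import struct

PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4


def has_textrel(data):
    """True if an ELF64 little-endian object has DT_TEXTREL or DF_TEXTREL in its dynamic section."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian objects are handled here")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    for i in range(e_phnum):
        ph = e_phoff + i * e_phentsize
        (p_type,) = struct.unpack_from("<I", data, ph)
        if p_type != PT_DYNAMIC:
            continue
        (p_offset,) = struct.unpack_from("<Q", data, ph + 8)
        (p_filesz,) = struct.unpack_from("<Q", data, ph + 32)
        for j in range(p_filesz // 16):                          # Elf64_Dyn is 16 bytes
            d_tag, d_val = struct.unpack_from("<qQ", data, p_offset + 16 * j)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
    return False


def scan_tree(root):
    """Return paths under root that are ELF64 objects with text relocations."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    data = f.read()
            except OSError:
                continue
            if data[:4] == b"\x7fELF" and data[4] == 2 and data[5] == 1 and has_textrel(data):
                hits.append(path)
    return hits


def build_sample(textrel):
    """Constructed fixture: a minimal ELF64 ET_DYN object holding only a PT_DYNAMIC segment."""
    entries = [(DT_FLAGS, DF_TEXTREL if textrel else 0), (DT_NULL, 0)]
    dyn = b"".join(struct.pack("<qQ", tag, val) for tag, val in entries)
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)            # ELFCLASS64, LSB, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn                                     # dynamic section starts at 120
```

Running scan_tree("/usr/local/Adobe") lists only the objects that need the text-relocation label; everything else can keep a plain library label.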
Policies for bastille?
by R. Jensen
I recently downloaded Bastille and was unable to get
the PSAD portion to install. [Bastille is trying to
install /usr/sbin/psad (among others)].
[root@lankhmar log]# ls -ldZ /usr/sbin
drwxr-xr-x root root system_u:object_r:sbin_t
So I would *expect* an SELinux error if the psad isn't of sbin_t.
[But I don't see any avc messages in the log.]
Here's a portion of Bastille's error log:
{Fri Mar 4 11:15:28 2005} Failed to place /psad as /usr/sbin/psad
{Fri Mar 4 11:15:28 2005} #ERROR: chmod: File /usr/sbin/psad doesn't exist!
{Fri Mar 4 11:15:28 2005} Failed to place /psadwatchd as
/usr/sbin/psadwatchd
{Fri Mar 4 11:15:28 2005} #ERROR: chmod: File /usr/sbin/psadwatchd
doesn't exist!
{Fri Mar 4 11:15:28 2005} Failed to place /kmsgsd as /usr/sbin/kmsgsd
{Fri Mar 4 11:15:28 2005} #ERROR: chmod: File /usr/sbin/kmsgsd doesn't
exist!
Does this look like an SELinux issue or just Bastille?
Richard.
snmpd bug
by Farkas Levente
Hi,
I just noticed this bug in our firewall's log file:
-----------------------------------
Apr 7 17:50:23 portal kernel: audit(1112889023.021:0): avc: denied {
search } for pid=6409 exe=/usr/sbin/snmpd name=net dev=proc
ino=-268435351 scontext=user_u:system_r:snmpd_t
tcontext=system_u:object_r:sysctl_net_t tclass=dir
-----------------------------------
It seems snmpd tries to do something which is not allowed :-)
yours.
--
Levente "Si vis pacem para bellum!"
Error loading libsepol during system boot
by W. Michael Petullo
I have been sitting on a problem for a few weeks, waiting to see if a
forthcoming policy package would fix it. I wanted to mention it on this
mailing list before entering it into Bugzilla because I am not convinced
it is not my fault.
When I try to boot my system with Fedora's strict policy, the process
stops with the following message:
... denied { execmem } for pid=1 comm=init scontext=system_u:system_r:init_t tcontext=system_u:system_r:init_t tclass=process
/sbin/init: error while loading shared libraries: libsepol.so.1: failed to map segment from shared object: Permission denied
kernel panic - not syncing: Attempted to kill init!
I am using:
SysVinit-2.85-37
selinux-policy-strict-1.23.6-3
libsepol-1.5.3-1
Has anyone else experienced this?
--
Mike
:wq
Another Apache problem
by David Hampton
I noticed that I had "r_dir_file(httpd_t, httpdcontent)" in my
domains/misc/local.te file so I removed it. After I did this I started
getting avc errors for all web access to my server. Audit2allow says I
need:
allow httpd_t httpd_sys_content_t:dir { getattr search };
allow httpd_t httpd_sys_content_t:file { getattr read };
Poking through the policy sources, it appears that httpd_t no longer has
permission to read files with the httpdcontent attribute. Grep shows
only this one place where httpd_t gets permission to read the content...
./domains/program/apache.te:create_dir_file(httpd_t, httpdcontent)
...but this line is protected by what looks like a four way conditional
and doesn't appear to have any effect. Would it make sense to add
unconditional read access to httpd before checking/allowing write and
execute access on the files?
My system is an FC3 base running with Daniel Walsh's 1.23.6-1 strict
policy.
David
New policy for razor
by David Hampton
This is a new strict policy for the razor spam filter. It is based on
the selinux-policy-strict-sources-1.23.2-1 fedora RPM. This policy
requires the definition of a razor reserved port that was in the
net_contexts diff I sent last Wednesday. Please let me know if there
are any problems with or changes needed to this policy.
David
Additions to net_contexts
by David Hampton
Here are some additions to net_contexts to define additional privileged
ports. I'll be submitting policies that reference these ports over the
next week or so as I get them cleaned up. This is based on the file
from the selinux-policy-strict-sources-1.22.1-2 rpm on my FC3 system.
David
CGI permissions for targeted policy
by Ben
I have been having some problems with a CGI program, and audit2allow
shows I should add these permissions:
allow httpd_sys_script_t devpts_t:chr_file { read write };
allow httpd_sys_script_t httpd_tmp_t:file getattr;
allow httpd_sys_script_t httpd_tmp_t:file read;
I'm pretty green at SELinux, so I'm not too sure what these allow. I
suspect that the last rule lets httpd_sys_script_t programs read files
of type httpd_tmp_t, and the second rule lets them stat() those files.
What does the first rule mean, exactly? The CGI program I'm trying to
run creates a random filename, and I expect this is related to that,
but there ends my speculation.
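Several posts in this digest (Hongwei Li's perl/httpd_sys_script_t denials, Levente's snmpd denial, and the audit2allow output David and Ben quote) turn on reading AVC records and reducing them to the types and permissions a rule would name. As an added example, not code from the thread or from audit2allow, this parser merges denials by source type, target type and object class, keeps a hit count for triage, and renders them in the allow-rule form audit2allow prints; the sample log reuses the lines quoted in the thread plus one constructed snmpd "read" line so two permissions merge into one rule. A high count does not by itself mean the access is needed: a denial that is harmless noise belongs in a dontaudit rule, not an allow rule.

```python
import re
from collections import defaultdict

# Sample input: the AVC lines quoted in the thread, plus one constructed snmpd
# "read" denial (Apr 7 17:50:24) and one non-AVC line to show both are handled.
SAMPLE_LOG = """\
Apr 5 14:50:42 morpheus kernel: audit(1112730642.889:0): avc: denied { ioctl } for pid=32509 exe=/usr/bin/perl path=/proc/loadavg dev=proc ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:proc_t tclass=file
Apr 5 14:51:19 morpheus kernel: audit(1112730679.318:0): avc: denied { ioctl } for pid=32579 exe=/usr/bin/perl path=/proc/loadavg dev=proc ino=-268435456 scontext=user_u:system_r:httpd_sys_script_t tcontext=system_u:object_r:proc_t tclass=file
Apr 7 17:50:23 portal kernel: audit(1112889023.021:0): avc: denied { search } for pid=6409 exe=/usr/sbin/snmpd name=net dev=proc ino=-268435351 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:sysctl_net_t tclass=dir
Apr 7 17:50:24 portal kernel: audit(1112889024.100:0): avc: denied { read } for pid=6409 exe=/usr/sbin/snmpd name=net dev=proc ino=-268435351 scontext=user_u:system_r:snmpd_t tcontext=system_u:object_r:sysctl_net_t tclass=dir
Apr 7 17:51:00 portal kernel: unrelated message that is not an AVC record
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")          # pid=..., exe=..., scontext=..., tclass=...


def parse_avc(line):
    """Return a dict of the key=value fields plus 'perms' (a set), or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = set(m.group("perms").split())
    return rec


def type_of(context):
    """user:role:type -> type; policy rules are written against the type field."""
    return context.split(":")[2]


def summarize(log):
    """Merge denials by (source type, target type, class), with a hit count for triage."""
    merged = defaultdict(lambda: {"perms": set(), "count": 0})
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        merged[key]["perms"] |= rec["perms"]
        merged[key]["count"] += 1
    return dict(merged)


def allow_rules(log):
    """Render merged denials in the allow-rule syntax audit2allow prints."""
    out = []
    for (src, tgt, cls), info in sorted(summarize(log).items()):
        perms = sorted(info["perms"])
        rhs = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        out.append(f"allow {src} {tgt}:{cls} {rhs};")
    return out
```

Feeding the sample log to allow_rules() yields one rule per (type, type, class) triple; the hit count from summarize() tells you which triples dominate the log before you decide whether each belongs in an allow or a dontaudit rule.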