Tom Diehl wrote:
On Thu, 27 Apr 2006, Paul Howarth wrote:
> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well
>>> as acroread:
>>> [klaus.steinberger@noname ~]$ acroread
>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
>>> cannot restore segment prot after reloc: Permission denied
>>> [klaus.steinberger@noname ~]$
>> after some googling I found following advice that worked for me to enable
>> acroread again:
>> 1. Start "System" > "Administration" > "Security
Level and Firewall"
>> 2. On the "SELinux" tab click on "Modify SELinux Policy >
>> 3. Tick the check box next to "Allow the use of shared libraries with Text
> A better fix is to label the acroread files correctly, which only
> "opens" the protection for acroread and not every process on the system:
> I believe you need:
> # chcon -t textrel_shlib_t \
> /usr/lib/acroread/Reader/intellinux/lib/*.so \
> /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
If I relabel as suggested above, what happens the next time the filesystem
is relabeled. If as I suspect they get relabeled back to the previous settings,
what is the correct way to make the changes permanent?
It can be done using semanage to add new file context objects. However,
I believe the required entries are *supposed* to be in the main policy
# semanage fcontext -l | grep -Ei 'adobe|intellinux'
/usr/(local/)?Adobe/.*\.api regular file
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* regular file
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl regular file
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so regular file
# rpm -q selinux-policy
If you have the latest policy and "restorecon -vR /path/to/acroread"
doesn't set the right context, raise it here and mention which files
aren't getting set to textrel_shlib_t. Hopefully it will get fixed so
that this issue stops cropping up on fedora-list every day like it seems
to at the moment.