On Thursday 27 April 2006 16:43, Paul Howarth wrote:
Tom Diehl wrote:
> On Thu, 27 Apr 2006, Paul Howarth wrote:
>> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
>>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
>>>
>>> Hi,
>>>
>>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as
>>>> well as acroread:
>>>>
>>>> [klaus.steinberger@noname ~]$ acroread
>>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
>>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
>>>> cannot restore segment prot after reloc: Permission denied
>>>> [klaus.steinberger@noname ~]$
>>>
>>> after some googling I found the following advice that worked for me to
>>> enable acroread again:
>>>
>>> 1. Start "System" > "Administration" > "Security Level and Firewall"
>>> 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
>>> 3. Tick the check box next to "Allow the use of shared libraries with
>>>    Text Relocation".
>>
>> A better fix is to label the acroread files correctly, which only
>> "opens" the protection for acroread and not every process on the
>> system:
>>
>> I believe you need:
>> # chcon -t textrel_shlib_t \
>> /usr/lib/acroread/Reader/intellinux/lib/*.so \
>> /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
>> /usr/lib/acroread/Reader/intellinux/plug_ins/*.api
>
> If I relabel as suggested above, what happens the next time the
> filesystem is relabeled? If, as I suspect, they get relabeled back to the
> previous settings, what is the correct way to make the changes permanent?

It can be done using semanage to add new file context objects. However,
I believe the required entries are *supposed* to be in the main policy
package:

# semanage fcontext -l | grep -Ei 'adobe|intellinux'
/usr/(local/)?Adobe/.*\.api    regular file    system_u:object_r:texrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*    regular file    system_u:object_r:texrel_shlib_t:s0
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl    regular file    system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so    regular file    system_u:object_r:texrel_shlib_t:s0

# rpm -q selinux-policy
selinux-policy-2.2.34-3.fc5

If you have the latest policy and "restorecon -vR /path/to/acroread"
doesn't set the right context, raise it here and mention which files
aren't getting set to textrel_shlib_t. Hopefully it will get fixed so
that this issue stops cropping up on fedora-list every day like it seems
to at the moment.

I have the above-mentioned selinux-policy-2.2.34-3.fc5 installed. However, a
"restorecon -vR /usr/local/Adobe" results in

"/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /opt (system_u:object_r:home_root_t and system_u:object_r:usr_t).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /opt (system_u:object_r:home_root_t and system_u:object_r:usr_t)."

and no file contexts changed. I am clueless about the details of selinux. Is
this a bug in the policy script, or might this be a failure in my
installation? Don't know if it matters, but I upgraded from FC4.

Regards,
Stephan.
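
The "Multiple different specifications" message above is what restorecon prints when file_contexts holds the same path pattern twice with different contexts. The following is an added example, not part of the original thread or of the SELinux tools: a small checker that lists such duplicates. The function names and the sample entries are constructed for illustration, and the matching rule is a simplified model of the duplicate check.

```python
"""List file_contexts patterns that appear twice with different contexts."""
import sys

# Constructed sample entries (not a real policy file). The /opt pair conflicts;
# the acroread pair does not, because the file-type fields (-- vs -d) differ.
SAMPLE = r"""
# pattern                                        type  context
/opt                                             -d    system_u:object_r:usr_t
/opt                                             -d    system_u:object_r:home_root_t
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl   --    system_u:object_r:textrel_shlib_t:s0
/usr/lib/acroread/Reader/intellinux/lib/.*\.so   --    system_u:object_r:textrel_shlib_t:s0
/usr/lib/acroread/Reader/intellinux/lib/.*\.so   -d    system_u:object_r:lib_t:s0
"""

def parse_specs(text):
    """Return (pattern, file_type_or_None, context) for every entry line."""
    specs = []
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue                      # blank line or comment
        if len(fields) == 2:              # no file-type field: applies to all types
            specs.append((fields[0], None, fields[1]))
        elif len(fields) == 3:
            specs.append(tuple(fields))
    return specs

def find_conflicts(text):
    """Return (pattern, first_context, second_context) for conflicting duplicates."""
    seen, conflicts = {}, []
    for pattern, ftype, context in parse_specs(text):
        for other_type, other_context in seen.get(pattern, []):
            # Entries overlap if either has no type field or both name the same type.
            overlap = ftype is None or other_type is None or ftype == other_type
            if overlap and context != other_context:
                conflicts.append((pattern, other_context, context))
        seen.setdefault(pattern, []).append((ftype, context))
    return conflicts

if __name__ == "__main__":
    # Pass a file_contexts path as the first argument, or run on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for pattern, first, second in find_conflicts(text):
        print(f"{pattern}: {first} and {second}")
```

Run against /etc/selinux/targeted/contexts/files/file_contexts, it prints each pattern that is defined twice together with both contexts, which shows which entries need to be reconciled before restorecon can relabel anything.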