Hello,
in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well as acroread:
[klaus.steinberger@noname ~]$ acroread
/usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: cannot restore segment prot after reloc: Permission denied
[klaus.steinberger@noname ~]$
type=AVC msg=audit(1146115808.601:23): avc: denied { execmod } for pid=3366 comm="acroread" name="libJP2K.so" dev=hda2 ino=2680495 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1146115808.601:23): arch=40000003 syscall=125 success=no exit=-13 a0=2d4000 a1=aa000 a2=5 a3=bfb2dfd0 items=0 pid=3366 auid=10022 uid=10022 gid=100 euid=10022 suid=10022 fsuid=10022 egid=100 sgid=100 fsgid=100 comm="acroread" exe="/usr/lib/acroread/Reader/intellinux/bin/acroread"
type=AVC_PATH msg=audit(1146115808.601:23): path="/usr/lib/acroread/Reader/intellinux/lib/libJP2K.so"
[klaus.steinberger@noname ~]$ vpnclient connect lrz
vpnclient: error while loading shared libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot after reloc: Permission denied
[klaus.steinberger@noname ~]$
type=AVC msg=audit(1146115819.449:24): avc: denied { execmod } for pid=3437 comm="vpnclient" name="libvpnapi.so" dev=hda2 ino=2676482 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1146115819.449:24): arch=40000003 syscall=125 success=no exit=-13 a0=5ce000 a1=43000 a2=5 a3=bfa87450 items=0 pid=3437 auid=10022 uid=10022 gid=100 euid=10022 suid=10022 fsuid=10022 egid=100 sgid=100 fsgid=100 comm="vpnclient" exe="/opt/cisco-vpnclient/bin/vpnclient"
type=AVC_PATH msg=audit(1146115819.449:24): path="/opt/cisco-vpnclient/lib/libvpnapi.so"
My system is up2date:
[klaus.steinberger@noname ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-2.2.34-3.fc5
[klaus.steinberger@noname ~]$ rpm -q acroread
acroread-7.0.5-2.2
[klaus.steinberger@noname ~]$
I'm currently not too familiar with selinux, so the only workaround I know is to "setenforce 0".
Sincerely, Klaus
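Added example, not part of the original post: a POSIX shell/awk filter that pairs each execmod AVC record with the AVC_PATH record of the same event (same msg=audit id) and prints the command, the full path of the library and the type the file currently carries. The names execmod_denials and SAMPLE_AUDIT are made up for this example; the sample records are the AVC and AVC_PATH lines from the message above.

```shell
#!/bin/sh
# Added example: list execmod denials from audit records read on stdin.

# AVC and AVC_PATH records copied from the message above, one record per line
# (the SYSCALL records are left out; the filter ignores them anyway).
SAMPLE_AUDIT='type=AVC msg=audit(1146115808.601:23): avc: denied { execmod } for pid=3366 comm="acroread" name="libJP2K.so" dev=hda2 ino=2680495 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC_PATH msg=audit(1146115808.601:23): path="/usr/lib/acroread/Reader/intellinux/lib/libJP2K.so"
type=AVC msg=audit(1146115819.449:24): avc: denied { execmod } for pid=3437 comm="vpnclient" name="libvpnapi.so" dev=hda2 ino=2676482 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC_PATH msg=audit(1146115819.449:24): path="/opt/cisco-vpnclient/lib/libvpnapi.so"'

# execmod_denials: print "comm<TAB>path<TAB>target type" for every execmod denial.
execmod_denials() {
    awk '
    # Return the value of key=value in an audit record, without quotes.
    function field(rec, key,    i, v) {
        i = index(" " rec, " " key "=")
        if (i == 0) return ""
        v = substr(" " rec, i + length(key) + 2)
        sub(/ .*/, "", v)
        gsub(/"/, "", v)
        return v
    }
    # Print one denial and forget the event so it is reported only once.
    function report(id, path,    ctx) {
        split(tcontext[id], ctx, ":")      # user:role:type:level
        printf "%s\t%s\t%s\n", comm[id], path, ctx[3]
        delete comm[id]
    }
    {
        # All records of one event share the msg=audit(timestamp:serial) id.
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART, RLENGTH)
    }
    /^type=AVC / && /denied +[{] execmod [}]/ {
        comm[id] = field($0, "comm")
        tcontext[id] = field($0, "tcontext")
        path = field($0, "path")           # present when the AVC record carries the path itself
        if (path != "") report(id, path)
        next
    }
    /^type=AVC_PATH / && (id in comm) {
        report(id, field($0, "path"))
    }
    '
}

# Run the filter over the sample records.
printf '%s\n' "$SAMPLE_AUDIT" | execmod_denials
```

On a live system the same function can read the audit log on stdin instead of the sample variable.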
On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
Hi,
> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well as acroread:
> [klaus.steinberger@noname ~]$ acroread
> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: cannot restore segment prot after reloc: Permission denied
> [klaus.steinberger@noname ~]$
after some googling I found following advice that worked for me to enable acroread again:
1. Start "System" > "Administration" > "Security Level and Firewall"
2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
3. Tick the check box next to "Allow the use of shared libraries with Text Relocation".
Regards, Stephan.
Hi,
> after some googling I found following advice that worked for me to enable acroread again:
> - Start "System" > "Administration" > "Security Level and Firewall"
> - On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
> - Tick the check box next to "Allow the use of shared libraries with Text Relocation".
Yep, that fixed it. Also the CISCO Client runs with this setting.
Sincerely, Klaus Steinberger
On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
> after some googling I found following advice that worked for me to enable acroread again:
> - Start "System" > "Administration" > "Security Level and Firewall"
> - On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
> - Tick the check box next to "Allow the use of shared libraries with Text Relocation".
A better fix is to label the acroread files correctly, which only "opens" the protection for acroread and not every process on the system:
I believe you need:
# chcon -t textrel_shlib_t \
    /usr/lib/acroread/Reader/intellinux/lib/*.so \
    /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
    /usr/lib/acroread/Reader/intellinux/plug_ins/*.api
Paul.
On Thursday 27 April 2006 09:50, Paul Howarth wrote:
> A better fix is to label the acroread files correctly, which only "opens" the protection for acroread and not every process on the system:
> I believe you need:
> # chcon -t textrel_shlib_t \
>     /usr/lib/acroread/Reader/intellinux/lib/*.so \
>     /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
>     /usr/lib/acroread/Reader/intellinux/plug_ins/*.api
I have checked that. As I am using the original RPM packets provided by Adobe the files are located in /usr/local/Adobe/Acrobat7.0/Reader/intellinux and a
chcon -t textrel_shlib_t \
    /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/*.so
seems to be sufficient to run acroread and also use the plugin in Firefox. BTW, what are SPPlugins and plug_ins for?
However, thank you Paul for providing this more customized solution. I assume that I only have to change the type context of the libraries distributed with the Cisco VPN client accordingly to run it with a "fully" enabled selinux.
Stephan Groß wrote:
> I have checked that. As I am using the original RPM packets provided by Adobe the files are located in /usr/local/Adobe/Acrobat7.0/Reader/intellinux and a
> chcon -t textrel_shlib_t \
>     /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/*.so
> seems to be sufficient to run acroread and also use the plugin in Firefox. BTW, what are SPPlugins and plug_ins for?
Dunno; I don't use it myself (evince is fine for my needs) and I picked up the need to fix the two sets of plugins from various posts on fedora-list.
> However, thank you Paul for providing this more customized solution. I assume that I only have to change the type context of the libraries distributed with the Cisco VPN client accordingly to run it with a "fully" enabled selinux.
Probably, yes.
If that works, please provide details of what needed to be changed so that it can make it into the Core policy.
Paul.
On Thu, 27 Apr 2006, Paul Howarth wrote:
> A better fix is to label the acroread files correctly, which only "opens" the protection for acroread and not every process on the system:
> I believe you need:
> # chcon -t textrel_shlib_t \
>     /usr/lib/acroread/Reader/intellinux/lib/*.so \
>     /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
>     /usr/lib/acroread/Reader/intellinux/plug_ins/*.api
If I relabel as suggested above, what happens the next time the filesystem is relabeled? If, as I suspect, they get relabeled back to the previous settings, what is the correct way to make the changes permanent?
Regards,
Tom Diehl tdiehl@rogueind.com Spamtrap address mtd123@rogueind.com
Tom Diehl wrote:
> If I relabel as suggested above, what happens the next time the filesystem is relabeled? If, as I suspect, they get relabeled back to the previous settings, what is the correct way to make the changes permanent?
It can be done using semanage to add new file context objects. However, I believe the required entries are *supposed* to be in the main policy package:
# semanage fcontext -l | grep -Ei 'adobe|intellinux'
/usr/(local/)?Adobe/.*.api    regular file    system_u:object_r:texrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?lib/[^/]*.so(.[^/]*)*    regular file    system_u:object_r:texrel_shlib_t:s0
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin.apl    regular file    system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf.so    regular file    system_u:object_r:texrel_shlib_t:s0
# rpm -q selinux-policy
selinux-policy-2.2.34-3.fc5
If you have the latest policy and "restorecon -vR /path/to/acroread" doesn't set the right context, raise it here and mention which files aren't getting set to textrel_shlib_t. Hopefully it will get fixed so that this issue stops cropping up on fedora-list every day like it seems to at the moment.
Paul.
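Added example, not part of the original message: a POSIX shell check of which of the four file-context entries quoted above cover a given path, so it is clear beforehand what restorecon could apply from them. The entries are copied as they appear in the listing (only those four are known here, and the listing spells the type two ways); the names FCONTEXT_ENTRIES, WANTED_TYPE, matching_types and coverage are made up for this example.

```shell
#!/bin/sh
# Added example: test paths against the file-context entries quoted above.

# "pattern type" pairs exactly as they appear in the quoted semanage listing.
FCONTEXT_ENTRIES='/usr/(local/)?Adobe/.*.api texrel_shlib_t
/usr/(local/)?Adobe/(.*/)?lib/[^/]*.so(.[^/]*)* texrel_shlib_t
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin.apl textrel_shlib_t
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf.so texrel_shlib_t'

# The type used in the chcon command earlier in the thread.
WANTED_TYPE=textrel_shlib_t

# matching_types PATH: print the type of every listed entry whose pattern
# matches the whole path (file-context patterns are anchored at both ends).
matching_types() {
    printf '%s\n' "$FCONTEXT_ENTRIES" | while read -r pattern type; do
        if printf '%s\n' "$1" | grep -Eq "^(${pattern})\$"; then
            printf '%s\n' "$type"
        fi
    done
}

# coverage PATH: classify the path as
#   covered     some entry matches and assigns WANTED_TYPE
#   other-type  entries match, but none assigns WANTED_TYPE as spelled
#   unmatched   none of the listed entries matches the path
coverage() {
    types=$(matching_types "$1")
    if [ -z "$types" ]; then
        echo unmatched
    elif printf '%s\n' "$types" | grep -qx "$WANTED_TYPE"; then
        echo covered
    else
        echo other-type
    fi
}

# Paths taken from the install locations mentioned in the thread.
for p in \
    /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so \
    /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so \
    /usr/lib/acroread/Reader/intellinux/SPPlugins/ADMPlugin.apl
do
    printf '%s\t%s\n' "$(coverage "$p")" "$p"
done
```

For a path that comes back unmatched, `semanage fcontext -a -t textrel_shlib_t '<pattern>'` followed by `restorecon -v` on the files records the label so that it survives a relabel.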
On Thursday 27 April 2006 16:43, Paul Howarth wrote:
> It can be done using semanage to add new file context objects. However, I believe the required entries are *supposed* to be in the main policy package:
> # semanage fcontext -l | grep -Ei 'adobe|intellinux'
> /usr/(local/)?Adobe/.*.api    regular file    system_u:object_r:texrel_shlib_t:s0
> /usr/(local/)?Adobe/(.*/)?lib/[^/]*.so(.[^/]*)*    regular file    system_u:object_r:texrel_shlib_t:s0
> /usr/(.*/)?intellinux/SPPlugins/ADMPlugin.apl    regular file    system_u:object_r:textrel_shlib_t:s0
> /usr/(local/)?Adobe/(.*/)?intellinux/nppdf.so    regular file    system_u:object_r:texrel_shlib_t:s0
> # rpm -q selinux-policy
> selinux-policy-2.2.34-3.fc5
> If you have the latest policy and "restorecon -vR /path/to/acroread" doesn't set the right context, raise it here and mention which files aren't getting set to textrel_shlib_t. Hopefully it will get fixed so that this issue stops cropping up on fedora-list every day like it seems to at the moment.
I have the above mentioned selinux-policy-2.2.34-3.fc5 installed. However, a "restorecon -vR /usr/local/Adobe" results in
"/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /opt (system_u:object_r:home_root_t and system_u:object_r:usr_t).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /opt (system_u:object_r:home_root_t and system_u:object_r:usr_t)."
and no file contexts changed. I am clueless about the details of selinux. Is this a bug in the policy script or might this be a failure in my installation? Don't know if it matters but I upgraded from FC4.
Regards, Stephan.
On Thu, 2006-04-27 at 20:43 +0200, Stephan Groß wrote:
> I have the above mentioned selinux-policy-2.2.34-3.fc5 installed. However, a "restorecon -vR /usr/local/Adobe" results in
> "/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /opt (system_u:object_r:home_root_t and system_u:object_r:usr_t).
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /opt (system_u:object_r:home_root_t and system_u:object_r:usr_t)."
Have you moved root's home directory from /root to somewhere under /opt?
> and no file contexts changed. I am clueless about the details of selinux. Is this a bug in the policy script or might this be a failure in my installation? Don't know if it matters but I upgraded from FC4.
I've upgraded too; it shouldn't matter.
Paul.
On Friday 28 April 2006 08:36, Paul Howarth wrote:
>> I have the above mentioned selinux-policy-2.2.34-3.fc5 installed. However, a "restorecon -vR /usr/local/Adobe" results in
>> "/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /opt (system_u:object_r:home_root_t and system_u:object_r:usr_t).
>> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /opt (system_u:object_r:home_root_t and system_u:object_r:usr_t)."
> Have you moved root's home directory from /root to somewhere under /opt?
No, it's still in /root. I only have the Brockhaus Multimedia Encyclopedia (the German answer to MS Encarta) installed that registers a user bmm having its home directory in /opt/bmm. However, I just checked that /opt is of type home_root_t and all of its subdirectories are of type user_home_dir_t. Should I change any of these settings?
Stephan.
Stephan Groß wrote:
>> Have you moved root's home directory from /root to somewhere under /opt?
> No, it's still in /root. I only have the Brockhaus Multimedia Encyclopedia (the German answer to MS Encarta) installed that registers a user bmm having its home directory in /opt/bmm. However, I just checked that /opt is of type home_root_t and all of its subdirectories are of type user_home_dir_t. Should I change any of these settings?
Moving its home directory to somewhere under /home might help.
Paul.
On Friday 28 April 2006 12:22, Paul Howarth wrote:
>>>> I have the above mentioned selinux-policy-2.2.34-3.fc5 installed. However, a "restorecon -vR /usr/local/Adobe" results in
>>>> "/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /opt (system_u:object_r:home_root_t and system_u:object_r:usr_t).
>>>> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /opt (system_u:object_r:home_root_t and system_u:object_r:usr_t)."
>>> Have you moved root's home directory from /root to somewhere under /opt?
>> No, it's still in /root. I only have the Brockhaus Multimedia Encyclopedia (the German answer to MS Encarta) installed that registers a user bmm having its home directory in /opt/bmm. However, I just checked that /opt is of type home_root_t and all of its subdirectories are of type user_home_dir_t. Should I change any of these settings?
> Moving its home directory to somewhere under /home might help.
I finally found a solution for that issue. Changing the bmm user's login shell to /sbin/nologin (he must not log in anyway) did the trick. Then I ran a /usr/sbin/genhomedircon to generate a new /etc/selinux/targeted/contexts/files/file_contexts.homedirs. Now Adobe Acroread works like a charm (using selinux-policy-targeted-2.2.36-2.fc5).
Stephan.