in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well as acroread: [klaus.steinberger@noname ~]$ acroread /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: cannot restore segment prot after reloc: Permission denied [klaus.steinberger@noname ~]$

On Thursday 27 April 2006 07:39, Klaus Steinberger wrote: Hi, > in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well > as acroread: > > [klaus.steinberger@noname ~]$ acroread > /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading > shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: > cannot restore segment prot after reloc: Permission denied > [klaus.steinberger@noname ~]$ after some googling I found following advice that worked for me to enable acroread again: 1. Start "System" > "Administration" > "Security Level and Firewall" 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility" 3. Tick the check box next to "Allow the use of shared libraries with Text Relocation".

On Thursday 27 April 2006 09:50, Paul Howarth wrote: >>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as >>> well as acroread: >>> >>> [klaus.steinberger@noname ~]$ acroread >>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading >>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: >>> cannot restore segment prot after reloc: Permission denied >>> [klaus.steinberger@noname ~]$ >> after some googling I found following advice that worked for me to enable >> acroread again: >> >> 1. Start "System" > "Administration" > "Security Level and Firewall" >> 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility" >> 3. Tick the check box next to "Allow the use of shared libraries with >> Text Relocation". > A better fix is to label the acroread files correctly, which only > "opens" the protection for acroread and not every process on the system: > > I believe you need: > # chcon -t textrel_shlib_t \ > /usr/lib/acroread/Reader/intellinux/lib/*.so \ > /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \ > /usr/lib/acroread/Reader/intellinux/plug_ins/*.api I have checked that. As I am using the original RPM packets provided by Adobe the files are located in /usr/local/Adobe/Acrobat7.0/Reader/intellinux and a chcon -t textrel_shlib_t \ /usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/*.so seems to be sufficient to run acroread and also use the plugin in Firefox. BTW, what are SPPlugins and plug_ins for?

However, thank you Paul for providing this more customized solution. I assume, that I only have to change the type context of the libraries distributed with the Cisco VPN client accordingly to run it with a "fully" enabled selinux.

On Thu, 27 Apr 2006, Paul Howarth wrote: > On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote: >> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote: >> >> Hi, >> >>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well >>> as acroread: >>> >>> [klaus.steinberger@noname ~]$ acroread >>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading >>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: >>> cannot restore segment prot after reloc: Permission denied >>> [klaus.steinberger@noname ~]$ >> after some googling I found following advice that worked for me to enable >> acroread again: >> >> 1. Start "System" > "Administration" > "Security Level and Firewall" >> 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility" >> 3. Tick the check box next to "Allow the use of shared libraries with Text >> Relocation". > A better fix is to label the acroread files correctly, which only > "opens" the protection for acroread and not every process on the system: > > I believe you need: > # chcon -t textrel_shlib_t \ > /usr/lib/acroread/Reader/intellinux/lib/*.so \ > /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \ > /usr/lib/acroread/Reader/intellinux/plug_ins/*.api If I relabel as suggested above, what happens the next time the filesystem is relabeled. If as I suspect they get relabeled back to the previous settings, what is the correct way to make the changes permanent?

On Thursday 27 April 2006 16:43, Paul Howarth wrote: > Tom Diehl wrote: > > On Thu, 27 Apr 2006, Paul Howarth wrote: > >> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote: > >>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote: > >>> > >>> Hi, > >>> > >>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as > >>>> well as acroread: > >>>> > >>>> [klaus.steinberger@noname ~]$ acroread > >>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading > >>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: > >>>> cannot restore segment prot after reloc: Permission denied > >>>> [klaus.steinberger@noname ~]$ > >>> > >>> after some googling I found following advice that worked for me to > >>> enable acroread again: > >>> > >>> 1. Start "System" > "Administration" > "Security Level and Firewall" > >>> 2. On the "SELinux" tab click on "Modify SELinux Policy > > >>> Compatibility" 3. Tick the check box next to "Allow the use of shared > >>> libraries with Text Relocation". > >> > >> A better fix is to label the acroread files correctly, which only > >> "opens" the protection for acroread and not every process on the system: > >> > >> I believe you need: > >> # chcon -t textrel_shlib_t \ > >> /usr/lib/acroread/Reader/intellinux/lib/*.so \ > >> /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \ > >> /usr/lib/acroread/Reader/intellinux/plug_ins/*.api > > > > If I relabel as suggested above, what happens the next time the > > filesystem is relabeled. If as I suspect they get relabeled back to the > > previous settings, what is the correct way to make the changes permanent? > > It can be done using semanage to add new file context objects. However, > I believe the required entries are *supposed* to be in the main policy > package: > > # semanage fcontext -l | grep -Ei 'adobe|intellinux' > /usr/(local/)?Adobe/.*\.api regular file > system_u:object_r:texrel_shlib_t:s0 > /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* regular file > system_u:object_r:texrel_shlib_t:s0 > /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl regular file > system_u:object_r:textrel_shlib_t:s0 > /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so regular file > system_u:object_r:texrel_shlib_t:s0 > # rpm -q selinux-policy > selinux-policy-2.2.34-3.fc5 > > If you have the latest policy and "restorecon -vR /path/to/acroread" > doesn't set the right context, raise it here and mention which files > aren't getting set to textrel_shlib_t. Hopefully it will get fixed so > that this issue stops cropping up on fedora-list every day like it seems > to at the moment. I have the above mentioned selinux-policy-2.2.34-3.fc5 installed. However, a "restorecon -vR /usr/local/Adobe" results in "/etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /opt (system_u:object_r:home_root_t and system_u:object_r:usr_t). /etc/selinux/targeted/contexts/files/file_contexts: Multiple different specifications for /opt (system_u:object_r:home_root_t and system_u:object_r:usr_t)."

and no file contexts changed. I am clueless about the details of selinux. Is this a bug in the policy script or might this be a failure in my installation. Don't know if it matters but I upgraded from FC4.

On Friday 28 April 2006 08:36, Paul Howarth wrote: > On Thu, 2006-04-27 at 20:43 +0200, Stephan Groß wrote: >> On Thursday 27 April 2006 16:43, Paul Howarth wrote: >>> Tom Diehl wrote: >>>> On Thu, 27 Apr 2006, Paul Howarth wrote: >>>>> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote: >>>>>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote: >>>>>> >>>>>> Hi, >>>>>> >>>>>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, >>>>>>> as well as acroread: >>>>>>> >>>>>>> [klaus.steinberger@noname ~]$ acroread >>>>>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while >>>>>>> loading shared libraries: >>>>>>> /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: cannot restore >>>>>>> segment prot after reloc: Permission denied >>>>>>> [klaus.steinberger@noname ~]$ >>>>>> after some googling I found following advice that worked for me to >>>>>> enable acroread again: >>>>>> >>>>>> 1. Start "System" > "Administration" > "Security Level and >>>>>> Firewall" 2. On the "SELinux" tab click on "Modify SELinux Policy > >>>>>> Compatibility" 3. Tick the check box next to "Allow the use of >>>>>> shared libraries with Text Relocation". >>>>> A better fix is to label the acroread files correctly, which only >>>>> "opens" the protection for acroread and not every process on the >>>>> system: >>>>> >>>>> I believe you need: >>>>> # chcon -t textrel_shlib_t \ >>>>> /usr/lib/acroread/Reader/intellinux/lib/*.so \ >>>>> /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \ >>>>> /usr/lib/acroread/Reader/intellinux/plug_ins/*.api >>>> If I relabel as suggested above, what happens the next time the >>>> filesystem is relabeled. If as I suspect they get relabeled back to >>>> the previous settings, what is the correct way to make the changes >>>> permanent? >>> It can be done using semanage to add new file context objects. However, >>> I believe the required entries are *supposed* to be in the main policy >>> package: >>> >>> # semanage fcontext -l | grep -Ei 'adobe|intellinux' >>> /usr/(local/)?Adobe/.*\.api regular file >>> system_u:object_r:texrel_shlib_t:s0 >>> /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* regular file >>> system_u:object_r:texrel_shlib_t:s0 >>> /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl regular file >>> system_u:object_r:textrel_shlib_t:s0 >>> /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so regular file >>> system_u:object_r:texrel_shlib_t:s0 >>> # rpm -q selinux-policy >>> selinux-policy-2.2.34-3.fc5 >>> >>> If you have the latest policy and "restorecon -vR /path/to/acroread" >>> doesn't set the right context, raise it here and mention which files >>> aren't getting set to textrel_shlib_t. Hopefully it will get fixed so >>> that this issue stops cropping up on fedora-list every day like it >>> seems to at the moment. >> I have the above mentioned selinux-policy-2.2.34-3.fc5 installed. >> However, a "restorecon -vR /usr/local/Adobe" results in >> >> "/etc/selinux/targeted/contexts/files/file_contexts: Multiple different >> specifications for /opt (system_u:object_r:home_root_t and >> system_u:object_r:usr_t). >> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different >> specifications for /opt (system_u:object_r:home_root_t and >> system_u:object_r:usr_t)." > Have you moved root's home directory from /root to somewhere under /opt? No, its still in /root. I only have the Brockhaus Multimedia Encyclopedia (the german answer to MS Encarte) installed that registers a user bmm having its home directory in /opt/bmm. However, I just checked that /opt is of type home_root_t and all of its subdirectories are of type user_home_dir_t. Should I change any of these settings?