several problems after successful update, wine, texlive and selinux

Ken YANG spng.yang at gmail.com
Wed Aug 22 07:31:00 UTC 2007


Antonio Olivares wrote:
> Dear all,
> 
> I have successfully updated the machine I asked help to update for which advice was quickly given and resolved.  However, after updating I find the following problems:
> 
> 1) wine does not work.  Is it because of selinux?  dmesg does not show this :(
> 
> [olivares at localhost ~]$ wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe &
> [1] 3004
> [olivares at localhost ~]$ bash: /usr/bin/wine: Permission denied
> 
> [1]+  Exit 126                wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe
> [olivares at localhost ~]$ wine --help
> bash: /usr/bin/wine: Permission denied
> [olivares at localhost ~]$ wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe &
> [1] 3007
> [olivares at localhost ~]$ bash: /usr/bin/wine: Permission denied
> 
> [1]+  Exit 126                wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe
> [olivares at localhost ~]$ rpm -qa wine*
> wine-capi-0.9.43-2.fc8
> wine-twain-0.9.43-2.fc8
> wine-nas-0.9.43-2.fc8
> wine-jack-0.9.43-2.fc8
> wine-0.9.43-2.fc8
> wine-cms-0.9.43-2.fc8
> wine-tools-0.9.43-2.fc8
> wine-core-0.9.43-2.fc8
> wine-esd-0.9.43-2.fc8
> wine-ldap-0.9.43-2.fc8

Is your audit running? If yes, all avc will be there, so are there
any messages when your wine is denied, except "permission denied"?

> 
> 
> 2) texlive install was almost successful all the way except for tetex-xdvi no equivalent texlive package.  I am surprised that f8 test 1 still had tetex instead of texlive, but here I installed it using the instructions on the Wiki.
> 
> [root at localhost Downloads]# yum install texlive texlive-latex
> Setting up Install Process
> Parsing package install arguments
> development               100% |=========================| 2.1 kB    00:00     
> primary.sqlite.bz2        100% |=========================| 4.2 MB    00:03     
> texlive                   100% |=========================|  951 B    00:00     
> primary.xml.gz            100% |=========================| 7.2 kB    00:00     
> texlive   : ################################################## 23/23
> Resolving Dependencies
> --> Running transaction check
> ---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
> --> Processing Dependency: texlive-texmf = 2007 for package: texlive
> --> Processing Dependency: libt1.so.5 for package: texlive
> --> Processing Dependency: libTECkit.so.0 for package: texlive
> --> Processing Dependency: texlive-texmf-errata = 2007 for package: texlive-latex
> --> Processing Dependency: texlive-dvips = 2007 for package: texlive-latex
> --> Processing Dependency: texlive-texmf-latex = 2007 for package: texlive-latex
> --> Processing Dependency: texlive-texmf-errata = 2007 for package: texlive
> --> Processing Dependency: texlive-fonts = 2007-0.10.fc7 for package: texlive
> --> Processing Dependency: libkpathsea.so.4 for package: texlive
> --> Restarting Dependency Resolution with new changes.
> --> Running transaction check
> ---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package t1lib.i386 0:5.1.1-1.fc8 set to be updated
> ---> Package teckit.i386 0:2.2.1-1.fc8 set to be updated
> ---> Package kpathsea.i386 0:2007-0.10.fc7 set to be updated
> --> Processing Dependency: texlive-texmf-fonts >= 2007 for package: texlive-fonts
> --> Processing Dependency: texlive-texmf-errata-latex = 2007 for package: texlive-texmf-latex
> --> Processing Dependency: texlive-texmf-common = 2007 for package: texlive-texmf-latex
> --> Processing Dependency: texlive-texmf-dvips = 2007 for package: texlive-dvips
> --> Restarting Dependency Resolution with new changes.
> --> Running transaction check
> ---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-common.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
> --> Processing Dependency: texlive-texmf-errata-common = 2007-0.9.fc7 for package: texlive-texmf-errata-latex
> --> Processing Dependency: texlive-texmf-errata-fonts = 2007 for package: texlive-texmf-fonts
> --> Processing Dependency: texlive-texmf-errata-dvips = 2007 for package: texlive-texmf-dvips
> --> Restarting Dependency Resolution with new changes.
> --> Running transaction check
> ---> Package texlive-texmf-errata-common.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-errata-fonts.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-errata-dvips.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
> 
> Dependencies Resolved
> 
> =============================================================================
>  Package                 Arch       Version          Repository        Size 
> =============================================================================
> Installing:
>  texlive                 i386       2007-0.10.fc7    texlive           5.8 M
>  texlive-latex           i386       2007-0.10.fc7    texlive            74 k
> Installing for dependencies:
>  kpathsea                i386       2007-0.10.fc7    texlive           148 k
>  t1lib                   i386       5.1.1-1.fc8      development       316 k
>  teckit                  i386       2.2.1-1.fc8      development       322 k
>  texlive-dvips           i386       2007-0.10.fc7    texlive           176 k
>  texlive-fonts           i386       2007-0.10.fc7    texlive           509 k
>  texlive-texmf           noarch     2007-0.10.fc7    texlive           8.2 M
>  texlive-texmf-common    noarch     2007-0.10.fc7    texlive           7.4 k
>  texlive-texmf-dvips     noarch     2007-0.10.fc7    texlive           826 k
>  texlive-texmf-errata    noarch     2007-0.9.fc7     texlive           3.3 k
>  texlive-texmf-errata-common  noarch     2007-0.9.fc7     texlive           3.4 k
>  texlive-texmf-errata-dvips  noarch     2007-0.9.fc7     texlive           3.3 k
>  texlive-texmf-errata-fonts  noarch     2007-0.9.fc7     texlive           3.2 k
>  texlive-texmf-errata-latex  noarch     2007-0.9.fc7     texlive           3.3 k
>  texlive-texmf-fonts     noarch     2007-0.10.fc7    texlive            55 M
>  texlive-texmf-latex     noarch     2007-0.10.fc7    texlive           3.1 M
> 
> Transaction Summary
> =============================================================================
> Install     17 Package(s)         
> Update       0 Package(s)         
> Remove       0 Package(s)         
> 
> Total download size: 74 M
> Is this ok [y/N]: y
> Downloading Packages:
> (1/17): kpathsea-2007-0.1 100% |=========================| 148 kB    00:00     
> (2/17): teckit-2.2.1-1.fc 100% |=========================| 322 kB    00:00     
> (3/17): texlive-texmf-dvi 100% |=========================| 826 kB    00:00     
> (4/17): texlive-texmf-err 100% |=========================| 3.3 kB    00:00     
> (5/17): t1lib-5.1.1-1.fc8 100% |=========================| 316 kB    00:00     
> (6/17): texlive-texmf-com 100% |=========================| 7.4 kB    00:00     
> (7/17): texlive-texmf-200 100% |=========================| 8.2 MB    00:05     
> (8/17): texlive-texmf-err 100% |=========================| 3.3 kB    00:00     
> (9/17): texlive-texmf-err 100% |=========================| 3.3 kB    00:00     
> (10/17): texlive-latex-20 100% |=========================|  74 kB    00:00     
> (11/17): texlive-texmf-fo 100% |=========================|  55 MB    00:37     
> (12/17): texlive-texmf-er 100% |=========================| 3.2 kB    00:00     
> (13/17): texlive-2007-0.1 100% |=========================| 5.8 MB    00:04     
> (14/17): texlive-dvips-20 100% |=========================| 176 kB    00:00     
> (15/17): texlive-fonts-20 100% |=========================| 509 kB    00:00     
> (16/17): texlive-texmf-er 100% |=========================| 3.4 kB    00:00     
> (17/17): texlive-texmf-la 100% |=========================| 3.1 MB    00:02     
> Running rpm_check_debug
> --> Populating transaction set with selected packages. Please wait.
> ---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata-common.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata-fonts.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-common.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package t1lib.i386 0:5.1.1-1.fc8 set to be updated
> ---> Package texlive-texmf-errata-dvips.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package teckit.i386 0:2.2.1-1.fc8 set to be updated
> ---> Package kpathsea.i386 0:2007-0.10.fc7 set to be updated
> ERROR with rpm_check_debug vs depsolve:
> Package tetex-xdvi needs tetex-dvips = 3.0, this is not available.
> Complete!
> 
> 
> and selinux is causing too much trouble.  Here's an example:  Sorry for all the text in the selinux alert.  
> 
> Summary
>     SELinux is preventing /usr/lib/firefox-2.0.0.6/firefox-bin from making the
>     program stack executable.
> 
> Detailed Description
>     The /usr/lib/firefox-2.0.0.6/firefox-bin application attempted to make the
>     its stack executable.  This is a potential security problem.  This should
>     never ever be necessary. stack memory is not executable on most OSes these
>     days and this will not change. Executable stack memory is one of the biggest
>     security problems. An execstack error might in fact be most likely raised by
>     malicious code. Applications are sometimes coded incorrectly and request
>     this permission.  The http://people.redhat.com/drepper/selinux-mem.html web
>     page explains how to remove this requirement.  If /usr/lib/firefox-2.0.0.6
>     /firefox-bin does not work and you need it to work, you can configure
>     SELinux temporarily to allow this access until the application is fixed.
>     Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
>     package.
> 
> Allowing Access
>     Sometimes a library is accidentally marked with the execstack flag, if you
>     find a library with this flag you can clear it with the execstack -c
>     LIBRARY_PATH.  Then retry your application.  If the app continues to not
>     work, you can turn the flack back on with execstac -s LIBRARY_PATH.
>     Otherwise, if you trust /usr/lib/firefox-2.0.0.6/firefox-bin to run
>     correctly, you can change the context of the executable to
>     unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
>     /usr/lib/firefox-2.0.0.6/firefox-bin" You must also change the default file
>     context files on the system in order to preserve them even on a full
>     relabel.  "semanage fcontext -a -t unconfined_execmem_exec_t
>     /usr/lib/firefox-2.0.0.6/firefox-bin"
> 
>     The following command will allow this access:
>     chcon -t unconfined_execmem_exec_t /usr/lib/firefox-2.0.0.6/firefox-bin
> 
> Additional Information        
> 
> Source Context                system_u:system_r:unconfined_t
> Target Context                system_u:system_r:unconfined_t
> Target Objects                None [ process ]
> Affected RPM Packages         firefox-2.0.0.6-3.fc8 [application]
> Policy RPM                    selinux-policy-3.0.5-8.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.allow_execstack
> Host Name                     localhost
> Platform                      Linux localhost 2.6.23-0.115.rc3.git1.fc8 #1 SMP
>                               Fri Aug 17 20:58:14 EDT 2007 i686 athlon
> Alert Count                   6
> First Seen                    Tue 21 Aug 2007 04:17:07 PM CDT
> Last Seen                     Tue 21 Aug 2007 04:54:17 PM CDT
> Local ID                      bbd222d8-abbe-4dd8-b54b-46c7d29b434c
> Line Numbers                  
> 
> Raw Audit Messages            
> 
> avc: denied { execstack } for comm="firefox-bin" egid=500 euid=500
> exe="/usr/lib/firefox-2.0.0.6/firefox-bin" exit=-13 fsgid=500 fsuid=500 gid=500
> items=0 pid=3011 scontext=system_u:system_r:unconfined_t:s0 sgid=500
> subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process
> tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500

This is not a problem of SELinux, but a problem of firefox.

As you see, firefox needs an executable stack. If you trust firefox,
you can enable firefox by following the guide from sealert.


> 
> SELinux is preventing /usr/sbin/hald (hald_t) "read" to reload (var_lib_t).
> SELinux prevented /usr/sbin/ntpd from using the terminal 0

SELinux by default prevents confined daemons from talking to the
terminal. This is actually considered a security feature.

You would not want a compromised daemon to prompt you for a
login/passwd.

Most daemons that are coded correctly will, shortly after startup,
close the open file descriptors before going into daemon mode.
So in this case, SELinux is a second line of defense.

If you trust all your confined daemons, you can use the following
command to enable your daemons to talk to the tty:

setsebool -P allow_daemons_use_tty=1

BTW, for http, there is a specific boolean:

httpd_tty_comm


> 
> avc: denied { read, write } for comm="ntpd" dev=devpts egid=0 euid=0 exe="/usr/sbin/ntpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="0" pid=17348 scontext=user_u:system_r:ntpd_t:s0 sgid=0 subj=user_u:system_r:ntpd_t:s0 suid=0 tclass=chr_file tcontext=user_u:object_r:devpts_t:s0 tty=(none) uid=0 
> 
> 
> SELinux is preventing /usr/sbin/cupsd (unlabeled_t) "create" to (unlabeled_t).
> SELinux is preventing /usr/sbin/cupsd (unlabeled_t) "append" to /var/log/cups/error_log (cupsd_log_t).
> SELinux prevented /sbin/rpc.statd from using the terminal /dev/pts/0.
> ......, there are a bunch of them.  sorry for not posting them.  
> 
> dmesg does not show any of these when running dmesg from the terminal.
> see 
> http://www.geocities.com/olivares14031//20070821164505-dmesg.htm
> for details.  Will do an
> 
> # touch /.autorelabel
> # reboot
> 
> and hope that it cures many of these issues. 
> 
> Regards,
> 
> Antonio 
> 
> 
> 
> 
> 
> 
> 
> --
> fedora-selinux-list mailing list
> fedora-selinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
> 
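
As an added example (not part of the original message and not code from any SELinux tool): a small Python parser for raw AVC denials in the format quoted above, sorting them into the two cases the reply distinguishes, an application requesting an executable stack and a confined daemon touching the terminal. The bucket names and the `tty_device_t` entry are assumptions made for illustration.

```python
import re

# Two raw AVC records from the message above, abridged and joined onto one line each.
SAMPLES = [
    'avc: denied { execstack } for comm="firefox-bin" egid=500 euid=500 '
    'exe="/usr/lib/firefox-2.0.0.6/firefox-bin" exit=-13 pid=3011 '
    'scontext=system_u:system_r:unconfined_t:s0 tclass=process '
    'tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500',
    'avc: denied { read, write } for comm="ntpd" dev=devpts egid=0 euid=0 '
    'exe="/usr/sbin/ntpd" exit=0 name="0" pid=17348 '
    'scontext=user_u:system_r:ntpd_t:s0 tclass=chr_file '
    'tcontext=user_u:object_r:devpts_t:s0 tty=(none) uid=0',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TTY_TYPES = {"devpts_t", "tty_device_t"}  # tty_device_t is an assumption, not on the page

def sel_type(context):
    """Return the type field of a user:role:type[:level] context, or None."""
    parts = (context or "").split(":")
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one denial into a dict; return None for lines that are not AVC denials."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return {"perms": set(re.split(r'[,\s]+', m.group(1))),
            "comm": fields.get("comm"), "tclass": fields.get("tclass"),
            "stype": sel_type(fields.get("scontext")),
            "ttype": sel_type(fields.get("tcontext"))}

def triage(avc):
    """Hypothetical bucket names for the two cases the reply distinguishes."""
    if avc["tclass"] == "process" and "execstack" in avc["perms"]:
        return "app-requests-execstack"   # application issue, not a policy fault
    if (avc["tclass"] == "chr_file" and avc["ttype"] in TTY_TYPES
            and avc["stype"] != "unconfined_t"):
        return "confined-daemon-tty"      # daemon kept a terminal descriptor open
    return "unclassified"                 # read the full record before changing policy

def report(lines):
    """Return (comm, bucket) for every AVC denial found in lines."""
    parsed = (parse_avc(line) for line in lines)
    return [(a["comm"], triage(a)) for a in parsed if a is not None]

if __name__ == "__main__":
    for comm, bucket in report(SAMPLES):
        print(f"{comm}: {bucket}")
```

Lines that are not AVC denials, such as the shell's "Permission denied" message, are skipped, which is why the audit log rather than the terminal output is the place to look.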



