Citrix ICA Client vs. SELinux
Eric Brunson
brunson at brunson.com
Mon Apr 3 18:53:28 UTC 2006
Daniel J Walsh wrote:
> Eric Brunson wrote:
>> Eric Brunson wrote:
>>> With the latest upgrade of the kernel (2.6.16-1.2080_FC5) my Citrix
>>> client stopped working. Booting into the previous kernel
>>> (2.6.15-1.2054_FC5) will allow me to run it, but in the current
>>> kernel on two machines it segfaults, on the machine I'm on now it
>>> gives this error:
>>>
>>> clotho(~)$ /usr/lib/ICAClient/wfica -icaroot /usr/lib/ICAClient
>>> -nosplash -desc hemo1
>>>
>>> Error: 75 (E_DYNLOAD_FAILED)
>>>
>>> Please refer to the documentation.
>>>
>>> Error loading dynamic module:
>>>
>>> "/usr/lib/ICAClient/CHARICONV.DLL"
>>>
>>> /usr/lib/ICAClient/CHARICONV.DLL: cannot restore segment prot
>>> after reloc: Permission denied
>>>
>>>
>>> The "Permission denied" led me to try disabling selinux enforcement,
>>> which allowed it to run again. Is there enough information in the
>>> message above for someone to speculate on a policy change that will
>>> allow that dll to load?
>>>
>> chcon -t textrel_shlib_t /usr/lib/ICAClient/CHARICONV.DLL did the
>> trick on that library, but now I get a popup that it can't find
>> libctxssl.so, which is in the same directory, /usr/lib/ICACLIENT. I
>> tried adding "/usr/lib/ICAClient/" to the ld.so.conf and running
>> ldconfig, but it still claims to be unable to find the .so file.
>> Again, setenforce 0 allows the application to run properly, but
>> setenforce 1 causes the failure, even though libctxssl.so shows up in
>> ldconfig -p.
>> Is there something in SELinux policies that interferes with ld.so
>> searching? Google hasn't turned anything up yet, but I'm still looking.
>>
>> Thanks,
>> e.
>>
> Look for avc messages in /var/log/messages or
> /var/log/audit/audit.log. You might need to change textrel_shlib_t on
> this file also.
>
Daniel, U da Man. It's running perfectly now.
Though the message:
clotho kernel: audit(1144088654.838:25): avc: denied { execmod } for
pid=3107 comm="wfica" name="libctxssl.so" dev=dm-0 ino=1053673
scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
leaves something to be desired, having no reference to textrel_shlib_t in
it to dial you into what permission was denied. :-) Of course, that's
to an untrained eye; those clueful in the ways of selinux may be able to
get more out of it than I could.
You kick ass.
Thanks.
e.
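
An added example, not part of the original message or of any SELinux tool: a small parser that pulls the fields out of an AVC denial like the one quoted above and spells out what was denied, including the textrel_shlib_t relabel discussed in this thread for an execmod denial on a library. The function names and the joined-up sample line are assumptions made for the illustration.

```python
import re

# Constructed sample: the denial quoted in the message above, joined onto one line.
SAMPLE = ('clotho kernel: audit(1144088654.838:25): avc: denied { execmod } for '
          'pid=3107 comm="wfica" name="libctxssl.so" dev=dm-0 ino=1053673 '
          'scontext=user_u:system_r:unconfined_t:s0 '
          'tcontext=system_u:object_r:lib_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the fields in one AVC denial line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # SELinux contexts are user:role:type[:level]; the type is the third field.
    for key in ('scontext', 'tcontext'):
        if key in rec:
            parts = rec[key].split(':')
            rec[key[0] + 'type'] = parts[2] if len(parts) > 2 else None
    return rec

def explain(rec):
    """Describe the denial; for execmod on a file, add the relabel used in this thread."""
    msg = (f"{rec['comm']} (pid {rec['pid']}, domain {rec.get('stype')}) was denied "
           f"{', '.join(rec['perms'])} on {rec['tclass']} {rec['name']} "
           f"(type {rec.get('ttype')}, inode {rec['ino']} on {rec['dev']})")
    if 'execmod' in rec['perms'] and rec['tclass'] == 'file':
        # The log carries only the file name, so the path is left as a placeholder.
        msg += ("; execmod means a modified file mapping was made executable "
                "(text relocation). If the library is trusted, relabel it: "
                f"chcon -t textrel_shlib_t <path to {rec['name']}>")
    return msg

if __name__ == '__main__':
    print(explain(parse_avc(SAMPLE)))
```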