Citrix ICA Client vs. SELinux

Eric Brunson brunson at brunson.com
Mon Apr 3 18:53:28 UTC 2006


Daniel J Walsh wrote:
> Eric Brunson wrote:
>> Eric Brunson wrote:
>>> With the latest upgrade of the kernel (2.6.16-1.2080_FC5) my Citrix 
>>> client stopped working.  Booting into the previous kernel 
>>> (2.6.15-1.2054_FC5) will allow me to run it, but in the current 
>>> kernel on two machines it segfaults; on the machine I'm on now it 
>>> gives this error:
>>>
>>>    clotho(~)$ /usr/lib/ICAClient/wfica -icaroot /usr/lib/ICAClient 
>>> -nosplash -desc hemo1
>>>
>>>    Error: 75 (E_DYNLOAD_FAILED)
>>>
>>>    Please refer to the documentation.
>>>
>>>    Error loading dynamic module:
>>>
>>>     "/usr/lib/ICAClient/CHARICONV.DLL"
>>>
>>>    /usr/lib/ICAClient/CHARICONV.DLL: cannot restore segment prot 
>>> after reloc: Permission denied
>>>
>>>
>>> The "Permission denied" led me to try disabling selinux enforcement, 
>>> which allowed it to run again.  Is there enough information in the 
>>> message above for someone to speculate on a policy change that will 
>>> allow that dll to load?
>>>
>> chcon -t textrel_shlib_t /usr/lib/ICAClient/CHARICONV.DLL did the 
>> trick on that library, but now I get a popup that it can't find 
>> libctxssl.so, which is in the same directory, /usr/lib/ICAClient.  I 
>> tried adding "/usr/lib/ICAClient/" to the ld.so.conf and running 
>> ldconfig, but it still claims to be unable to find the .so file.  
>> Again, setenforce 0 allows the application to run properly, but 
>> setenforce 1 causes the failure, even though libctxssl.so shows up in 
>> ldconfig -p.
>> Is there something in SELinux policies that interferes with ld.so 
>> searching?  Google hasn't turned anything up yet, but I'm still looking.
>>
>> Thanks,
>> e.
>>
> Look for avc messages in /var/log/messages or 
> /var/log/audit/audit.log.  You might need to change textrel_shlib_t on 
> this file also.
>

Daniel, U da Man.  It's running perfectly now.

Though the message:

clotho kernel: audit(1144088654.838:25): avc:  denied  { execmod } for  
pid=3107 comm="wfica" name="libctxssl.so" dev=dm-0 ino=1053673 
scontext=user_u:system_r:unconfined_t:s0 
tcontext=system_u:object_r:lib_t:s0 tclass=file

leaves something to be desired, having no reference to textrel_shlib_t in 
it to dial you into what permission was denied.  :-)  Of course, that's 
to an untrained eye; those clueful in the ways of selinux may be able to 
get more out of it than I could.

You kick ass.

Thanks.
e.
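The denial quoted above is the general pattern behind ld.so's "cannot restore segment prot after reloc" error: the library carries text relocations (typically because it was not built as position-independent code), so ld.so must make a code page writable to patch it and then mprotect() it back to executable, and that write-then-execute transition on a private mapping is the `execmod` check, which the default `lib_t` type is not allowed. As an added example (not part of the original thread or of the Citrix client), the POSIX shell script below pulls `execmod` denials out of audit records and prints the relabel commands the thread arrived at by hand. The audit records in `SAMPLE_AVC` are constructed for the example (the third is a deliberate non-match), the `/usr/lib/ICAClient` directory and the assumption that every flagged library lives there are taken from the thread, and `semanage`/`restorecon` are assumed to be installed from policycoreutils.

```shell
#!/bin/sh
# Added example, not from the original thread: turn "avc: denied { execmod }"
# audit records into the relabel commands that give the offending shared
# libraries the textrel_shlib_t type. The records in SAMPLE_AVC are
# constructed for this example; the third one must not be flagged.

SAMPLE_AVC='type=AVC msg=audit(1144088654.838:25): avc:  denied  { execmod } for  pid=3107 comm="wfica" name="libctxssl.so" dev=dm-0 ino=1053673 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1144088600.100:20): avc:  denied  { execmod } for  pid=3107 comm="wfica" name="CHARICONV.DLL" dev=dm-0 ino=1053600 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1144088700.200:30): avc:  denied  { read } for  pid=3200 comm="httpd" name="index.html" dev=dm-0 ino=200 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file'

# Read audit records (audit.log or syslog format) on stdin; print, once each,
# the names of files that were denied execmod and are not already labelled
# textrel_shlib_t. Only tclass=file records are considered.
execmod_libs() {
    grep -E 'avc: +denied +\{ execmod \}' |
    grep 'tclass=file' |
    grep -v 'tcontext=[^ ]*:textrel_shlib_t:' |
    sed -n 's/.*name="\([^"]*\)".*/\1/p' |
    LC_ALL=C sort -u
}

# Read library names on stdin and print the one-off chcon command for each.
# ASSUMPTION: every flagged library lives in the directory given as $1
# (true for the ICA client, whose modules all sit in /usr/lib/ICAClient).
relabel_cmds() {
    libdir=$1
    while read -r lib; do
        printf 'chcon -t textrel_shlib_t %s/%s\n' "$libdir" "$lib"
    done
}

# Same input, but emit the persistent form: record the label in the local
# file-context database so a later relabel (restorecon, fixfiles) keeps it.
persist_cmds() {
    libdir=$1
    while read -r lib; do
        printf "semanage fcontext -a -t textrel_shlib_t '%s/%s'\n" "$libdir" "$lib"
        printf 'restorecon -v %s/%s\n' "$libdir" "$lib"
    done
}

# Stand-alone run: show what the sample denials call for.
printf '%s\n' "$SAMPLE_AVC" | execmod_libs | relabel_cmds /usr/lib/ICAClient
printf '%s\n' "$SAMPLE_AVC" | execmod_libs | persist_cmds /usr/lib/ICAClient
```

Feed it the real log with `grep avc /var/log/audit/audit.log | execmod_libs | relabel_cmds /usr/lib/ICAClient` and review the output before running it. The `chcon` form is what the thread used and is enough to get going, but it is lost on the next full relabel; `semanage fcontext` plus `restorecon` is the form that survives. The coarser fix, `setsebool -P allow_execmod 1`, lifts the restriction for every library on the box and is the wrong trade: labelling just the two Citrix modules keeps the execmod check in force everywhere else.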




More information about the users mailing list