Selinux attacks acroread again

Mike Carney mc-al34luc at sbcglobal.net
Thu Apr 13 18:19:37 UTC 2006 

Paul Smith wrote:

> On 4/13/06, Gérard Milmeister <gemi at bluewin.ch> wrote:
>> > > What errors does acroread still show?
>> >
>> > It fails to load some api plugins.
>> >
>> > Paul
>> Try the following:
>> /usr/sbin/semanage fcontext -a -t textrel_shlib_t
>> '/usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/.*\.so'
>>
>> followed by restorecon.
> 
> No progress after that.
> 
> Paul
> 

Unfortunately this sets the contexts for the symbolic links, not the
libraries the links point to. I added entries to the shared libraries
themselves, not the links, and acroread works: (note that I installed
in /opt, not /usr/local, so you'll have to adjust the following).

semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libACE.so.2.07
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libAGM.so.4.14
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libadobelinguistic.so.2.0.0
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libAXE16SharedExpat.so
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libAXE8SharedExpat.so
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libAXSLE.so
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libBIB.so.1.1
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libCoolType.so.5.01
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libResAccess.so.0.1
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libWRServices.so
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libaglcnv.so.28.0
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libagldata.so.28.0
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libagli18n.so.28.0
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libagluc.so.28.0
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libcrypto.so.0.9.6
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libcurl.so.2.0.2
semanage fcontext -a -t
textrel_shlib_t /opt/Adobe/Acrobat7.0/Reader/intellinux/lib/libssl.so.0.9.6

It's unfortunate that some *.so's are files, others are links, and some
libraries don't have a corresponding *.so link, making things rather
complicated regular-expression-wise. It would be nice if there was an
option to semanage that told it to follow the links and apply the
context to the link target, rather than the link itself.

More information about the users mailing list