selinux throwing incomprehensible errors when trying to run GoogleEarth
Daniel J Walsh
dwalsh at redhat.com
Mon Jul 26 15:40:09 UTC 2010
On 07/26/2010 08:25 AM, Claude Jones wrote:
> On Mon July 26 2010, Daniel J Walsh wrote:
>> On 07/26/2010 01:27 AM, Claude Jones wrote:
>>> It seems to be saying that the directory access requested
>>> requires labeling as usr_t, but its current type is usr_t --
>>> it requires usr_t but it's currently labeled usr_t -- there
>>> appears to be confusion here on the part of SELinux, no? I've
>>> tried applying the recommended fix, but the recommended fix
>>> just resets the labelling to what it already is, and I'm
>>> going round in circles
>>>
>>> Summary:
>>>
>>> SELinux is preventing /opt/google-earth/googleearth-bin "execmod" access to
>>> /opt/google-earth/libIGGfx.so.
>>>
>>> Detailed Description:
>>>
>>> SELinux denied access requested by /opt/google-earth/googleearth-bin.
>>> /opt/google-earth/googleearth-bin is mislabeled.
>>> /opt/google-earth/googleearth-bin default SELinux type is usr_t, but its current
>>> type is usr_t. Changing this file back to the default type, may fix your
>>> problem.
>>
>> Run
>>
>> restorecon -R -v /opt
>>
>> Should fix the labels.
>
> Thanks, Dan. That did something, and I got a little further, with
> the GoogleEarth splash screen displaying for the first time, but
> then it closed out, and the actual program never started, and I
> got another SeAlert message:
>
>
> Summary:
>
> SELinux is preventing /opt/google-earth/googleearth-bin "execmod" access to
> /opt/google-earth/libIGGfx.so.
>
> Detailed Description:
>
> SELinux denied access requested by /opt/google-earth/googleearth-bin.
> /opt/google-earth/googleearth-bin is mislabeled.
> /opt/google-earth/googleearth-bin default SELinux type is usr_t, but its current
> type is usr_t. Changing this file back to the default type, may fix your
> problem.
>
> If you believe this is a bug, please file a bug report against this package.
>
> Allowing Access:
>
> You can restore the default system context to this file by executing the
> restorecon command. restorecon '/opt/google-earth/googleearth-bin'.
>
> Fix Command:
>
> /sbin/restorecon '/opt/google-earth/googleearth-bin'
>
> Additional Information:
>
> Source Context       unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Context       unconfined_u:object_r:usr_t:s0
> Target Objects       /opt/google-earth/libIGGfx.so [ file ]
> Source               googleearth-bin
> Source Path          /opt/google-earth/googleearth-bin
> Port                 <Unknown>
> Host                 tehogee.localdomain
> Source RPM Packages
> Target RPM Packages
> Policy RPM           selinux-policy-3.7.19-39.fc13
> Selinux Enabled      True
> Policy Type          targeted
> Enforcing Mode       Enforcing
> Plugin Name          restore_source_context
> Host Name            tehogee.localdomain
> Platform             Linux tehogee.localdomain 2.6.33.6-147.fc13.x86_64 #1 SMP Tue Jul 6 22:32:17 UTC 2010 x86_64 x86_64
> Alert Count          8
> First Seen           Sun 25 Jul 2010 08:59:32 PM EDT
> Last Seen            Mon 26 Jul 2010 01:19:13 AM EDT
> Local ID             d0b51729-0e62-41e0-9c03-ff177cd4e671
> Line Numbers
>
> Raw Audit Messages
>
> node=tehogee.localdomain type=AVC msg=audit(1280121553.393:24981): avc: denied { execmod } for pid=21349 comm="googleearth-bin" path="/opt/google-earth/libIGGfx.so" dev=sdb3 ino=1313604 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:usr_t:s0 tclass=file
>
> node=tehogee.localdomain type=SYSCALL msg=audit(1280121553.393:24981): arch=40000003 syscall=125 success=no exit=-13 a0=8462000 a1=370000 a2=5 a3=ffb78460 items=0 ppid=18875 pid=21349 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=208 comm="googleearth-bin" exe="/opt/google-earth/googleearth-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
>
Easiest thing to do is turn off the check.
# setsebool -P allow_execmod 1
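
An added example, not part of the original message: a short Python script that pairs the AVC and SYSCALL records quoted in the alert by their audit event ID and decodes them, showing that the denied call is an mprotect() requesting read and execute on a mapping of libIGGfx.so. The function names and the two-entry syscall table are this example's own assumptions; the sample records are the ones from the alert, with the SYSCALL record cut to the fields used.

```python
import re

# The two raw audit records from the alert above, line wrapping undone and the
# SYSCALL record cut to the fields this example reads.
AVC = ('node=tehogee.localdomain type=AVC msg=audit(1280121553.393:24981): '
       'avc: denied { execmod } for pid=21349 comm="googleearth-bin" '
       'path="/opt/google-earth/libIGGfx.so" dev=sdb3 ino=1313604 '
       'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:usr_t:s0 tclass=file')
SYSCALL = ('type=SYSCALL msg=audit(1280121553.393:24981): arch=40000003 '
           'syscall=125 success=no exit=-13 a0=8462000 a1=370000 a2=5')

# (audit arch, syscall number) -> name; only the mprotect entries are listed.
SYSCALLS = {("40000003", 125): "mprotect",   # 32-bit x86
            ("c000003e", 10): "mprotect"}    # x86_64
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}


def fields(record):
    """Split an audit record into its key=value pairs."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}


def explain(avc, syscall):
    """Correlate an AVC denial with its SYSCALL record and decode both."""
    a, s = fields(avc), fields(syscall)
    if a["msg"] != s["msg"]:
        raise ValueError("records belong to different audit events")
    perms = re.search(r"\{ ([^}]*) \}", avc).group(1).split()
    name = SYSCALLS.get((s["arch"], int(s["syscall"])), "unknown")
    out = {"denied": perms, "path": a.get("path"),
           "source_type": a["scontext"].split(":")[2],
           "target_type": a["tcontext"].split(":")[2],
           "syscall": name, "succeeded": s["success"] == "yes"}
    if name == "mprotect":
        prot = int(s["a2"], 16)              # audit prints arguments in hex
        out["prot"] = [n for bit, n in PROT.items() if prot & bit]
        out["length"] = int(s["a1"], 16)     # bytes covered by the request
    return out


if __name__ == "__main__":
    for key, value in explain(AVC, SYSCALL).items():
        print(f"{key:12} {value}")
```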