SELinux
Kostas Sfakiotakis
kostassf at cha.forthnet.gr
Thu Jan 20 21:11:28 UTC 2011
On 20/01/2011 07:25 AM, Mark Eggers wrote:
< snip >
> My thought is that if you need to run some extended commands as root,
> open a shell and use the command line. You'll have all of your other
> tools available as a normal user.
>
> Here's an approach to fixing Adobe Acrobat. Your mileage may vary.
>
> Adobe Acrobat Reader comes with at least two libraries marked as
> stack executable.
>
> Here's how to find them:
>
> 1. Find where the files are
>
> rpm -q AdobeReader_enu-9.4.1-1.i486 --filesbypkg
>
> Your package is probably different since I run a 32 bit system, and
> you are running a 64 bit system.
[root@Orion ~]# rpm -qa | grep Reader
AdobeReader_enu-9.4.1-1.i486
Well, it seems that we are using the same package. For some reason, of which
I am not sure, it seems that I keep getting 32 bit and 64 bit packages.
> 2. cd to the directory (for me it's /opt/Adobe)
Same here
> 3. Run the following command (or something similar)
>
> find . -name \*.so -exec execstack -q {} \;
>
> This basically finds all the .so files (normally links to shared
> libraries), and queries the execstack state.
>
> The problem:
>
> You're looking for libraries that have execstack turned on. Here are
> some examples:
>
> X ./Reader9/Reader/intellinux/lib/libsccore.so
> X ./Reader9/Reader/intellinux/lib/libcrypto.so
I am trying to follow your example; I got two with X
and 1 with a question mark "?".
> The fix:
>
> 1. Find the actual file that these (potential) soft links are linked
> to:
>
> cd /opt/Adobe/Reader9/Reader/intellinux/lib
> ls -l libsccore.so
> -rwxr-xr-x. 1 root root 722824 Nov 8 05:48 libsccore.so
> ls -l libcrypto.so
> lrwxrwxrwx. 1 root root 14 Nov 30 17:05 libcrypto.so -> libcrypto.so.0
>
> This turns out to be another link:
>
> ls -l libcrypto.so.0
> lrwxrwxrwx. 1 root root 18 Nov 30 17:05 libcrypto.so.0 -> libcrypto.so.0.9.8
>
> 2. Change to root, and create a diary entry. You do document changes
> to your system, right?
>
> 01/19/2011 20:40
> cleared execstack /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
> cleared execstack /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
>
> 3. clear the execstack with:
>
> execstack -c /opt/Adobe/Reader9/Reader/intellinux/lib/libsccore.so
> execstack -c /opt/Adobe/Reader9/Reader/intellinux/lib/libcrypto.so.0.9.8
>
> 4. Exit root
>
> Now test the results. If there's a problem, then you'll have to
> revert the changes.
Cleared the execstack as suggested and Adobe Reader runs fine
as it was before, so no harm done here.
Thanks a lot for the detailed walkthrough.
> Report the Bug
Well, I was referred to a bugzilla report earlier on this thread, so
there seems to be already a bug about the fact. As far as I am concerned,
it seems that all I had to do was to upgrade to the latest selinux-policy.
So it would be logical to assume that it was the selinux policies messing
things around and not the other way around (SELinux policies changed, not
Acrobat Reader).
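
An added example, not part of the original thread and not code from the execstack tool: the X, - and ? that `execstack -q` prints reflect the library's PT_GNU_STACK program header, which this Python script reads directly while following symlinks to the real file as in step 1 of the fix. The function names `stack_marking` and `audit` are hypothetical.

```python
import os
import struct
import sys

PT_GNU_STACK = 0x6474E551  # program header that carries the stack permissions
PF_X = 0x1                 # execute bit in p_flags

def stack_marking(data):
    """Return 'X', '-' or '?' for an ELF image, the symbols `execstack -q` prints."""
    if data[:4] != b"\x7fELF" or len(data) < 6:
        raise ValueError("not an ELF file")
    end = {1: "<", 2: ">"}.get(data[5])
    if data[4] not in (1, 2) or end is None:
        raise ValueError("unknown ELF class or byte order")
    try:
        if data[4] == 2:   # ELF64: e_phoff at 0x20, p_flags is the 2nd word
            phoff, = struct.unpack_from(end + "Q", data, 0x20)
            entsize, num = struct.unpack_from(end + "HH", data, 0x36)
            flags_at = 4
        else:              # ELF32: e_phoff at 0x1C, p_flags is the 7th word
            phoff, = struct.unpack_from(end + "I", data, 0x1C)
            entsize, num = struct.unpack_from(end + "HH", data, 0x2A)
            flags_at = 24
        for i in range(num):
            base = phoff + i * entsize
            if struct.unpack_from(end + "I", data, base)[0] == PT_GNU_STACK:
                flags, = struct.unpack_from(end + "I", data, base + flags_at)
                return "X" if flags & PF_X else "-"
    except struct.error:
        raise ValueError("truncated ELF headers") from None
    return "?"             # no PT_GNU_STACK header: the marking is missing

def audit(root):
    """Map each real library file under root to its marking, following symlinks."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.endswith(".so") or ".so." in name):
                continue
            real = os.path.realpath(os.path.join(dirpath, name))
            if real in found or not os.path.isfile(real):
                continue
            try:
                with open(real, "rb") as fh:
                    found[real] = stack_marking(fh.read())
            except (OSError, ValueError):
                continue   # unreadable or not ELF (e.g. a linker script)
    return found

if __name__ == "__main__":
    for path, mark in sorted(audit(sys.argv[1] if len(sys.argv) > 1 else ".").items()):
        print(mark, path)
```

Each real file is reported once under its resolved path, which is the path to record in the change diary and pass to `execstack -c`.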