Tom Diehl wrote:
> On Thu, 27 Apr 2006, Paul Howarth wrote:
>> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
>>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
>>>> Hi,
>>>>
>>>> in Fedora Core 5 SELinux blocks execution of the CISCO vpnclient, as well
>>>> as acroread:
>>>>
>>>> [klaus.steinberger@noname ~]$ acroread
>>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
>>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
>>>> cannot restore segment prot after reloc: Permission denied
>>>> [klaus.steinberger@noname ~]$
>>>
>>> After some googling I found the following advice that worked for me to enable
>>> acroread again:
>>>
>>> 1. Start "System" > "Administration" > "Security Level and Firewall"
>>> 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
>>> 3. Tick the check box next to "Allow the use of shared libraries with Text
>>>    Relocation".
>>
>> A better fix is to label the acroread files correctly, which only
>> "opens" the protection for acroread and not every process on the system:
>>
>> I believe you need:
>>
>> # chcon -t textrel_shlib_t \
>>     /usr/lib/acroread/Reader/intellinux/lib/*.so \
>>     /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
>>     /usr/lib/acroread/Reader/intellinux/plug_ins/*.api
>
> If I relabel as suggested above, what happens the next time the filesystem
> is relabeled? If, as I suspect, they get relabeled back to the previous settings,
> what is the correct way to make the changes permanent?

It can be done using semanage to add new file context objects. However,
I believe the required entries are *supposed* to be in the main policy
package:

# semanage fcontext -l | grep -Ei 'adobe|intellinux'
/usr/(local/)?Adobe/.*\.api  regular file  system_u:object_r:texrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*  regular file  system_u:object_r:texrel_shlib_t:s0
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl  regular file  system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so  regular file  system_u:object_r:texrel_shlib_t:s0

# rpm -q selinux-policy
selinux-policy-2.2.34-3.fc5

If you have the latest policy and "restorecon -vR /path/to/acroread"
doesn't set the right context, raise it here and mention which files
aren't getting set to textrel_shlib_t. Hopefully it will get fixed so
that this issue stops cropping up on fedora-list every day like it seems
to at the moment.

Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
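
Added example, not part of the thread or of the policy package: a shell check of which acroread paths the four file-context patterns in the listing above would label, printing (without running) a `semanage fcontext -a` rule for each path they miss. The sample paths are constructed from the directories in the chcon command, `Example.api` and the `/usr/local/Adobe/...` path are hypothetical, and any policy entries not shown by that grep are not considered.

```shell
#!/bin/sh
# Patterns and types copied from the semanage listing in the message above.
# Only those four entries are modelled; rule precedence is not.
POLICY='/usr/(local/)?Adobe/.*\.api texrel_shlib_t
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* texrel_shlib_t
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl textrel_shlib_t
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so texrel_shlib_t'

# Print the type the listed patterns give path $1; non-zero status if none.
# File-context patterns must match the whole path, hence grep -x.
policy_type() {
    printf '%s\n' "$POLICY" | while read -r pattern setype; do
        if printf '%s\n' "$1" | grep -Eqx -- "$pattern"; then
            printf '%s\n' "$setype"
            break
        fi
    done | grep .
}

# Report coverage per path. For an uncovered path, print (never run) the
# semanage command that records a persistent rule, with dots escaped
# because the path argument is itself a regular expression.
report() {
    for path in "$@"; do
        if ctx=$(policy_type "$path"); then
            printf 'covered    %s -> %s\n' "$path" "$ctx"
        else
            rule=$(printf '%s' "$path" | sed 's/\./\\./g')
            printf 'uncovered  %s\n' "$path"
            printf "  semanage fcontext -a -t textrel_shlib_t '%s'\n" "$rule"
        fi
    done
}

# Constructed sample paths (see the lead-in for which names are hypothetical).
report \
    /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so \
    /usr/lib/acroread/Reader/intellinux/SPPlugins/ADMPlugin.apl \
    /usr/lib/acroread/Reader/intellinux/plug_ins/Example.api \
    /usr/local/Adobe/Reader/intellinux/lib/libJP2K.so
```

Once a rule has been added with semanage, "restorecon -vR /path/to/acroread" applies it, and the label then survives a filesystem relabel, unlike a bare chcon.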