Re: FC5: Problem with acroread and CISCO VPN

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Stephan Groß wrote:

On Thursday 27 April 2006 09:50, Paul Howarth wrote:


in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as
well as acroread:

[klaus.steinberger@noname ~]$ acroread
/usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
cannot restore segment prot after reloc: Permission denied
[klaus.steinberger@noname ~]$

after some googling I found following advice that worked for me to enable
acroread again:

1. Start "System" > "Administration" > "Security Level and Firewall"
2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
3. Tick the check box next to "Allow the use of shared libraries with
Text Relocation".

A better fix is to label the acroread files correctly, which only
"opens" the protection for acroread and not every process on the system:

I believe you need:
# chcon -t textrel_shlib_t \
	/usr/lib/acroread/Reader/intellinux/lib/*.so \
	/usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
	/usr/lib/acroread/Reader/intellinux/plug_ins/*.api
I have checked that. As I am using the original RPM packets provided by Adobe the files are located in /usr/local/Adobe/Acrobat7.0/Reader/intellinux and a 

chcon -t textrel_shlib_t \
	/usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/*.so
seems to be sufficient to run acroread and also use the plugin in Firefox. BTW, what are SPPlugins and plug_ins for?
Dunno; I don't use it myself (evince is fine for my needs) and I picked up the need to fix the two sets of plugins from various posts on fedora-list.
However, thank you Paul for providing this more customized solution. I assume, that I only have to change the type context of the libraries distributed with the Cisco VPN client accordingly to run it with a "fully" enabled selinux. 

Probably, yes.
If that works, please provide details of what needed to be changed so that it can make it into the Core policy. 

Paul.


--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
[Index of Archives]     [Fedora Users]     [Fedora Desktop]     [Big List of Linux Books]     [Yosemite News]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux