On Thu, 2006-04-27 at 20:43 +0200, Stephan Groß wrote:
> On Thursday 27 April 2006 16:43, Paul Howarth wrote:
> > Tom Diehl wrote:
> > > On Thu, 27 Apr 2006, Paul Howarth wrote:
> > >> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
> > >>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
> > >>>
> > >>> Hi,
> > >>>
> > >>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as
> > >>>> well as acroread:
> > >>>>
> > >>>> [klaus.steinberger@noname ~]$ acroread
> > >>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
> > >>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
> > >>>> cannot restore segment prot after reloc: Permission denied
> > >>>> [klaus.steinberger@noname ~]$
> > >>>
> > >>> after some googling I found following advice that worked for me to
> > >>> enable acroread again:
> > >>>
> > >>> 1. Start "System" > "Administration" > "Security Level and Firewall"
> > >>> 2. On the "SELinux" tab click on "Modify SELinux Policy >
> > >>> Compatibility"
> > >>> 3. Tick the check box next to "Allow the use of shared
> > >>> libraries with Text Relocation".
> > >>
> > >> A better fix is to label the acroread files correctly, which only
> > >> "opens" the protection for acroread and not every process on the system:
> > >>
> > >> I believe you need:
> > >> # chcon -t textrel_shlib_t \
> > >> /usr/lib/acroread/Reader/intellinux/lib/*.so \
> > >> /usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
> > >> /usr/lib/acroread/Reader/intellinux/plug_ins/*.api
> > >
> > > If I relabel as suggested above, what happens the next time the
> > > filesystem is relabeled. If as I suspect they get relabeled back to the
> > > previous settings, what is the correct way to make the changes permanent?
> >
> > It can be done using semanage to add new file context objects. However,
> > I believe the required entries are *supposed* to be in the main policy
> > package:
> >
> > # semanage fcontext -l | grep -Ei 'adobe|intellinux'
> > /usr/(local/)?Adobe/.*\.api regular file
> > system_u:object_r:texrel_shlib_t:s0
> > /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* regular file
> > system_u:object_r:texrel_shlib_t:s0
> > /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl regular file
> > system_u:object_r:textrel_shlib_t:s0
> > /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so regular file
> > system_u:object_r:texrel_shlib_t:s0
> > # rpm -q selinux-policy
> > selinux-policy-2.2.34-3.fc5
> >
> > If you have the latest policy and "restorecon -vR /path/to/acroread"
> > doesn't set the right context, raise it here and mention which files
> > aren't getting set to textrel_shlib_t. Hopefully it will get fixed so
> > that this issue stops cropping up on fedora-list every day like it seems
> > to at the moment.
>
> I have the above mentioned selinux-policy-2.2.34-3.fc5 installed. However, a
> "restorecon -vR /usr/local/Adobe" results in
>
> "/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> specifications for /opt (system_u:object_r:home_root_t and
> system_u:object_r:usr_t).
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
> specifications for /opt (system_u:object_r:home_root_t and
> system_u:object_r:usr_t)."

Have you moved root's home directory from /root to somewhere under /opt?

> and no file contexts changed. I am clueless about the details of selinux. Is
> this a bug in the policy script or might this be a failure in my
> installation. Don't know if it matters but I upgraded from FC4.

I've upgraded too; it shouldn't matter.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
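
Added example, not part of the thread and not code from the SELinux tools: a shell function that scans a file_contexts-style file for the condition restorecon reports above, where one path specification is mapped to different contexts. The function names, the simplified matching rule (identical regex and file-type field) and the sample entries are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list path specifications in a file_contexts-style file that
# are mapped to more than one distinct security context.
# Assumption: each entry is "regex [file-type] context"; two entries count as
# the same specification only when regex and file-type field match exactly.

find_conflicting_specs() {
    # Reads the file named in $1, or stdin when called without arguments.
    awk '
        /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
        NF < 2         { next }                  # not a usable entry
        {
            key = (NF >= 3) ? $1 " " $2 : $1     # regex plus optional file type
            ctx = $NF                            # context is the last field
            if ((key, ctx) in seen) next         # exact duplicate, no conflict
            seen[key, ctx] = 1
            if (!(key in ctxs)) { order[++n] = key; ctxs[key] = ctx }
            else                { ctxs[key] = ctxs[key] " and " ctx; multi[key] = 1 }
        }
        END {
            # Report in first-seen order so the output is stable.
            for (i = 1; i <= n; i++)
                if (order[i] in multi)
                    printf "%s: %s\n", order[i], ctxs[order[i]]
        }
    ' "$@"
}

# Constructed sample entries (not copied from a real system). The two /opt
# directory entries reproduce the kind of clash quoted in the thread.
sample_file_contexts() {
    cat <<'EOF'
# constructed sample
/opt    -d    system_u:object_r:usr_t
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl    --    system_u:object_r:textrel_shlib_t:s0
/opt/.*    system_u:object_r:usr_t
/opt    -d    system_u:object_r:home_root_t
/opt/.*    system_u:object_r:usr_t
EOF
}

sample_file_contexts | find_conflicting_specs
```

On a real system the function can be pointed at the file named in the error message, for example `find_conflicting_specs /etc/selinux/targeted/contexts/files/file_contexts`.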