Re: FC5: Problem with acroread and CISCO VPN

Stephan Groß wrote:
On Friday 28 April 2006 08:36, Paul Howarth wrote:
On Thu, 2006-04-27 at 20:43 +0200, Stephan Groß wrote:
On Thursday 27 April 2006 16:43, Paul Howarth wrote:
Tom Diehl wrote:
On Thu, 27 Apr 2006, Paul Howarth wrote:
On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:

Hi,

in Fedora Core 5 selinux blocks execution of the CISCO vpnclient,
as well as acroread:

[klaus.steinberger@noname ~]$ acroread
/usr/lib/acroread/Reader/intellinux/bin/acroread: error while
loading shared libraries:
/usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: cannot restore
segment prot after reloc: Permission denied
[klaus.steinberger@noname ~]$

After some googling I found the following advice that worked for me to
enable acroread again:

1. Start "System" > "Administration" > "Security Level and Firewall"
2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
3. Tick the check box next to "Allow the use of shared libraries with
   Text Relocation".

A better fix is to label the acroread files correctly, which only
"opens" the protection for acroread and not every process on the
system:

I believe you need:
# chcon -t textrel_shlib_t \
	/usr/lib/acroread/Reader/intellinux/lib/*.so \
	/usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
	/usr/lib/acroread/Reader/intellinux/plug_ins/*.api

If I relabel as suggested above, what happens the next time the
filesystem is relabeled? If, as I suspect, they get relabeled back to
the previous settings, what is the correct way to make the changes
permanent?

It can be done using semanage to add new file context objects. However,
I believe the required entries are *supposed* to be in the main policy
package:

# semanage fcontext -l | grep -Ei 'adobe|intellinux'
/usr/(local/)?Adobe/.*\.api                        regular file  system_u:object_r:texrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*  regular file  system_u:object_r:texrel_shlib_t:s0
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl     regular file  system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so     regular file  system_u:object_r:texrel_shlib_t:s0
# rpm -q selinux-policy
selinux-policy-2.2.34-3.fc5

If you have the latest policy and "restorecon -vR /path/to/acroread"
doesn't set the right context, raise it here and mention which files
aren't getting set to textrel_shlib_t. Hopefully it will get fixed so
that this issue stops cropping up on fedora-list every day like it
seems to at the moment.

I have the above mentioned selinux-policy-2.2.34-3.fc5 installed.
However, a "restorecon -vR /usr/local/Adobe" results in

"/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /opt  (system_u:object_r:home_root_t and
system_u:object_r:usr_t).
/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
specifications for /opt  (system_u:object_r:home_root_t and
system_u:object_r:usr_t)."

Have you moved root's home directory from /root to somewhere under /opt?

No, it's still in /root. I only have the Brockhaus Multimedia Encyclopedia (the German answer to MS Encarta) installed that registers a user bmm having its home directory in /opt/bmm. However, I just checked that /opt is of type home_root_t and all of its subdirectories are of type user_home_dir_t. Should I change any of these settings?

Moving its home directory to somewhere under /home might help.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
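
The two problems in this thread, checked offline: which acroread paths the policy's file-context patterns would leave without textrel_shlib_t, and which path regexes carry two different contexts (the "Multiple different specifications" error). This Python script is an added example, not code from the thread or from the SELinux project; the spec lines are constructed in file_contexts style after the output quoted above, the /usr/local/Adobe path is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in file_contexts style (regex, then context), modelled on
# the semanage output and the restorecon error quoted in the thread.
SPECS = r"""
/usr/(local/)?Adobe/.*\.api                        system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*  system_u:object_r:textrel_shlib_t:s0
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl     system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so     system_u:object_r:textrel_shlib_t:s0
/opt                                               system_u:object_r:usr_t
/opt                                               system_u:object_r:home_root_t
"""

def parse_specs(text):
    """Return (regex, context) pairs; the last whitespace-separated field is the context."""
    specs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and not line.lstrip().startswith("#"):
            specs.append((fields[0], fields[-1]))
    return specs

def conflicts(specs):
    """Regexes that appear more than once with different contexts."""
    seen = defaultdict(set)
    for regex, ctx in specs:
        seen[regex].add(ctx)
    return {r: sorted(c) for r, c in seen.items() if len(c) > 1}

def matching_contexts(specs, path):
    """Contexts of every spec whose regex matches the whole path.
    Simplified model: libselinux additionally orders specs to pick one winner."""
    return [ctx for regex, ctx in specs if re.fullmatch(regex, path)]

def unlabeled(specs, paths, wanted="textrel_shlib_t"):
    """Paths that no spec would label with the wanted type."""
    return [p for p in paths
            if not any(wanted in c for c in matching_contexts(specs, p))]

if __name__ == "__main__":
    specs = parse_specs(SPECS)
    print(conflicts(specs))
    print(unlabeled(specs, [
        "/usr/lib/acroread/Reader/intellinux/lib/libJP2K.so",
        "/usr/lib/acroread/Reader/intellinux/SPPlugins/ADMPlugin.apl",
        "/usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so",
    ]))
```

A path reported by `unlabeled` is one that restorecon would not set to textrel_shlib_t from these patterns, so it is a candidate for a local file-context entry added with semanage, as mentioned in the thread.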
