I am running on FC4 and I installed Cisco VPN client software, however when I run vpnclient I am getting the error message:
"vpnclient: error while loading shared libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot after reloc: Permission denied"
Friendly neighbourhood Paul Howarth correctly guessed it to be related to SELinux.
I am able to run the vpnclient by disabling the SELinux using
setenforce 0
The chcon command did not work (apparently it is not supposed to work in FC4).
I get an error message "type=AVC msg=audit(1147460693.437:11955217): avc: denied { execmod }"
if I disable SELinux and run the vpnclient command.
> Paul Howarth wrote :
> > The memory checks are present in FC4 but disabled by default. It
> > appears
> > that they have somehow been enabled on your system. This should fix
> > it:
> > # setsebool -P allow_execmod 1
>
> I gave this command and it still does not work with
> SELinux. So I dug a little bit and gave the command
> # getsebool -a | less
> and I got a long output of which I took the ones that might
> make sense to you -
> allow_execmem --> active
> allow_execmod --> active
> allow_execstack --> active
> allow_kerberos --> active
> allow_write_xshm --> active
> allow_ypbind --> active
> > There's something very weird going on there. allow_execmod should do
> > what it says. I'd try asking about this on fedora-selinux-list,
setsebool with execmod is not working either.
I have attached the relevant files as well. Any ideas ?
This should give you an idea of the SELinux version
> selinux-doc-1.19.5-1.noarch.rpm
> selinux-policy-strict-1.23.16-6.noarch.rpm
> selinux-policy-targeted-1.23.16-6.noarch.rpm
Thanks
Newbie Yukku
type=SYSCALL msg=audit(1147715609.949:3621791): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bfc7b7b8 a2=1 a3=bfc7b7b8 items=0 pid=4330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="setenforce" exe="/usr/sbin/setenforce"
type=AVC msg=audit(1147715609.949:3621791): avc: granted { setenforce } for pid=4330 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
type=AVC_PATH msg=audit(1147715612.195:3634219): path="/opt/cisco-vpnclient/lib/libvpnapi.so"
type=SYSCALL msg=audit(1147715612.195:3634219): arch=40000003 syscall=125 per=400000 success=yes exit=0 a0=9be000 a1=41000 a2=5 a3=bfd74540 items=0 pid=4332 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="vpnclient" exe="/opt/cisco-vpnclient/bin/vpnclient"
type=AVC msg=audit(1147715612.195:3634219): avc: denied { execmod } for pid=4332 comm="vpnclient" name=libvpnapi.so dev=hda3 ino=32474 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 19
Policy from config file:        targeted

Policy booleans:
NetworkManager_disable_trans    inactive
allow_execmem                   active
allow_execmod                   active
allow_execstack                 active
allow_kerberos                  active
allow_write_xshm                inactive
allow_ypbind                    inactive
apmd_disable_trans              inactive
arpwatch_disable_trans          inactive
auditd_disable_trans            inactive
bluetooth_disable_trans         inactive
canna_disable_trans             inactive
cardmgr_disable_trans           inactive
comsat_disable_trans            inactive
cupsd_config_disable_trans      inactive
cupsd_disable_trans             inactive
cvs_disable_trans               inactive
cyrus_disable_trans             inactive
dbskkd_disable_trans            inactive
dhcpc_disable_trans             inactive
dhcpd_disable_trans             inactive
dovecot_disable_trans           inactive
fingerd_disable_trans           inactive
ftp_home_dir                    active
ftpd_disable_trans              inactive
ftpd_is_daemon                  active
hald_disable_trans              inactive
hotplug_disable_trans           inactive
howl_disable_trans              inactive
httpd_builtin_scripting         active
httpd_can_network_connect       inactive
httpd_disable_trans             inactive
httpd_enable_cgi                active
httpd_enable_homedirs           active
httpd_ssi_exec                  active
httpd_suexec_disable_trans      inactive
httpd_tty_comm                  inactive
httpd_unified                   active
i18n_input_disable_trans        inactive
inetd_child_disable_trans       inactive
inetd_disable_trans             inactive
innd_disable_trans              inactive
kadmind_disable_trans           inactive
klogd_disable_trans             inactive
krb5kdc_disable_trans           inactive
ktalkd_disable_trans            inactive
lpd_disable_trans               inactive
mysqld_disable_trans            inactive
named_disable_trans             inactive
named_write_master_zones        inactive
nfs_export_all_ro               active
nfs_export_all_rw               active
nmbd_disable_trans              inactive
nscd_disable_trans              inactive
ntpd_disable_trans              inactive
portmap_disable_trans           inactive
postgresql_disable_trans        inactive
pppd_disable_trans              inactive
pppd_for_user                   inactive
privoxy_disable_trans           inactive
ptal_disable_trans              inactive
radiusd_disable_trans           inactive
radvd_disable_trans             inactive
read_default_t                  active
rlogind_disable_trans           inactive
rsync_disable_trans             inactive
samba_enable_home_dirs          inactive
saslauthd_disable_trans         inactive
slapd_disable_trans             inactive
smbd_disable_trans              inactive
snmpd_disable_trans             inactive
squid_connect_any               inactive
squid_disable_trans             inactive
stunnel_disable_trans           inactive
stunnel_is_daemon               inactive
syslogd_disable_trans           inactive
system_dbusd_disable_trans      inactive
telnetd_disable_trans           inactive
tftpd_disable_trans             inactive
udev_disable_trans              inactive
use_nfs_home_dirs               inactive
use_samba_home_dirs             inactive
uucpd_disable_trans             inactive
winbind_disable_trans           inactive
ypbind_disable_trans            inactive
ypserv_disable_trans            inactive
zebra_disable_trans             inactive
-- fedora-selinux-list mailing list fedora-selinux-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-selinux-list
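The attached audit log interleaves SYSCALL, AVC and AVC_PATH records that share one audit serial, and pulling the denial, the library path and the triggering syscall together is what makes the execmod denial readable. This is an added example, not code from the thread: it correlates the records by serial and summarises each denied AVC; the sample log is copied from the attachment above, and the i386 syscall-number map is an assumption limited to the two numbers that appear there.

```python
import re
from collections import defaultdict

# Audit records copied from the thread above, one per line (the original
# attachment ran them together).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1147715609.949:3621791): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bfc7b7b8 a2=1 a3=bfc7b7b8 items=0 pid=4330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="setenforce" exe="/usr/sbin/setenforce"
type=AVC msg=audit(1147715609.949:3621791): avc: granted { setenforce } for pid=4330 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
type=AVC_PATH msg=audit(1147715612.195:3634219): path="/opt/cisco-vpnclient/lib/libvpnapi.so"
type=SYSCALL msg=audit(1147715612.195:3634219): arch=40000003 syscall=125 per=400000 success=yes exit=0 a0=9be000 a1=41000 a2=5 a3=bfd74540 items=0 pid=4332 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="vpnclient" exe="/opt/cisco-vpnclient/bin/vpnclient"
type=AVC msg=audit(1147715612.195:3634219): avc: denied { execmod } for pid=4332 comm="vpnclient" name=libvpnapi.so dev=hda3 ino=32474 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
AVC = re.compile(r'avc:\s+(granted|denied)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)')
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
I386_SYSCALLS = {4: "write", 125: "mprotect"}  # assumption: arch=40000003 (i386) only

def parse_fields(body):
    return {k: v.strip('"') for k, v in KV.findall(body)}

def parse_audit(text):
    """Group records by audit serial so the SYSCALL, AVC and AVC_PATH lines of one event line up."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # not an audit record
        rtype, ts, serial, body = m.groups()
        rec = {'type': rtype, 'time': float(ts)}
        a = AVC.match(body) if rtype == 'AVC' else None
        if a:  # "avc: denied { execmod } for pid=... comm=..." has its own prefix
            rec['result'], rec['perms'] = a.group(1), a.group(2).split()
            rec.update(parse_fields(a.group(3)))
        else:
            rec.update(parse_fields(body))
        events[int(serial)].append(rec)
    return events

def find_denials(text):
    """One summary per denied AVC, enriched with the exe, syscall and path of the same event."""
    out = []
    for serial, recs in sorted(parse_audit(text).items()):
        by_type = {r['type']: r for r in recs}
        sc = by_type.get('SYSCALL', {})
        nr = int(sc.get('syscall', -1))
        name = I386_SYSCALLS.get(nr, str(nr)) if sc.get('arch') == '40000003' else str(nr)
        for r in recs:
            if r['type'] != 'AVC' or r.get('result') != 'denied':
                continue
            out.append({'serial': serial, 'perms': r['perms'], 'comm': r.get('comm'),
                        'exe': sc.get('exe'), 'syscall': name,
                        'path': by_type.get('AVC_PATH', {}).get('path'),
                        'scontext': r.get('scontext'), 'tcontext': r.get('tcontext'),
                        'tclass': r.get('tclass')})
    return out

if __name__ == '__main__':
    for d in find_denials(SAMPLE_LOG):
        print(d)
```

The summary shows the denial is an mprotect() on a library labelled usr_t, which is the text-relocation case the execmod permission covers; the granted setenforce record is correctly ignored.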