Antonio Olivares wrote:
> Dear all,
>
> I have successfully updated the machine I asked help to update for which advice was quickly given and resolved. However, after updating I find the following problems:
>
> 1) wine does not work. Is it because of selinux? dmesg does not show this :(
>
> [olivares@localhost ~]$ wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe &
> [1] 3004
> [olivares@localhost ~]$ bash: /usr/bin/wine: Permission denied
>
> [1]+ Exit 126 wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe
> [olivares@localhost ~]$ wine --help
> bash: /usr/bin/wine: Permission denied
> [olivares@localhost ~]$ wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe &
> [1] 3007
> [olivares@localhost ~]$ bash: /usr/bin/wine: Permission denied
>
> [1]+ Exit 126 wine ~/.wine/drive_c/Program\ Files/Orbis\ Software/Easy\ Grade\ Pro/Egp.exe
> [olivares@localhost ~]$ rpm -qa wine*
> wine-capi-0.9.43-2.fc8
> wine-twain-0.9.43-2.fc8
> wine-nas-0.9.43-2.fc8
> wine-jack-0.9.43-2.fc8
> wine-0.9.43-2.fc8
> wine-cms-0.9.43-2.fc8
> wine-tools-0.9.43-2.fc8
> wine-core-0.9.43-2.fc8
> wine-esd-0.9.43-2.fc8
> wine-ldap-0.9.43-2.fc8

Is your audit running? If yes, all AVCs will be there, so are there any messages when wine is denied, except "permission denied"?

>
>
> 2) texlive install was almost successful all the way except for tetex-xdvi no equivalent texlive package. I am surprised that f8 test 1 still had tetex instead of texlive, but here I installed it using the instructions on the Wiki.
>
> [root@localhost Downloads]# yum install texlive texlive-latex
> Setting up Install Process
> Parsing package install arguments
> development 100% |=========================| 2.1 kB 00:00
> primary.sqlite.bz2 100% |=========================| 4.2 MB 00:03
> texlive 100% |=========================| 951 B 00:00
> primary.xml.gz 100% |=========================| 7.2 kB 00:00
> texlive : ################################################## 23/23
> Resolving Dependencies
> --> Running transaction check
> ---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
> --> Processing Dependency: texlive-texmf = 2007 for package: texlive
> --> Processing Dependency: libt1.so.5 for package: texlive
> --> Processing Dependency: libTECkit.so.0 for package: texlive
> --> Processing Dependency: texlive-texmf-errata = 2007 for package: texlive-latex
> --> Processing Dependency: texlive-dvips = 2007 for package: texlive-latex
> --> Processing Dependency: texlive-texmf-latex = 2007 for package: texlive-latex
> --> Processing Dependency: texlive-texmf-errata = 2007 for package: texlive
> --> Processing Dependency: texlive-fonts = 2007-0.10.fc7 for package: texlive
> --> Processing Dependency: libkpathsea.so.4 for package: texlive
> --> Restarting Dependency Resolution with new changes.
> --> Running transaction check
> ---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package t1lib.i386 0:5.1.1-1.fc8 set to be updated
> ---> Package teckit.i386 0:2.2.1-1.fc8 set to be updated
> ---> Package kpathsea.i386 0:2007-0.10.fc7 set to be updated
> --> Processing Dependency: texlive-texmf-fonts >= 2007 for package: texlive-fonts
> --> Processing Dependency: texlive-texmf-errata-latex = 2007 for package: texlive-texmf-latex
> --> Processing Dependency: texlive-texmf-common = 2007 for package: texlive-texmf-latex
> --> Processing Dependency: texlive-texmf-dvips = 2007 for package: texlive-dvips
> --> Restarting Dependency Resolution with new changes.
> --> Running transaction check
> ---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-common.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
> --> Processing Dependency: texlive-texmf-errata-common = 2007-0.9.fc7 for package: texlive-texmf-errata-latex
> --> Processing Dependency: texlive-texmf-errata-fonts = 2007 for package: texlive-texmf-fonts
> --> Processing Dependency: texlive-texmf-errata-dvips = 2007 for package: texlive-texmf-dvips
> --> Restarting Dependency Resolution with new changes.
> --> Running transaction check
> ---> Package texlive-texmf-errata-common.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-errata-fonts.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-errata-dvips.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
>
> Dependencies Resolved
>
> =============================================================================
> Package Arch Version Repository Size
> =============================================================================
> Installing:
> texlive i386 2007-0.10.fc7 texlive 5.8 M
> texlive-latex i386 2007-0.10.fc7 texlive 74 k
> Installing for dependencies:
> kpathsea i386 2007-0.10.fc7 texlive 148 k
> t1lib i386 5.1.1-1.fc8 development 316 k
> teckit i386 2.2.1-1.fc8 development 322 k
> texlive-dvips i386 2007-0.10.fc7 texlive 176 k
> texlive-fonts i386 2007-0.10.fc7 texlive 509 k
> texlive-texmf noarch 2007-0.10.fc7 texlive 8.2 M
> texlive-texmf-common noarch 2007-0.10.fc7 texlive 7.4 k
> texlive-texmf-dvips noarch 2007-0.10.fc7 texlive 826 k
> texlive-texmf-errata noarch 2007-0.9.fc7 texlive 3.3 k
> texlive-texmf-errata-common noarch 2007-0.9.fc7 texlive 3.4 k
> texlive-texmf-errata-dvips noarch 2007-0.9.fc7 texlive 3.3 k
> texlive-texmf-errata-fonts noarch 2007-0.9.fc7 texlive 3.2 k
> texlive-texmf-errata-latex noarch 2007-0.9.fc7 texlive 3.3 k
> texlive-texmf-fonts noarch 2007-0.10.fc7 texlive 55 M
> texlive-texmf-latex noarch 2007-0.10.fc7 texlive 3.1 M
>
> Transaction Summary
> =============================================================================
> Install 17 Package(s)
> Update 0 Package(s)
> Remove 0 Package(s)
>
> Total download size: 74 M
> Is this ok [y/N]: y
> Downloading Packages:
> (1/17): kpathsea-2007-0.1 100% |=========================| 148 kB 00:00
> (2/17): teckit-2.2.1-1.fc 100% |=========================| 322 kB 00:00
> (3/17): texlive-texmf-dvi 100% |=========================| 826 kB 00:00
> (4/17): texlive-texmf-err 100% |=========================| 3.3 kB 00:00
> (5/17): t1lib-5.1.1-1.fc8 100% |=========================| 316 kB 00:00
> (6/17): texlive-texmf-com 100% |=========================| 7.4 kB 00:00
> (7/17): texlive-texmf-200 100% |=========================| 8.2 MB 00:05
> (8/17): texlive-texmf-err 100% |=========================| 3.3 kB 00:00
> (9/17): texlive-texmf-err 100% |=========================| 3.3 kB 00:00
> (10/17): texlive-latex-20 100% |=========================| 74 kB 00:00
> (11/17): texlive-texmf-fo 100% |=========================| 55 MB 00:37
> (12/17): texlive-texmf-er 100% |=========================| 3.2 kB 00:00
> (13/17): texlive-2007-0.1 100% |=========================| 5.8 MB 00:04
> (14/17): texlive-dvips-20 100% |=========================| 176 kB 00:00
> (15/17): texlive-fonts-20 100% |=========================| 509 kB 00:00
> (16/17): texlive-texmf-er 100% |=========================| 3.4 kB 00:00
> (17/17): texlive-texmf-la 100% |=========================| 3.1 MB 00:02
> Running rpm_check_debug
> --> Populating transaction set with selected packages. Please wait.
> ---> Package texlive-texmf-latex.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata-common.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-fonts.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-dvips.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata-fonts.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-fonts.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-latex.i386 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-errata.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-errata-latex.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package texlive-texmf-common.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package t1lib.i386 0:5.1.1-1.fc8 set to be updated
> ---> Package texlive-texmf-errata-dvips.noarch 0:2007-0.9.fc7 set to be updated
> ---> Package texlive-texmf-dvips.noarch 0:2007-0.10.fc7 set to be updated
> ---> Package teckit.i386 0:2.2.1-1.fc8 set to be updated
> ---> Package kpathsea.i386 0:2007-0.10.fc7 set to be updated
> ERROR with rpm_check_debug vs depsolve:
> Package tetex-xdvi needs tetex-dvips = 3.0, this is not available.
> Complete!
>
>
> and selinux is causing too much trouble. Here's an example: Sorry for all the text in the selinux alert.
>
> Summary
> SELinux is preventing /usr/lib/firefox-2.0.0.6/firefox-bin from making the
> program stack executable.
>
> Detailed Description
> The /usr/lib/firefox-2.0.0.6/firefox-bin application attempted to make the
> its stack executable. This is a potential security problem.
> This should never ever be necessary. stack memory is not executable on most OSes these
> days and this will not change. Executable stack memory is one of the biggest
> security problems. An execstack error might in fact be most likely raised by
> malicious code. Applications are sometimes coded incorrectly and request
> this permission. The http://people.redhat.com/drepper/selinux-mem.html web
> page explains how to remove this requirement. If /usr/lib/firefox-2.0.0.6
> /firefox-bin does not work and you need it to work, you can configure
> SELinux temporarily to allow this access until the application is fixed.
> Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
> package.
>
> Allowing Access
> Sometimes a library is accidentally marked with the execstack flag, if you
> find a library with this flag you can clear it with the execstack -c
> LIBRARY_PATH. Then retry your application. If the app continues to not
> work, you can turn the flack back on with execstac -s LIBRARY_PATH.
> Otherwise, if you trust /usr/lib/firefox-2.0.0.6/firefox-bin to run
> correctly, you can change the context of the executable to
> unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
> /usr/lib/firefox-2.0.0.6/firefox-bin" You must also change the default file
> context files on the system in order to preserve them even on a full
> relabel. "semanage fcontext -a -t unconfined_execmem_exec_t
> /usr/lib/firefox-2.0.0.6/firefox-bin"
>
> The following command will allow this access:
> chcon -t unconfined_execmem_exec_t /usr/lib/firefox-2.0.0.6/firefox-bin
>
> Additional Information
>
> Source Context          system_u:system_r:unconfined_t
> Target Context          system_u:system_r:unconfined_t
> Target Objects          None [ process ]
> Affected RPM Packages   firefox-2.0.0.6-3.fc8 [application]
> Policy RPM              selinux-policy-3.0.5-8.fc8
> Selinux Enabled         True
> Policy Type             targeted
> MLS Enabled             True
> Enforcing Mode          Enforcing
> Plugin Name             plugins.allow_execstack
> Host Name               localhost
> Platform                Linux localhost 2.6.23-0.115.rc3.git1.fc8 #1 SMP
>                         Fri Aug 17 20:58:14 EDT 2007 i686 athlon
> Alert Count             6
> First Seen              Tue 21 Aug 2007 04:17:07 PM CDT
> Last Seen               Tue 21 Aug 2007 04:54:17 PM CDT
> Local ID                bbd222d8-abbe-4dd8-b54b-46c7d29b434c
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { execstack } for comm="firefox-bin" egid=500 euid=500
> exe="/usr/lib/firefox-2.0.0.6/firefox-bin" exit=-13 fsgid=500 fsuid=500 gid=500
> items=0 pid=3011 scontext=system_u:system_r:unconfined_t:s0 sgid=500
> subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process
> tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500

This is not the problem of selinux, but the problem of firefox. As you see, firefox needs the stack to be executable. If you trust firefox, you can enable firefox by following the guide from sealert.

>
> SELinux is preventing /usr/sbin/hald (hald_t) "read" to reload (var_lib_t).
> SELinux prevented /usr/sbin/ntpd from using the terminal 0

SELinux by default prevents confined daemons from talking to the terminal. This is actually considered a security feature. You would not want a compromised daemon to prompt you for a login/passwd. Most daemons that are coded correctly will, shortly after startup, close the open file descriptors before going into daemon mode. So in this case, SELinux is a second line of defense.
If you trust all your confined daemons, you can use the following command to enable your daemons to talk to the tty:

setsebool -P allow_daemons_use_tty=1

BTW, for http, there is a specific boolean: httpd_tty_comm

>
> avc: denied { read, write } for comm="ntpd" dev=devpts egid=0 euid=0 exe="/usr/sbin/ntpd" exit=0 fsgid=0 fsuid=0 gid=0 items=0 name="0" pid=17348 scontext=user_u:system_r:ntpd_t:s0 sgid=0 subj=user_u:system_r:ntpd_t:s0 suid=0 tclass=chr_file tcontext=user_u:object_r:devpts_t:s0 tty=(none) uid=0
>
>
> SELinux is preventing /usr/sbin/cupsd (unlabeled_t) "create" to (unlabeled_t).
> SELinux is preventing /usr/sbin/cupsd (unlabeled_t) "append" to /var/log/cups/error_log (cupsd_log_t).
> SELinux prevented /sbin/rpc.statd from using the terminal /dev/pts/0.
> ......, there are a bunch of them. sorry for not posting them.
>
> dmesg does not show any of these when running dmesg from the terminal.
> see
> http://www.geocities.com/olivares14031//20070821164505-dmesg.htm
> for details. Will do an
>
> # touch /.autorelabel
> # reboot
>
> and hope that it cures many of these issues.
>
> Regards,
>
> Antonio

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
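
A small triage script for the raw AVC messages quoted in this thread, added here as an illustration and not part of either poster's message: it parses each denial and sorts it into the cases the thread discusses (mislabeled files, an application requesting an executable stack, a confined daemon touching the terminal). The `parse_avc` and `triage` helpers and the category names are this example's own; the first two sample lines are abridged from the thread and the third is constructed.

```python
import re

# Lines 1-2 are abridged from the raw AVC messages quoted in the thread;
# line 3 is constructed to match the cupsd alert the post only summarises.
SAMPLE = [
    'avc: denied { execstack } for comm="firefox-bin" exit=-13 pid=3011 '
    'scontext=system_u:system_r:unconfined_t:s0 tclass=process '
    'tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500',
    'avc: denied { read, write } for comm="ntpd" dev=devpts name="0" '
    'scontext=user_u:system_r:ntpd_t:s0 tclass=chr_file '
    'tcontext=user_u:object_r:devpts_t:s0 tty=(none) uid=0',
    'avc: denied { append } for comm="cupsd" exe="/usr/sbin/cupsd" '
    'scontext=system_u:system_r:unlabeled_t:s0 tclass=file '
    'tcontext=system_u:object_r:cupsd_log_t:s0',
]
AVC_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Remedies are the ones named in the thread, keyed by this example's categories.
HINTS = {
    'labeling': 'touch /.autorelabel, then reboot',
    'execstack': 'application issue: execstack -c LIBRARY_PATH, file a bug',
    'daemon-tty': 'expected for confined daemons (allow_daemons_use_tty)',
    'other': 'no rule here; read the full alert',
}

def parse_avc(line):
    # Returns the denial's fields, or None if the line is not an AVC denial.
    m = AVC_RE.search(line)
    if not m:
        return None
    avc = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    avc['perms'] = set(re.split(r'[,\s]+', m.group(1).strip()))
    for key, side in (('stype', 'scontext'), ('ttype', 'tcontext')):
        parts = avc.get(side, '').split(':')   # user:role:type[:level]
        avc[key] = parts[2] if len(parts) > 2 else ''
    return avc

def triage(avc):
    if 'unlabeled_t' in (avc['stype'], avc['ttype']):
        return 'labeling'
    if avc.get('tclass') == 'process' and 'execstack' in avc['perms']:
        return 'execstack'
    if avc.get('tclass') == 'chr_file' and avc['ttype'].endswith('devpts_t'):
        return 'daemon-tty'
    return 'other'

if __name__ == '__main__':
    for avc in filter(None, map(parse_avc, SAMPLE)):
        kind = triage(avc)
        print(f"{avc.get('comm', '?'):12} {kind:11} {HINTS[kind]}")
```

The unlabeled_t check runs first because a labeling problem makes the other categories unreliable until the filesystem has been relabeled.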