Re: FC5: Problem with acroread and CISCO VPN

[Tom Diehl <tdiehl rogueind com>]

On Thu, 27 Apr 2006, Paul Howarth wrote:

> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
> > On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
> > 
> > Hi,
> > 
> > > in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well
> > > as acroread:
> > >
> > > [klaus steinberger noname ~]$ acroread
> > > /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
> > > shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
> > > cannot restore segment prot after reloc: Permission denied
> > > [klaus steinberger noname ~]$
> > 
> > after some googling I found following advice that worked for me to enable 
> > acroread again:
> > 
> > 1. Start "System" > "Administration" > "Security Level and Firewall"
> > 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
> > 3. Tick the check box next to "Allow the use of shared libraries with Text 
> >    Relocation".
> 
> A better fix is to label the acroread files correctly, which only
> "opens" the protection for acroread and not every process on the system:
> 
> I believe you need:
> # chcon -t textrel_shlib_t \
> 	/usr/lib/acroread/Reader/intellinux/lib/*.so \
> 	/usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
> 	/usr/lib/acroread/Reader/intellinux/plug_ins/*.api

If I relabel as suggested above, what happens the next time the filesystem
is relabeled. If as I suspect they get relabeled back to the previous settings,
what is the correct way to make the changes permanent?

Regards,

Tom Diehl		tdiehl rogueind com		Spamtrap address mtd123 rogueind com