[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: FC5: Problem with acroread and CISCO VPN

From: Paul Howarth <paul city-fan org>
To: Tom Diehl <tdiehl rogueind com>
Cc: fedora-selinux-list redhat com, Klaus Steinberger <Klaus Steinberger physik uni-muenchen de>
Subject: Re: FC5: Problem with acroread and CISCO VPN
Date: Thu, 27 Apr 2006 15:43:15 +0100

Tom Diehl wrote:

On Thu, 27 Apr 2006, Paul Howarth wrote:

On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:

On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:

Hi,

in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well
as acroread:

[klaus steinberger noname ~]$ acroread
/usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
cannot restore segment prot after reloc: Permission denied
[klaus steinberger noname ~]$

after some googling I found following advice that worked for me to enableacroread again:


1. Start "System" > "Administration" > "Security Level and Firewall"
2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"

3. Tick the check box next to "Allow the use of shared libraries with TextRelocation".

A better fix is to label the acroread files correctly, which only
"opens" the protection for acroread and not every process on the system:

I believe you need:
# chcon -t textrel_shlib_t \
	/usr/lib/acroread/Reader/intellinux/lib/*.so \
	/usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
	/usr/lib/acroread/Reader/intellinux/plug_ins/*.api


If I relabel as suggested above, what happens the next time the filesystem
is relabeled. If as I suspect they get relabeled back to the previous settings,
what is the correct way to make the changes permanent?

It can be done using semanage to add new file context objects. However,I believe the required entries are *supposed* to be in the main policypackage:


# semanage fcontext -l | grep -Ei 'adobe|intellinux'

/usr/(local/)?Adobe/.*\.api regular filesystem_u:object_r:texrel_shlib_t:s0/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)* regular filesystem_u:object_r:texrel_shlib_t:s0/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl regular filesystem_u:object_r:textrel_shlib_t:s0/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so regular filesystem_u:object_r:texrel_shlib_t:s0

# rpm -q selinux-policy
selinux-policy-2.2.34-3.fc5

If you have the latest policy and "restorecon -vR /path/to/acroread"doesn't set the right context, raise it here and mention which filesaren't getting set to textrel_shlib_t. Hopefully it will get fixed sothat this issue stops cropping up on fedora-list every day like it seemsto at the moment.


Paul.

Follow-Ups:
- Re: FC5: Problem with acroread and CISCO VPN
  - From: Stephan Groß

References:
- FC5: Problem with acroread and CISCO VPN
  - From: Klaus Steinberger
- Re: FC5: Problem with acroread and CISCO VPN
  - From: Stephan Groß
- Re: FC5: Problem with acroread and CISCO VPN
  - From: Paul Howarth
- Re: FC5: Problem with acroread and CISCO VPN
  - From: Tom Diehl

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]