
Re: Cisco VPNClient does not work with SELinux enabled in FC4



I tried that command and it came out with an error -
> [root host ~]# chcon -t textrel_shlib_t /opt/cisco-vpnclient/lib/libvpnapi.so
> chcon: failed to change context of /opt/cisco-vpnclient/lib/libvpnapi.so to root:object_r:textrel_shlib_t: Invalid argument
and later again on Paul's advice I also ran the command
# setsebool -P allow_execmod 1
which did not work either.

Thanks
shyam

Daniel J Walsh <dwalsh redhat com> wrote:
yukku yukkoooooo wrote:
> Hi,
> I am running on FC4 and I installed Cisco VPN client software,
> however when I run vpnclient I am getting the error message :
> "vpnclient: error while loading shared libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot after reloc: Permission denied"
This is strange.

Have you tried

chcon -t textrel_shlib_t /opt/cisco-vpnclient/lib/libvpnapi.so
> Friendly neighbourhood Paul Howarth correctly guessed it to be related
> to SELinux.
> I am able to run the vpnclient by disabling the SELinux using
> setenforce 0
> The chcon command did not work (apparently it is not supposed to work
> in FC4)
> I get an error message "type=AVC msg=audit(1147460693.437:11955217):
> avc: denied { execmod } "
> if I disable selinux and run the vpnclient command.
> > Paul Howarth wrote :
> > > The memory checks are present in FC4 but disabled by default. It
> > > appears that they have somehow been enabled on your system.
> > > This should fix it:
> > > # setsebool -P allow_execmod 1
> >
> > I gave this command and it still does not work with
> > SELinux. So I dug a little bit and gave the command
> > # getsebool -a | less
> > and I got a long output of which I took the ones that might
> > make sense to you -
> > allow_execmem --> active
> > allow_execmod --> active
> > allow_execstack --> active
> > allow_kerberos --> active
> > allow_write_xshm --> active
> > allow_ypbind --> active
> > > There's something very weird going on there. allow_execmod should do
> > > what it says. I'd try asking about this on fedora-selinux-list,
>
> setsebool with execmod is not working either.
> I have attached the relevant files as well. Any ideas ?
> This should give you an idea of the SELinux version
> selinux-doc-1.19.5-1.noarch.rpm
> selinux-policy-strict-1.23.16-6.noarch.rpm
> selinux-policy-targeted-1.23.16-6.noarch.rpm
>
> Thanks
> Newbie Yukku
>
>
>
>
> type=SYSCALL msg=audit(1147715609.949:3621791): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bfc7b7b8 a2=1 a3=bfc7b7b8 items=0 pid=4330 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="setenforce" exe="/usr/sbin/setenforce"
> type=AVC msg=audit(1147715609.949:3621791): avc: granted { setenforce } for pid=4330 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
> type=AVC_PATH msg=audit(1147715612.195:3634219): path="/opt/cisco-vpnclient/lib/libvpnapi.so"
> type=SYSCALL msg=audit(1147715612.195:3634219): arch=40000003 syscall=125 per=400000 success=yes exit=0 a0=9be000 a1=41000 a2=5 a3=bfd74540 items=0 pid=4332 auid=4294967295 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 comm="vpnclient" exe="/opt/cisco-vpnclient/bin/vpnclient"
> type=AVC msg=audit(1147715612.195:3634219): avc: denied { execmod } for pid=4332 comm="vpnclient" name=libvpnapi.so dev=hda3 ino=32474 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
>
> ------------------------------------------------------------------------
>
> SELinux status: enabled
> SELinuxfs mount: /selinux
> Current mode: enforcing
> Mode from config file: enforcing
> Policy version: 19
> Policy from config file: targeted
>
> Policy booleans:
> NetworkManager_disable_trans inactive
> allow_execmem active
> allow_execmod active
> allow_execstack active
> allow_kerberos active
> allow_write_xshm inactive
> allow_ypbind inactive
> apmd_disable_trans inactive
> arpwatch_disable_trans inactive
> auditd_disable_trans inactive
> bluetooth_disable_trans inactive
> canna_disable_trans inactive
> cardmgr_disable_trans inactive
> comsat_disable_trans inactive
> cupsd_config_disable_trans inactive
> cupsd_disable_trans inactive
> cvs_disable_trans inactive
> cyrus_disable_trans inactive
> dbskkd_disable_trans inactive
> dhcpc_disable_trans inactive
> dhcpd_disable_trans inactive
> dovecot_disable_trans inactive
> fingerd_disable_trans inactive
> ftp_home_dir active
> ftpd_disable_trans inactive
> ftpd_is_daemon active
> hald_disable_trans inactive
> hotplug_disable_trans inactive
> howl_disable_trans inactive
> httpd_builtin_scripting active
> httpd_can_network_connect inactive
> httpd_disable_trans inactive
> httpd_enable_cgi active
> httpd_enable_homedirs active
> httpd_ssi_exec active
> httpd_suexec_disable_trans inactive
> httpd_tty_comm inactive
> httpd_unified active
> i18n_input_disable_trans inactive
> inetd_child_disable_trans inactive
> inetd_disable_trans inactive
> innd_disable_trans inactive
> kadmind_disable_trans inactive
> klogd_disable_trans inactive
> krb5kdc_disable_trans inactive
> ktalkd_disable_trans inactive
> lpd_disable_trans inactive
> mysqld_disable_trans inactive
> named_disable_trans inactive
> named_write_master_zones inactive
> nfs_export_all_ro active
> nfs_export_all_rw active
> nmbd_disable_trans inactive
> nscd_disable_trans inactive
> ntpd_disable_trans inactive
> portmap_disable_trans inactive
> postgresql_disable_trans inactive
> pppd_disable_trans inactive
> pppd_for_user inactive
> privoxy_disable_trans inactive
> ptal_disable_trans inactive
> radiusd_disable_trans inactive
> radvd_disable_trans inactive
> read_default_t active
> rlogind_disable_trans inactive
> rsync_disable_trans inactive
> samba_enable_home_dirs inactive
> saslauthd_disable_trans inactive
> slapd_disable_trans inactive
> smbd_disable_trans inactive
> snmpd_disable_trans inactive
> squid_connect_any inactive
> squid_disable_trans inactive
> stunnel_disable_trans inactive
> stunnel_is_daemon inactive
> syslogd_disable_trans inactive
> system_dbusd_disable_trans inactive
> telnetd_disable_trans inactive
> tftpd_disable_trans inactive
> udev_disable_trans inactive
> use_nfs_home_dirs inactive
> use_samba_home_dirs inactive
> uucpd_disable_trans inactive
> winbind_disable_trans inactive
> ypbind_disable_trans inactive
> ypserv_disable_trans inactive
> zebra_disable_trans inactive
>
> ------------------------------------------------------------------------
>
> --
> fedora-selinux-list mailing list
> fedora-selinux-list redhat com
> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
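The AVC records quoted in the thread are the evidence worth reading: an execmod denial names the process, the file and the file's current SELinux label, which is exactly what decides whether the chcon to textrel_shlib_t took effect. The script below is an added example written for this page, not part of the thread and not an SELinux or audit tool; its sample records are reconstructed from the ones quoted above. It parses AVC and AVC_PATH records of that format, joins the path to its AVC by audit serial, and reports each execmod denial together with the file type taken from tcontext.

```python
import re
from typing import Any, Dict, List

# Constructed sample: three audit records rebuilt from the ones quoted in the
# thread (a granted setenforce, then the AVC_PATH + AVC pair for vpnclient).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1147715609.949:3621791): avc: granted { setenforce } for pid=4330 comm="setenforce" scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
type=AVC_PATH msg=audit(1147715612.195:3634219): path="/opt/cisco-vpnclient/lib/libvpnapi.so"
type=AVC msg=audit(1147715612.195:3634219): avc: denied { execmod } for pid=4332 comm="vpnclient" name=libvpnapi.so dev=hda3 ino=32474 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
"""

# An AVC record: result, the permission set in braces, then key=value pairs.
AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +'
    r'(?P<result>granted|denied) +\{ *(?P<perms>[^}]+)\} for (?P<rest>.*)$'
)
# An AVC_PATH record carries the full path for the AVC with the same serial.
PATH_RE = re.compile(
    r'^type=AVC_PATH msg=audit\([\d.]+:(?P<serial>\d+)\): path="(?P<path>[^"]*)"'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit(text: str) -> List[Dict[str, Any]]:
    """Return one dict per AVC record, with any AVC_PATH path joined in by serial."""
    paths: Dict[str, str] = {}
    events: List[Dict[str, Any]] = []
    for line in text.splitlines():
        m = PATH_RE.match(line)
        if m:
            paths[m.group('serial')] = m.group('path')
            continue
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL and other record types are not needed here
        ev: Dict[str, Any] = {
            'serial': m.group('serial'),
            'result': m.group('result'),
            'perms': m.group('perms').split(),
        }
        for key, val in KV_RE.findall(m.group('rest')):
            ev[key] = val.strip('"')
        events.append(ev)
    for ev in events:
        ev['path'] = paths.get(ev['serial'], '')
    return events


def execmod_findings(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Pick out execmod denials and report the file's current SELinux type."""
    findings = []
    for ev in events:
        if ev['result'] != 'denied' or 'execmod' not in ev['perms']:
            continue
        # tcontext is user:role:type; the type is the part that chcon -t changes.
        file_type = ev['tcontext'].split(':')[2]
        findings.append({
            'comm': ev.get('comm', '?'),
            'pid': ev.get('pid', '?'),
            'file': ev['path'] or ev.get('name', '?'),
            'file_type': file_type,
            # textrel_shlib_t is the relabel target suggested in the thread;
            # False means the label on disk is still something else.
            'labelled_textrel': file_type == 'textrel_shlib_t',
        })
    return findings


if __name__ == '__main__':
    for f in execmod_findings(parse_audit(SAMPLE_AUDIT_LOG)):
        print(f"execmod denied: {f['comm']}[{f['pid']}] on {f['file']} "
              f"(type {f['file_type']}, textrel_shlib_t: {f['labelled_textrel']})")
```

Run against the sample, it reports the single denial as vpnclient on /opt/cisco-vpnclient/lib/libvpnapi.so with type usr_t, which is the state the thread's failed chcon left behind. An execmod denial means a process asked to make an already-executable file mapping writable and then executable again, which is what a shared object with text relocations does while the loader patches it; both the allow_execmod boolean and the textrel_shlib_t label permit that for the file, whereas a library built as position-independent code does not need it in the first place.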


