selinux-faq/en_US selinux-faq.xml,1.12,1.13

Chad Sellers (csellers) fedora-docs-commits at redhat.com
Fri Apr 28 17:36:47 UTC 2006


Author: csellers

Update of /cvs/docs/selinux-faq/en_US
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv9476

Modified Files:
	selinux-faq.xml 
Log Message:
modified memory protection FAQ to make clearer and address making permanent changes, addresses bz#190181


Index: selinux-faq.xml
===================================================================
RCS file: /cvs/docs/selinux-faq/en_US/selinux-faq.xml,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- selinux-faq.xml	28 Apr 2006 16:57:25 -0000	1.12
+++ selinux-faq.xml	28 Apr 2006 17:36:44 -0000	1.13
@@ -2309,16 +2309,42 @@
 	      For more information on these restrictions, see <ulink
 	      url="http://people.redhat.com/drepper/selinux-mem.html"/>.
             </para>
+	    <para>
+	      These show up in
+	      <filename>/var/log/messages</filename> (or
+	      <filename>/var/log/audit/audit.log</filename> if using the audit
+	      daemon) as avc denials.
+	      These can also show up when running programs with errors like
+	    </para>
+<screen>
+<computeroutput>error while loading shared libraries: /usr/lib/libavutil.so.49:
+cannot restore segment prot after reloc: Permission denied</computeroutput>
+</screen>
+	    <para>
+	      which indicates that the library is trying to perform a text
+	      relocation and failing. Text relocations are bad,
+	      but can be allowed via the first hint below. Below are the
+	      &SEL; memory permissions that are denied, as well as hints at
+	      how to address these denials.
+	    </para>
 	    <variablelist>
 	      <varlistentry>
 		<term><computeroutput>execmod</computeroutput></term>
 		<listitem>
 		  <para>
-		    This is usually based on a library label. You can change
-		    the context on the library with the
-		    <command>chcon -t textrel_shlib_t
-		    <replaceable>LIBRARY</replaceable></command>. Now your
-		    application can run. Please report this as a bugzilla.
+		    This is usually based on a library label. You can
+		    permanently change the context on the library with the
+		    following commands
+		  </para>
+<screen>
+<computeroutput># /usr/sbin/semanage fcontext -a -t textrel_shlib_t '/usr/lib/libavutil.so.49.0.0'
+# /sbin/restorecon -v /usr/lib/libavutil.so.49.0.0</computeroutput>
+</screen>
+		  <para>
+		    with the particular library at fault in place of
+		    <filename>/usr/lib/libavutil.so.49.0.0</filename>.
+		    Now your application should be able to run. Please
+		    report this as a bugzilla.
 		  </para>
 		</listitem>
 	      </varlistentry>
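Review bot: The execmod hint puts the two commands the reader is meant to type inside <computeroutput> with a hard-coded libavutil path, where the removed text used <command> with <replaceable>LIBRARY</replaceable>; marking them as typed input with a replaceable path would keep readers from pasting the example path verbatim. The path given to semanage fcontext is a regular expression, so the unescaped dots in '/usr/lib/libavutil.so.49.0.0' match any character, and escaping them keeps the rule scoped to the one file. The sample error names /usr/lib/libavutil.so.49 while the commands label /usr/lib/libavutil.so.49.0.0, and the text does not say why the two names differ or which one the reader should label. The sentence "Text relocations are bad, but can be allowed via the first hint below" also gives no reason; one line saying that the relabel permits execmod for that library, and that the bug report is how the library itself gets fixed, would make clear this is a workaround.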



