SELINUX UPDATE PROBLEMS

Craig cs007fc at wowway.com
Wed Jun 15 04:23:45 UTC 2005


Boris Glawe wrote:
| Hi,
|
| According to some bug reports and some postings here, there is an issue
| with the latest selinux-policy update.
|
| In my case I cannot run OpenOffice (both 1.1.4 and 1.9.104). I am using
| the version from openoffice.org, installed in /opt. syslog:
|
| Jun 13 11:21:52 mymachine kernel: audit(1118654512.067:0): avc:  denied  {
| execmod } for  pid=6188 comm=soffice.bin
| path=/opt/openoffice.org1.9.104/program/libicudata.so.26.0.1 dev=hda6
| ino=54865
| scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t
| tclass=file
|
|
| Jun 13 11:22:53 mymachine kernel: audit(1118654573.135:0): avc:  denied  {
| execmod } for  pid=6215 comm=soffice.bin
| path=/opt/OpenOffice.org/program/libicudata.so.22.0 dev=hda6 ino=51385
| scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t
| tclass=file
|
|
| In addition I cannot load my self-written shared libraries in my
| home directory:
|
| # ./testprog
| ./testprog: error while loading shared libraries:
| /home/user/workspace/prog/libprog.so: cannot restore segment prot after
| reloc: Permission denied
|
| syslog:
|
| Jun 13 11:17:03 mymachine kernel: audit(1118654223.196:0): avc:  denied  {
| execmod } for  pid=6155 comm=testprog
| path=/home/user/workspace/prog/libprog.so
| dev=hda5 ino=1458690 scontext=user_u:system_r:unconfined_t
| tcontext=user_u:object_r:user_home_t tclass=file
|
| And last but not least, the flashplayer causes thousands of messages of
| the form
|
| Jun 13 11:13:59 mymachine kernel: audit(1118654039.474:0): avc:  denied  {
| execmod } for  pid=4663 comm=firefox-bin
| path=/home/user/.mozilla/plugins/libflashplayer.so dev=hda5 ino=1409670
| scontext=user_u:system_r:unconfined_t
| tcontext=system_u:object_r:user_home_t
| tclass=file
|
|
|
| Users that also have problems:
|
| https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160363
| https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160331
| https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160238
| https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160147
| https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160106
|
| Is this new behaviour a feature or a bug? I am wondering why Fedora
| switched from a working to a non-working selinux configuration without
| fixing it immediately.
|
| greets Boris
|
Without question, this is a flaw in the newest implementation of selinux policy.
More importantly, though, this problem should be discussed on the selinux
mailing list simply because new policy should not break the functionality of
core apps and imho previously installed rpm apps. SE Linux is NOT a detective
security.

Craig
