Citrix ICA Client vs. SELinux

[Daniel J Walsh]

Eric Brunson wrote:
> Eric Brunson wrote:
>> With the latest upgrade of the kernel (2.6.16-1.2080_FC5) my Citrix 
>> client stopped working.  Booting into the previous kernel 
>> (2.6.15-1.2054_FC5) will allow me to run it, but in the current 
>> kernel on two machines it segfaults, on the machine I'm on now it 
>> gives this error:
>>
>>    clotho(~)$ /usr/lib/ICAClient/wfica -icaroot /usr/lib/ICAClient 
>> -nosplash -desc hemo1
>>
>>    Error: 75 (E_DYNLOAD_FAILED)
>>
>>    Please refer to the documentation.
>>
>>    Error loading dynamic module:
>>
>>     "/usr/lib/ICAClient/CHARICONV.DLL"
>>
>>    /usr/lib/ICAClient/CHARICONV.DLL: cannot restore segment prot 
>> after reloc: Permission denied
>>
>>
>> The "Permission denied" led me to try disabling selinux enforcement, 
>> which allowed it to run again.  Is there enough information in the 
>> message above for someone to speculate on a policy change that will 
>> allow that dll to load?
>>
> chcon -t texrel_shlib_t /usr/lib/ICAClient/CHARICONV.DLL did the trick 
> on that library, but now I get a popup that it can't find 
> libctxssl.so, which is in the same directory, /usr/lib/ICACLIENT.  I 
> tried adding "/usr/lib/ICAClient/" to the ld.so.conf and running 
> ldconfig, but it still claims to be unable to find the .so file.  
> Again, setenforce 0 allows the application to run properly, but 
> setenforce 1 causes the failure, even though libctxssl.so shows up in 
> ldconfig -p.
> Is there something in SELinux policies that interferes with ld.so 
> searching?  Google hasn't turned anything up yet, but I'm still looking.
>
> Thanks,
> e.
>
Look for avc messages in /var/log/messages or /var/log/audit/audit.log.  
You might need to change textrel_shlib_t on this file also.