FC5: Problem with acroread and CISCO VPN

Paul Howarth paul at city-fan.org
Fri Apr 28 10:22:32 UTC 2006


Stephan Groß wrote:
> On Friday 28 April 2006 08:36, Paul Howarth wrote:
>> On Thu, 2006-04-27 at 20:43 +0200, Stephan Groß wrote:
>>> On Thursday 27 April 2006 16:43, Paul Howarth wrote:
>>>> Tom Diehl wrote:
>>>>> On Thu, 27 Apr 2006, Paul Howarth wrote:
>>>>>> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
>>>>>>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient,
>>>>>>>> as well as acroread:
>>>>>>>>
>>>>>>>> [klaus.steinberger at noname ~]$ acroread
>>>>>>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while
>>>>>>>> loading shared libraries:
>>>>>>>> /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: cannot restore
>>>>>>>> segment prot after reloc: Permission denied
>>>>>>>> [klaus.steinberger at noname ~]$
>>>>>>> After some googling I found the following advice that worked for me
>>>>>>> to enable acroread again:
>>>>>>>
>>>>>>> 1. Start "System" > "Administration" > "Security Level and
>>>>>>>    Firewall"
>>>>>>> 2. On the "SELinux" tab click on "Modify SELinux Policy >
>>>>>>>    Compatibility"
>>>>>>> 3. Tick the check box next to "Allow the use of shared libraries
>>>>>>>    with Text Relocation".
>>>>>> A better fix is to label the acroread files correctly, which only
>>>>>> "opens" the protection for acroread and not every process on the
>>>>>> system:
>>>>>>
>>>>>> I believe you need:
>>>>>> # chcon -t textrel_shlib_t \
>>>>>> 	/usr/lib/acroread/Reader/intellinux/lib/*.so \
>>>>>> 	/usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
>>>>>> 	/usr/lib/acroread/Reader/intellinux/plug_ins/*.api
>>>>> If I relabel as suggested above, what happens the next time the
>>>>> filesystem is relabeled? If, as I suspect, they get relabeled back to
>>>>> the previous settings, what is the correct way to make the changes
>>>>> permanent?
>>>> It can be done using semanage to add new file context objects. However,
>>>> I believe the required entries are *supposed* to be in the main policy
>>>> package:
>>>>
>>>> # semanage fcontext -l | grep -Ei 'adobe|intellinux'
>>>> /usr/(local/)?Adobe/.*\.api                        regular file
>>>> system_u:object_r:texrel_shlib_t:s0
>>>> /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*  regular file
>>>> system_u:object_r:texrel_shlib_t:s0
>>>> /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl     regular file
>>>> system_u:object_r:textrel_shlib_t:s0
>>>> /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so     regular file
>>>> system_u:object_r:texrel_shlib_t:s0
>>>> # rpm -q selinux-policy
>>>> selinux-policy-2.2.34-3.fc5
>>>>
>>>> If you have the latest policy and "restorecon -vR /path/to/acroread"
>>>> doesn't set the right context, raise it here and mention which files
>>>> aren't getting set to textrel_shlib_t. Hopefully it will get fixed so
>>>> that this issue stops cropping up on fedora-list every day like it
>>>> seems to at the moment.
>>> I have the above mentioned selinux-policy-2.2.34-3.fc5 installed.
>>> However, a "restorecon -vR /usr/local/Adobe" results in
>>>
>>> "/etc/selinux/targeted/contexts/files/file_contexts: Multiple different
>>> specifications for /opt  (system_u:object_r:home_root_t and
>>> system_u:object_r:usr_t).
>>> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different
>>> specifications for /opt  (system_u:object_r:home_root_t and
>>> system_u:object_r:usr_t)."
>> Have you moved root's home directory from /root to somewhere under /opt?
> 
> No, it's still in /root. I only have the Brockhaus Multimedia Encyclopedia (the
> German answer to MS Encarta) installed that registers a user bmm having its
> home directory in /opt/bmm. However, I just checked that /opt is of type
> home_root_t and all of its subdirectories are of type user_home_dir_t. Should
> I change any of these settings?

Moving its home directory to somewhere under /home might help.

Paul.
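
The "Multiple different specifications for /opt" message quoted above means the same path specification appears with two different contexts in the file-context data being loaded. As an added example (not part of the original thread), the shell function below lists such clashes across one or more file_contexts-style files; the function names and the sample entries are constructed for illustration, and matching on the path and file-type fields only approximates the check restorecon performs.

```shell
#!/bin/sh
# Added example, not from the thread. Reports path specifications that occur
# with more than one context across the given file_contexts-style files.
# Line format assumed: pathspec [filetype] context

find_conflicting_specs() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }       # skip blank lines and comments
        {
            # Key on the path regex plus the optional file-type field.
            key = (NF >= 3) ? $1 " " $2 : $1
            ctx = $NF
            if (!(key in first)) { first[key] = ctx; next }
            # Same spec seen again: report only if the context differs.
            if (first[key] != ctx && !((key, ctx) in seen)) {
                seen[key, ctx] = 1
                printf "%s: %s and %s\n", key, first[key], ctx
            }
        }
    ' "$@"
}

# Constructed sample: a base policy file plus a generated home-directory file
# in which a user whose home is /opt/bmm makes /opt look like a home root.
demo_conflicts() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/file_contexts" <<'EOF'
# constructed sample entries
/opt    -d    system_u:object_r:usr_t
/usr    -d    system_u:object_r:usr_t
/home   -d    system_u:object_r:home_root_t
EOF
    cat > "$dir/file_contexts.homedirs" <<'EOF'
# constructed sample entries
/opt    -d    system_u:object_r:home_root_t
/home   -d    system_u:object_r:home_root_t
EOF
    find_conflicting_specs "$dir/file_contexts" "$dir/file_contexts.homedirs"
    rm -rf "$dir"
}

demo_conflicts
```

On a real system the arguments would be the files under /etc/selinux/targeted/contexts/files/ named in the error message.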



