SELINUX UPDATE PROBLEMS

Boris Glawe boris at boris-glawe.de
Tue Jun 14 20:34:40 UTC 2005


Hi,

According to some bug reports and some postings here, there is an issue 
with the latest selinux-policy update.

In my case I cannot run OpenOffice (both 1.1.4 and 1.9.104). I am using 
the version from openoffice.org, installed in /opt. syslog:

Jun 13 11:21:52 mymachine kernel: audit(1118654512.067:0): avc:  denied  {
execmod } for  pid=6188 comm=soffice.bin
path=/opt/openoffice.org1.9.104/program/libicudata.so.26.0.1 dev=hda6 ino=54865
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file


Jun 13 11:22:53 mymachine kernel: audit(1118654573.135:0): avc:  denied  {
execmod } for  pid=6215 comm=soffice.bin
path=/opt/OpenOffice.org/program/libicudata.so.22.0 dev=hda6 ino=51385
scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file


In addition, I cannot load my self-written shared libraries in my 
home directory:

# ./testprog
./testprog: error while loading shared libraries: 
/home/user/workspace/prog/libprog.so: cannot restore segment prot after 
reloc: Permission denied

syslog:

Jun 13 11:17:03 mymachine kernel: audit(1118654223.196:0): avc:  denied  {
execmod } for  pid=6155 comm=testprog path=/home/user/workspace/prog/libprog.so
dev=hda5 ino=1458690 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file

And last but not least, the Flash player causes thousands of messages of the form:

Jun 13 11:13:59 mymachine kernel: audit(1118654039.474:0): avc:  denied  {
execmod } for  pid=4663 comm=firefox-bin
path=/home/user/.mozilla/plugins/libflashplayer.so dev=hda5 ino=1409670
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:user_home_t
tclass=file



Users who also have problems:

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160363
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160331
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160238
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160147
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160106

Is this new behaviour a feature or a bug? I am wondering why Fedora 
switched from a working to a non-working SELinux configuration without 
fixing it immediately.

greets Boris
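
An added example, not part of the original post: a short Python script that rejoins mail-wrapped AVC records like those quoted above and counts execmod denials per command, path and target type, to show which files the policy is rejecting. The sample input is constructed from the records in the post (the repeated Flash record and the unrelated kernel line are made up), and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample: two records from the post (mail wrapping kept), a made-up
# repeat of the Flash record, and a made-up unrelated kernel line.
SAMPLE = """\
Jun 13 11:17:03 mymachine kernel: audit(1118654223.196:0): avc:  denied  {
execmod } for  pid=6155 comm=testprog path=/home/user/workspace/prog/libprog.so
dev=hda5 ino=1458690 scontext=user_u:system_r:unconfined_t tcontext=user_u:object_r:user_home_t tclass=file
Jun 13 11:13:59 mymachine kernel: audit(1118654039.474:0): avc:  denied  {
execmod } for  pid=4663 comm=firefox-bin
path=/home/user/.mozilla/plugins/libflashplayer.so dev=hda5 ino=1409670
scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:user_home_t
tclass=file
Jun 13 11:14:00 mymachine kernel: eth0: link up
Jun 13 11:14:02 mymachine kernel: audit(1118654042.101:0): avc:  denied  {
execmod } for  pid=4663 comm=firefox-bin path=/home/user/.mozilla/plugins/libflashplayer.so
dev=hda5 ino=1409670 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:user_home_t tclass=file
"""

SYSLOG_LINE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d ")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
FIELD = re.compile(r"(\w+)=(\S+)")

def parse_avc(text):
    """Return one dict per AVC denial, rejoining records wrapped across lines."""
    chunks = []
    for line in text.splitlines():
        if SYSLOG_LINE.match(line):            # a new syslog message starts here
            chunks.append(line)
        elif chunks and line.strip():          # continuation of a wrapped message
            chunks[-1] += " " + line.strip()
    records = []
    for chunk in chunks:
        perms = PERMS.search(chunk)            # non-AVC messages have no match
        if perms:
            records.append({**dict(FIELD.findall(chunk)), "perms": perms.group(1).split()})
    return records

def execmod_summary(text):
    """Count execmod denials on files per (comm, path, target type)."""
    counts = Counter()
    for rec in parse_avc(text):
        if "execmod" in rec["perms"] and rec.get("tclass") == "file":
            target_type = rec["tcontext"].split(":")[2]   # user:role:type
            counts[(rec["comm"], rec["path"], target_type)] += 1
    return counts

if __name__ == "__main__":
    print(*execmod_summary(SAMPLE).most_common(), sep="\n")
```

The key=value split is whitespace-based, so a path containing spaces would be truncated at the first space.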



