Citrix ICA Client vs. SELinux
Eric Brunson
brunson at brunson.com
Mon Apr 3 18:29:02 UTC 2006
Eric Brunson wrote:
> With the latest upgrade of the kernel (2.6.16-1.2080_FC5) my Citrix
> client stopped working. Booting into the previous kernel
> (2.6.15-1.2054_FC5) will allow me to run it, but in the current kernel
> on two machines it segfaults, on the machine I'm on now it gives this
> error:
>
> clotho(~)$ /usr/lib/ICAClient/wfica -icaroot /usr/lib/ICAClient
> -nosplash -desc hemo1
>
> Error: 75 (E_DYNLOAD_FAILED)
>
> Please refer to the documentation.
>
> Error loading dynamic module:
>
> "/usr/lib/ICAClient/CHARICONV.DLL"
>
> /usr/lib/ICAClient/CHARICONV.DLL: cannot restore segment prot after
> reloc: Permission denied
>
>
> The "Permission denied" led me to try disabling selinux enforcement,
> which allowed it to run again. Is there enough information in the
> message above for someone to speculate on a policy change that will
> allow that dll to load?
>
chcon -t texrel_shlib_t /usr/lib/ICAClient/CHARICONV.DLL did the trick
on that library, but now I get a popup that it can't find libctxssl.so,
which is in the same directory, /usr/lib/ICACLIENT. I tried adding
"/usr/lib/ICAClient/" to the ld.so.conf and running ldconfig, but it
still claims to be unable to find the .so file. Again, setenforce 0
allows the application to run properly, but setenforce 1 causes the
failure, even though libctxssl.so shows up in ldconfig -p.

Is there something in SELinux policies that interferes with ld.so
searching? Google hasn't turned anything up yet, but I'm still looking.

Thanks,
e.
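
An added example, not part of the original message: the loader reports "cannot restore segment prot after reloc" when it has to write relocations into a library's text segment, which ELF marks with DT_TEXTREL (or DF_TEXTREL in DT_FLAGS). The Python sketch below lists the files in a directory that carry that marker, which makes them candidates for the texrel_shlib_t label used above; the function names and the constructed sample image are assumptions made for this example.

```python
import struct

PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 22, 30, 0x4
# Per EI_CLASS: word format, dynamic-entry format and size, offsets of
# e_phoff and e_phentsize in the ELF header, offset of p_offset in a phdr.
LAYOUT = {1: ("I", "iI", 8, 28, 42, 4), 2: ("Q", "qQ", 16, 32, 54, 8)}

def has_textrel(data: bytes) -> bool:
    """Return True if the ELF image declares text relocations."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in LAYOUT:
        raise ValueError("not an ELF file")
    word, dyn_fmt, step, phoff_at, phsz_at, poff_at = LAYOUT[data[4]]
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little-endian
    phoff, = struct.unpack_from(end + word, data, phoff_at)
    phentsize, phnum = struct.unpack_from(end + "HH", data, phsz_at)
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from(end + "I", data, base)[0] != PT_DYNAMIC:
            continue
        # p_offset, p_vaddr, p_paddr, p_filesz are four consecutive words.
        off, _, _, size = struct.unpack_from(end + word * 4, data, base + poff_at)
        for pos in range(off, min(off + size, len(data)) - step + 1, step):
            tag, val = struct.unpack_from(end + dyn_fmt, data, pos)
            if tag == DT_NULL:                  # end of the dynamic section
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

def sample_elf32(dyn_entries):
    """Constructed minimal 32-bit little-endian ELF image (not a real library)."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_entries)
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_DYNAMIC, 84, 84, 84, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    import pathlib, sys
    # Directory to scan is the first argument, e.g. /usr/lib/ICAClient
    for path in sorted(pathlib.Path(sys.argv[1] if len(sys.argv) > 1 else ".").iterdir()):
        try:
            if path.is_file() and has_textrel(path.read_bytes()):
                print(path)
        except (ValueError, struct.error, OSError):
            pass                                # not ELF, truncated, or unreadable
```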