Citrix ICA Client vs. SELinux
Daniel J Walsh
dwalsh at redhat.com
Mon Apr 3 18:33:08 UTC 2006
Eric Brunson wrote:
> Eric Brunson wrote:
>> With the latest upgrade of the kernel (2.6.16-1.2080_FC5) my Citrix
>> client stopped working. Booting into the previous kernel
>> (2.6.15-1.2054_FC5) will allow me to run it, but in the current
>> kernel on two machines it segfaults, on the machine I'm on now it
>> gives this error:
>>
>> clotho(~)$ /usr/lib/ICAClient/wfica -icaroot /usr/lib/ICAClient
>> -nosplash -desc hemo1
>>
>> Error: 75 (E_DYNLOAD_FAILED)
>>
>> Please refer to the documentation.
>>
>> Error loading dynamic module:
>>
>> "/usr/lib/ICAClient/CHARICONV.DLL"
>>
>> /usr/lib/ICAClient/CHARICONV.DLL: cannot restore segment prot
>> after reloc: Permission denied
>>
>>
>> The "Permission denied" led me to try disabling selinux enforcement,
>> which allowed it to run again. Is there enough information in the
>> message above for someone to speculate on a policy change that will
>> allow that dll to load?
>>
> chcon -t texrel_shlib_t /usr/lib/ICAClient/CHARICONV.DLL did the trick
> on that library, but now I get a popup that it can't find
> libctxssl.so, which is in the same directory, /usr/lib/ICACLIENT. I
> tried adding "/usr/lib/ICAClient/" to the ld.so.conf and running
> ldconfig, but it still claims to be unable to find the .so file.
> Again, setenforce 0 allows the application to run properly, but
> setenforce 1 causes the failure, even though libctxssl.so shows up in
> ldconfig -p.
> Is there something in SELinux policies that interferes with ld.so
> searching? Google hasn't turned anything up yet, but I'm still looking.
>
> Thanks,
> e.
>
Look for avc messages in /var/log/messages or /var/log/audit/audit.log.
You might need to change textrel_shlib_t on this file also.
More information about the fedora-list
mailing list