Valdis.Kletnieks at Valdis.Kletnieks at
Fri May 13 08:46:03 UTC 2005

On Fri, 13 May 2005 09:25:50 +0200, Aurelien Bompard said:
> Hi,
> Just so that you know, the OpenOffice 1.9.100 rpms from
> won't run on FC3 because of SELinux:
> audit(1115968252.998:0): avc:  denied  { execmod } for  pid=9833
> comm=soffice.bin
> path=/opt/openoffice.org1.9.100/program/ dev=sda2
> ino=308509 scontext=user_u:system_r:unconfined_t
> tcontext=system_u:object_r:usr_t tclass=file

This of course fails in the same basic manner under 'strict', except it's no
longer an unconfined_t....

> What should we tell the upstream rpm maintainers so that their packages
> work on FC3? The packages used to work in an earlier version (1.9.73 I
> think). It's also possible that a policy update caused it, I'm not sure, I
> didn't use them very often.
> Is there something we can do to fix it, or is it only in the hands of the
> upstream maintainers?

What you can do short-term:

If you have selinux-policy-<foo>-sources installed, you can try this:

cat << 'EOF' >> /etc/selinux/strict/src/policy/file_contexts/misc/local.fc
# Places the OpenOffice stuff puts stuff
/usr/local/OpenOffice.org1.1.4/program/.*\.so(\.[^/]*)*    --      system_u:object_r:shlib_t
/opt/[^/]*/program/.*\.so(\.[^/]*)*    --      system_u:object_r:shlib_t
/opt/[^/]*/program/soffice.bin --	system_u:object_r:bin_t
EOF

That seemed to shut the vast majority of the whinging when I tried it
with strict/permissive.  You might have to tag something with texrel_shlib_t
as well.  I don't think there's any new policy needed, just file contexts
to get the *.so's as shlib_t and the binaries as bin_t

(it's 4:37AM and one of my cats just finished dropping a litter of kittens
under my bed about a half hour, so you'll have to flush out the rest of the
answer for yourself :)

Long-term answer: when Fedora ships their official openofficeorg-*-2.0 RPMs,
we'll make sure The Right Thing happens.

More information about the fedora-selinux-list mailing list
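
Added example, not part of the original message: a Python sketch that checks which files under the directory named in the AVC record the two /opt entries from the reply would relabel. It assumes the usual file_contexts semantics (regex matched against the whole path, `--` meaning regular files only, last matching entry wins); the `libexample.so` file names are constructed.

```python
import re

# AVC record quoted in the message, joined onto one line (path truncated as quoted).
AVC = ("audit(1115968252.998:0): avc:  denied  { execmod } for  pid=9833 "
       "comm=soffice.bin path=/opt/openoffice.org1.9.100/program/ dev=sda2 "
       "ino=308509 scontext=user_u:system_r:unconfined_t "
       "tcontext=system_u:object_r:usr_t tclass=file")

# The /opt entries from the reply's local.fc snippet.
LOCAL_FC = r"""# Places the OpenOffice stuff puts stuff
/opt/[^/]*/program/.*\.so(\.[^/]*)*    --      system_u:object_r:shlib_t
/opt/[^/]*/program/soffice.bin --	system_u:object_r:bin_t
"""

def parse_avc(line):
    """Return (denied permissions, key=value fields) from one AVC record."""
    perms = re.search(r"avc:\s+denied\s+\{([^}]*)\}", line).group(1).split()
    return perms, dict(re.findall(r"(\w+)=(\S+)", line))

def parse_fc(text):
    """Parse file_contexts lines into (compiled regex, file type or None, context)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        ftype = parts[1] if len(parts) == 3 else None
        entries.append((re.compile(parts[0]), ftype, parts[-1]))
    return entries

def lookup(entries, path, ftype="--"):
    """Assumed semantics: whole-path match, type must agree, last match wins."""
    for rx, ft, ctx in reversed(entries):
        if ft in (None, ftype) and rx.fullmatch(path):
            return ctx
    return None  # no local entry; the base policy's file_contexts would decide

def check(names):
    """Map each file name under the AVC's directory to the context it would get."""
    _, fields = parse_avc(AVC)
    entries = parse_fc(LOCAL_FC)
    return {n: lookup(entries, fields["path"] + n) for n in names}

if __name__ == "__main__":
    perms, fields = parse_avc(AVC)
    print("denied", perms, "on type", fields["tcontext"].split(":")[2])
    for name, ctx in check(["libexample.so", "libexample.so.1.1",
                            "soffice.bin", "soffice"]).items():
        print(name, "->", ctx)
```
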