FC5: Problem with acroread and CISCO VPN

Paul Howarth paul at city-fan.org
Thu Apr 27 14:43:15 UTC 2006


Tom Diehl wrote:
> On Thu, 27 Apr 2006, Paul Howarth wrote:
> 
>> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
>>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
>>>
>>> Hi,
>>>
>>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well
>>>> as acroread:
>>>>
>>>> [klaus.steinberger at noname ~]$ acroread
>>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
>>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
>>>> cannot restore segment prot after reloc: Permission denied
>>>> [klaus.steinberger at noname ~]$
>>> after some googling I found following advice that worked for me to enable 
>>> acroread again:
>>>
>>> 1. Start "System" > "Administration" > "Security Level and Firewall"
>>> 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
>>> 3. Tick the check box next to "Allow the use of shared libraries with Text 
>>>    Relocation".
>> A better fix is to label the acroread files correctly, which only
>> "opens" the protection for acroread and not every process on the system:
>>
>> I believe you need:
>> # chcon -t textrel_shlib_t \
>> 	/usr/lib/acroread/Reader/intellinux/lib/*.so \
>> 	/usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
>> 	/usr/lib/acroread/Reader/intellinux/plug_ins/*.api
> 
> If I relabel as suggested above, what happens the next time the filesystem
> is relabeled. If as I suspect they get relabeled back to the previous settings,
> what is the correct way to make the changes permanent?

It can be done using semanage to add new file context objects. However, 
I believe the required entries are *supposed* to be in the main policy 
package:

# semanage fcontext -l | grep -Ei 'adobe|intellinux'
/usr/(local/)?Adobe/.*\.api                        regular file 
system_u:object_r:texrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*  regular file 
system_u:object_r:texrel_shlib_t:s0
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl     regular file 
system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so     regular file 
system_u:object_r:texrel_shlib_t:s0
# rpm -q selinux-policy
selinux-policy-2.2.34-3.fc5

If you have the latest policy and "restorecon -vR /path/to/acroread" 
doesn't set the right context, raise it here and mention which files 
aren't getting set to textrel_shlib_t. Hopefully it will get fixed so 
that this issue stops cropping up on fedora-list every day like it seems 
to at the moment.

Paul.




More information about the fedora-selinux-list mailing list