FC5: Problem with acroread and CISCO VPN

Paul Howarth paul at city-fan.org
Thu Apr 27 14:43:15 UTC 2006

Tom Diehl wrote:
> On Thu, 27 Apr 2006, Paul Howarth wrote:
>> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
>>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
>>>> Hi,
>>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well
>>>> as acroread:
>>>> [klaus.steinberger at noname ~]$ acroread
>>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
>>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
>>>> cannot restore segment prot after reloc: Permission denied
>>>> [klaus.steinberger at noname ~]$
>>> After some googling I found the following advice that worked for me to enable 
>>> acroread again:
>>> 1. Start "System" > "Administration" > "Security Level and Firewall"
>>> 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
>>> 3. Tick the check box next to "Allow the use of shared libraries with Text 
>>>    Relocation".
>> A better fix is to label the acroread files correctly, which only
>> "opens" the protection for acroread and not every process on the system:
>> I believe you need:
>> # chcon -t textrel_shlib_t \
>> 	/usr/lib/acroread/Reader/intellinux/lib/*.so \
>> 	/usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
>> 	/usr/lib/acroread/Reader/intellinux/plug_ins/*.api
> If I relabel as suggested above, what happens the next time the filesystem
> is relabeled? If, as I suspect, they get relabeled back to the previous settings,
> what is the correct way to make the changes permanent?

It can be done using semanage to add new file context objects. However, 
I believe the required entries are *supposed* to be in the main policy 

# semanage fcontext -l | grep -Ei 'adobe|intellinux'
/usr/(local/)?Adobe/.*\.api                        regular file 
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*  regular file 
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl     regular file 
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so     regular file 
# rpm -q selinux-policy

If you have the latest policy and "restorecon -vR /path/to/acroread" 
doesn't set the right context, raise it here and mention which files 
aren't getting set to textrel_shlib_t. Hopefully it will get fixed so 
that this issue stops cropping up on fedora-list every day like it seems 
to at the moment.
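
The following is an added example, not part of the original message: it checks paths against the four patterns from the semanage listing above (assumed here to be the entries that assign textrel_shlib_t) and prints, without running them, local `semanage fcontext -a` rules for the paths none of them cover. The function names and the sample paths, including the file name Example.api, are constructed for illustration.

```shell
#!/bin/sh
# Added example: which paths do the listed file-context patterns miss?

# Patterns copied from the semanage listing in the message above.
POLICY_PATTERNS='/usr/(local/)?Adobe/.*\.api
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so'

# Constructed sample paths under the install prefix from the error message.
SAMPLE_PATHS='/usr/lib/acroread/Reader/intellinux/lib/libJP2K.so
/usr/lib/acroread/Reader/intellinux/SPPlugins/ADMPlugin.apl
/usr/lib/acroread/Reader/intellinux/plug_ins/Example.api'

# Read paths on stdin and print those that no pattern in $1 matches.
# -x anchors each pattern to the whole path, as file-context matching does;
# -v keeps only the paths that match none of the newline-separated patterns.
uncovered_paths() {
    grep -Evx -e "$1" || true
}

# Read uncovered paths on stdin and print one persistent local rule per
# directory and file extension. Nothing is executed here.
suggest_local_rules() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # Escape regex metacharacters that may appear in the directory name.
        dir=$(printf '%s' "${path%/*}" | sed 's/[.+]/\\&/g')
        printf "semanage fcontext -a -t textrel_shlib_t '%s/.*\\\\.%s'\n" \
            "$dir" "${path##*.}"
    done | sort -u
}

echo "Paths not covered by the listed patterns:"
printf '%s\n' "$SAMPLE_PATHS" | uncovered_paths "$POLICY_PATTERNS"
echo "Local rules to review before running them as root:"
printf '%s\n' "$SAMPLE_PATHS" | uncovered_paths "$POLICY_PATTERNS" \
    | suggest_local_rules
```

Rules added this way are stored as local file-context entries, so a later restorecon or full relabel applies them instead of reverting the files.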

