FC5: Problem with acroread and CISCO VPN

Paul Howarth paul at city-fan.org
Thu Apr 27 14:54:46 UTC 2006


Stephan Groß wrote:
> On Thursday 27 April 2006 09:50, Paul Howarth wrote:
> 
>>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as
>>>> well as acroread:
>>>>
>>>> [klaus.steinberger at noname ~]$ acroread
>>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
>>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
>>>> cannot restore segment prot after reloc: Permission denied
>>>> [klaus.steinberger at noname ~]$
>>> after some googling I found the following advice that worked for me to enable
>>> acroread again:
>>>
>>> 1. Start "System" > "Administration" > "Security Level and Firewall"
>>> 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
>>> 3. Tick the check box next to "Allow the use of shared libraries with
>>> Text Relocation".
>> A better fix is to label the acroread files correctly, which only
>> "opens" the protection for acroread and not every process on the system:
>>
>> I believe you need:
>> # chcon -t textrel_shlib_t \
>> 	/usr/lib/acroread/Reader/intellinux/lib/*.so \
>> 	/usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
>> 	/usr/lib/acroread/Reader/intellinux/plug_ins/*.api
> 
> I have checked that. As I am using the original RPM packets provided by Adobe 
> the files are located in /usr/local/Adobe/Acrobat7.0/Reader/intellinux and a
> 
> chcon -t textrel_shlib_t \
> 	/usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/*.so
> 
> seems to be sufficient to run acroread and also use the plugin in Firefox. 
> BTW, what are SPPlugins and plug_ins for?

Dunno; I don't use it myself (evince is fine for my needs) and I picked 
up the need to fix the two sets of plugins from various posts on 
fedora-list.

> However, thank you Paul for providing this more customized solution. I assume 
> that I only have to change the type context of the libraries distributed with 
> the Cisco VPN client accordingly to run it with a "fully" enabled selinux.

Probably, yes.

If that works, please provide details of what needed to be changed so 
that it can make it into the Core policy.

Paul.