FC5: Problem with acroread and CISCO VPN

Klaus Steinberger Klaus.Steinberger at physik.uni-muenchen.de
Thu Apr 27 05:39:27 UTC 2006


Hello,

In Fedora Core 5, SELinux blocks execution of the CISCO vpnclient, as well as 
acroread:

[klaus.steinberger at noname ~]$ acroread
/usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading shared 
libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so: cannot restore 
segment prot after reloc: Permission denied
[klaus.steinberger at noname ~]$

type=AVC msg=audit(1146115808.601:23): avc:  denied  { execmod } for  pid=3366 
comm="acroread" name="libJP2K.so" dev=hda2 ino=2680495 
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 
tclass=file
type=SYSCALL msg=audit(1146115808.601:23): arch=40000003 syscall=125 
success=no exit=-13 a0=2d4000 a1=aa000 a2=5 a3=bfb2dfd0 items=0 pid=3366 
auid=10022 uid=10022 gid=100 euid=10022 suid=10022 fsuid=10022 egid=100 
sgid=100 fsgid=100 comm="acroread" 
exe="/usr/lib/acroread/Reader/intellinux/bin/acroread"
type=AVC_PATH msg=audit(1146115808.601:23):  
path="/usr/lib/acroread/Reader/intellinux/lib/libJP2K.so"



[klaus.steinberger at noname ~]$ vpnclient connect lrz
vpnclient: error while loading shared 
libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot 
after reloc: Permission denied
[klaus.steinberger at noname ~]$

type=AVC msg=audit(1146115819.449:24): avc:  denied  { execmod } for  pid=3437 
comm="vpnclient" name="libvpnapi.so" dev=hda2 ino=2676482 
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 
tclass=file
type=SYSCALL msg=audit(1146115819.449:24): arch=40000003 syscall=125 
success=no exit=-13 a0=5ce000 a1=43000 a2=5 a3=bfa87450 items=0 pid=3437 
auid=10022 uid=10022 gid=100 euid=10022 suid=10022 fsuid=10022 egid=100 
sgid=100 fsgid=100 comm="vpnclient" exe="/opt/cisco-vpnclient/bin/vpnclient"
type=AVC_PATH msg=audit(1146115819.449:24):  
path="/opt/cisco-vpnclient/lib/libvpnapi.so"


My system is up to date:
[klaus.steinberger at noname ~]$ rpm -q selinux-policy-targeted
selinux-policy-targeted-2.2.34-3.fc5
[klaus.steinberger at noname ~]$ rpm -q acroread
acroread-7.0.5-2.2
[klaus.steinberger at noname ~]$ 


I'm currently not too familiar with SELinux, so the only workaround I know is 
to "setenforce 0". 

Sincerely,
Klaus

-- 
Klaus Steinberger         Maier-Leibnitz Labor
Phone: (+49 89)289 14287  Am Coulombwall 6, D-85748 Garching, Germany
FAX:   (+49 89)289 14280  EMail: Klaus.Steinberger at Physik.Uni-Muenchen.DE
URL: http://www.physik.uni-muenchen.de/~k2/

In a world without Walls and Fences, who needs Windows and Gates
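
Added example, not part of the original post: a small Python triage script that joins the AVC, SYSCALL and AVC_PATH records sharing one `audit(timestamp:serial)` id and decodes the denied call. It relies on syscall 125 under arch 40000003 being `mprotect` on i386, with `a2` holding the requested protection bits in hex; the function names are this example's own.

```python
import re
from collections import defaultdict

# Records from the post above (wrapping undone, uid/gid fields trimmed); names below are illustrative.
SAMPLE = '''\
type=AVC msg=audit(1146115808.601:23): avc:  denied  { execmod } for  pid=3366 comm="acroread" name="libJP2K.so" dev=hda2 ino=2680495 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1146115808.601:23): arch=40000003 syscall=125 success=no exit=-13 a0=2d4000 a1=aa000 a2=5 a3=bfb2dfd0 items=0 pid=3366 comm="acroread" exe="/usr/lib/acroread/Reader/intellinux/bin/acroread"
type=AVC_PATH msg=audit(1146115808.601:23):  path="/usr/lib/acroread/Reader/intellinux/lib/libJP2K.so"
type=AVC msg=audit(1146115819.449:24): avc:  denied  { execmod } for  pid=3437 comm="vpnclient" name="libvpnapi.so" dev=hda2 ino=2676482 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1146115819.449:24): arch=40000003 syscall=125 success=no exit=-13 a0=5ce000 a1=43000 a2=5 a3=bfa87450 items=0 pid=3437 comm="vpnclient" exe="/opt/cisco-vpnclient/bin/vpnclient"
type=AVC_PATH msg=audit(1146115819.449:24):  path="/opt/cisco-vpnclient/lib/libvpnapi.so"
'''

EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def correlate(text):
    """Merge all records that share one audit(timestamp:serial) id into one dict."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        ev, rest = events[m.group(1)], line[m.end():]
        for key, val in FIELD.findall(rest):
            ev.setdefault(key, val.strip('"'))  # first record wins on duplicates
        perms = PERMS.search(rest)
        if perms:
            ev["perms"] = perms.group(1).split()
    return dict(events)

def describe_execmod(ev):
    """Summarise an execmod denial; decode the call when it is i386 mprotect."""
    if "execmod" not in ev.get("perms", []):
        return None
    out = {"comm": ev["comm"], "path": ev.get("path"), "tcontext": ev["tcontext"], "call": None}
    if (ev.get("arch"), ev.get("syscall")) == ("40000003", "125"):  # i386 mprotect(2)
        prot = int(ev["a2"], 16)
        flags = [name for bit, name in PROT.items() if prot & bit] or ["PROT_NONE"]
        out["call"] = "mprotect(0x%s, 0x%s, %s)" % (ev["a0"], ev["a1"], "|".join(flags))
    return out

def triage(text):
    return [d for d in map(describe_execmod, correlate(text).values()) if d]

if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

Both events decode to a request for read and execute protection on a range of a library labelled `lib_t`, which matches the loader's "cannot restore segment prot after reloc" error.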




More information about the fedora-selinux-list mailing list