FC5: Problem with acroread and CISCO VPN

Tom Diehl tdiehl at rogueind.com
Thu Apr 27 12:13:03 UTC 2006


On Thu, 27 Apr 2006, Paul Howarth wrote:

> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
> > On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
> > 
> > Hi,
> > 
> > > in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as well
> > > as acroread:
> > >
> > > [klaus.steinberger at noname ~]$ acroread
> > > /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
> > > shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
> > > cannot restore segment prot after reloc: Permission denied
> > > [klaus.steinberger at noname ~]$
> > 
> > after some googling I found following advice that worked for me to enable 
> > acroread again:
> > 
> > 1. Start "System" > "Administration" > "Security Level and Firewall"
> > 2. On the "SELinux" tab click on "Modify SELinux Policy > Compatibility"
> > 3. Tick the check box next to "Allow the use of shared libraries with Text 
> >    Relocation".
> 
> A better fix is to label the acroread files correctly, which only
> "opens" the protection for acroread and not every process on the system:
> 
> I believe you need:
> # chcon -t textrel_shlib_t \
> 	/usr/lib/acroread/Reader/intellinux/lib/*.so \
> 	/usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
> 	/usr/lib/acroread/Reader/intellinux/plug_ins/*.api

If I relabel as suggested above, what happens the next time the filesystem
is relabeled. If as I suspect they get relabeled back to the previous settings,
what is the correct way to make the changes permanent?

Regards,

Tom Diehl		tdiehl at rogueind.com		Spamtrap address mtd123 at rogueind.com




More information about the fedora-selinux-list mailing list