FC5: Problem with acroread and CISCO VPN

Paul Howarth paul at city-fan.org
Fri Apr 28 06:36:52 UTC 2006


On Thu, 2006-04-27 at 20:43 +0200, Stephan Groß wrote:
> On Thursday 27 April 2006 16:43, Paul Howarth wrote:
> > Tom Diehl wrote:
> > > On Thu, 27 Apr 2006, Paul Howarth wrote:
> > >> On Thu, 2006-04-27 at 08:58 +0200, Stephan Groß wrote:
> > >>> On Thursday 27 April 2006 07:39, Klaus Steinberger wrote:
> > >>>
> > >>> Hi,
> > >>>
> > >>>> in Fedora Core 5 selinux blocks execution of the CISCO vpnclient, as
> > >>>> well as acroread:
> > >>>>
> > >>>> [klaus.steinberger@noname ~]$ acroread
> > >>>> /usr/lib/acroread/Reader/intellinux/bin/acroread: error while loading
> > >>>> shared libraries: /usr/lib/acroread/Reader/intellinux/lib/libJP2K.so:
> > >>>> cannot restore segment prot after reloc: Permission denied
> > >>>> [klaus.steinberger@noname ~]$
> > >>>
> > >>> After some googling I found the following advice that worked for me to
> > >>> enable acroread again:
> > >>>
> > >>> 1. Start "System" > "Administration" > "Security Level and Firewall"
> > >>> 2. On the "SELinux" tab click on "Modify SELinux Policy >
> > >>>    Compatibility"
> > >>> 3. Tick the check box next to "Allow the use of shared
> > >>>    libraries with Text Relocation".
> > >>
> > >> A better fix is to label the acroread files correctly, which only
> > >> "opens" the protection for acroread and not every process on the system:
> > >>
> > >> I believe you need:
> > >> # chcon -t textrel_shlib_t \
> > >> 	/usr/lib/acroread/Reader/intellinux/lib/*.so \
> > >> 	/usr/lib/acroread/Reader/intellinux/SPPlugins/*.apl \
> > >> 	/usr/lib/acroread/Reader/intellinux/plug_ins/*.api
> > >
> > > If I relabel as suggested above, what happens the next time the
> > > filesystem is relabeled? If, as I suspect, they get relabeled back to the
> > > previous settings, what is the correct way to make the changes permanent?
> >
> > It can be done using semanage to add new file context objects. However,
> > I believe the required entries are *supposed* to be in the main policy
> > package:
> >
> > # semanage fcontext -l | grep -Ei 'adobe|intellinux'
> > /usr/(local/)?Adobe/.*\.api                        regular file
> > system_u:object_r:texrel_shlib_t:s0
> > /usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*  regular file
> > system_u:object_r:texrel_shlib_t:s0
> > /usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl     regular file
> > system_u:object_r:textrel_shlib_t:s0
> > /usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so     regular file
> > system_u:object_r:texrel_shlib_t:s0
> > # rpm -q selinux-policy
> > selinux-policy-2.2.34-3.fc5
> >
> > If you have the latest policy and "restorecon -vR /path/to/acroread"
> > doesn't set the right context, raise it here and mention which files
> > aren't getting set to textrel_shlib_t. Hopefully it will get fixed so
> > that this issue stops cropping up on fedora-list every day like it seems
> > to at the moment.
> 
> I have the above-mentioned selinux-policy-2.2.34-3.fc5 installed. However, a 
> "restorecon -vR /usr/local/Adobe" results in
> 
> "/etc/selinux/targeted/contexts/files/file_contexts: Multiple different 
> specifications for /opt  (system_u:object_r:home_root_t and 
> system_u:object_r:usr_t).
> /etc/selinux/targeted/contexts/files/file_contexts: Multiple different 
> specifications for /opt  (system_u:object_r:home_root_t and 
> system_u:object_r:usr_t)."

Have you moved root's home directory from /root to somewhere under /opt?

> and no file contexts changed. I am clueless about the details of selinux. Is 
> this a bug in the policy script or might this be a failure in my 
> installation? Don't know if it matters but I upgraded from FC4.

I've upgraded too; it shouldn't matter.

Paul.
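
An added example, not part of the original messages or of the SELinux tools: a small Python check that takes the "semanage fcontext -l" listing quoted in the thread and reports, for a set of paths, whether any policy entry would give them the textrel_shlib_t type that the chcon command uses. The sample paths are constructed (the "Acrobat7.0" directory and "AcroForm.api" file names are assumptions), and function names are hypothetical.

```python
import re

# Listing copied from the thread above; mail wrapping put each context on its own line.
LISTING = r"""
/usr/(local/)?Adobe/.*\.api                        regular file
system_u:object_r:texrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?lib/[^/]*\.so(\.[^/]*)*  regular file
system_u:object_r:texrel_shlib_t:s0
/usr/(.*/)?intellinux/SPPlugins/ADMPlugin\.apl     regular file
system_u:object_r:textrel_shlib_t:s0
/usr/(local/)?Adobe/(.*/)?intellinux/nppdf\.so     regular file
system_u:object_r:texrel_shlib_t:s0
"""
EXPECTED_TYPE = "textrel_shlib_t"  # type used by the chcon command in the thread

# Constructed sample paths; "Acrobat7.0" and "AcroForm.api" are assumptions.
SAMPLE_PATHS = [
    "/usr/lib/acroread/Reader/intellinux/lib/libJP2K.so",
    "/usr/lib/acroread/Reader/intellinux/SPPlugins/ADMPlugin.apl",
    "/usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so",
    "/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api",
]

def parse_fcontext(listing):
    """Return [(compiled_regex, selinux_type)], tolerating wrapped context lines."""
    entries, pending = [], None
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = re.split(r"\s{2,}", line)
        if line.startswith("/"):
            pending, fields = fields[0], fields[2:]  # context may follow on next line
        if pending and fields and fields[-1].count(":") >= 2:
            entries.append((re.compile(pending), fields[-1].split(":")[2]))
            pending = None
    return entries

def audit(paths, entries):
    """Map each path to 'ok', 'no-match' or 'unexpected:<types>'."""
    report = {}
    for path in paths:
        # File-context regexes are anchored at both ends, hence fullmatch().
        types = {t for rx, t in entries if rx.fullmatch(path)}
        bad = sorted(types - {EXPECTED_TYPE})
        report[path] = "no-match" if not types else ("unexpected:" + ",".join(bad) if bad else "ok")
    return report

if __name__ == "__main__":
    for path, verdict in audit(SAMPLE_PATHS, parse_fcontext(LISTING)).items():
        print(f"{verdict:28} {path}")
```

On the sample paths, only ADMPlugin.apl under /usr/lib/acroread is matched with the expected type; the other /usr/lib/acroread file matches no listed entry, and the /usr/local/Adobe files match entries whose type is spelled texrel_shlib_t in the listing.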




More information about the fedora-selinux-list mailing list