SELinux Issue with bioapi stuff on FC6

Will Woods wwoods at redhat.com
Fri Dec 1 15:59:48 UTC 2006


On Fri, 2006-12-01 at 10:32 -0500, Ryan Skadberg wrote:
> So, I recently got an IBM Thinkpad T43 which has a fingerprint
> scanner.  I went here:
> 
> http://www.thinkwiki.org/wiki/Script_for_enabling_the_fingerprint_reader
> 
> And ran the script (knowing it said it would not work on FC6).
> Looking at /var/log/messages, I see the reason things don't work is
> because of SELinux.
> 
> I turned on the setroubleshoot daemon and it tells me in the Allowing
> Access section:
> 
> --
> If you trust /opt/bioapi/lib/libtfmessbsp.so to run correctly, you can
> change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
> /opt/bioapi/lib/libtfmessbsp.so"
> 
> The following command will allow this access:
> chcon -t textrel_shlib_t /opt/bioapi/lib/libtfmessbsp.so
> --
> 
> After doing this, I ran the script again and got the same error again
> :(  What am I missing?

Lucky for you, I have the same laptop, so I'm trying it out right now.
Here's my guess:

That script builds and installs libtfmessbsp.so for you, so when you run
the script again, it recreates the file. 

Remember that 'chcon' just changes the SELinux context for a file, like
chmod does for permissions. So if you reinstall the file, you lose your
permission changes.

This should be fixed by either:
1) rewriting the library to not require text relocations (hard)
2) packaging the libraries properly and including the right SELinux
contexts in the RPM (better)
3) changing the script to do the 'chcon' after building and installing
the libraries (easiest)

Hope that helps, 

-w

p.s. Good work using setroubleshoot to track this down - it makes
everyone's life much easier!
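
Fix (3) from the list above, sketched as an added example that is not part of the original message or the ThinkWiki script: a helper the install script could call after each build so the label is reapplied whenever the file is recreated. The function names are hypothetical; the path and type come from the thread. It goes slightly beyond a bare `chcon` by first recording a persistent rule with `semanage fcontext` when that tool is present (an assumption), so `restorecon` keeps the type too.

```shell
#!/bin/sh
# Added example: reapply the SELinux type after the library is rebuilt.
LIB=/opt/bioapi/lib/libtfmessbsp.so   # path from the thread
WANT_TYPE=textrel_shlib_t             # type suggested by setroubleshoot

# Print the type field of a context string (user:role:type[:level]).
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Succeed (return 0) when the context does not already carry WANT_TYPE.
needs_relabel() {
    [ "$(context_type "$1")" != "$WANT_TYPE" ]
}

# Label one file; meant to run after every build/install step.
relabel_lib() {
    lib=$1
    if ! command -v selinuxenabled >/dev/null 2>&1 || ! selinuxenabled; then
        echo "SELinux not enabled, nothing to do"
        return 0
    fi
    [ -f "$lib" ] || { echo "missing: $lib" >&2; return 1; }
    if needs_relabel "$(stat -c %C "$lib")"; then
        if command -v semanage >/dev/null 2>&1; then
            # Persistent rule (the path is treated as a regex); -a fails
            # harmlessly if the rule already exists.
            semanage fcontext -a -t "$WANT_TYPE" "$lib" 2>/dev/null || true
            restorecon "$lib"
        fi
        # Fall back to a direct chcon if the rule did not take effect.
        if needs_relabel "$(stat -c %C "$lib")"; then
            chcon -t "$WANT_TYPE" "$lib"
        fi
    fi
    # Verify the result instead of assuming the commands worked.
    if needs_relabel "$(stat -c %C "$lib")"; then
        echo "relabel failed for $lib" >&2
        return 1
    fi
    return 0
}

# Only touch the system when asked to explicitly.
if [ "${1:-}" = "--apply" ]; then
    relabel_lib "$LIB"
fi
```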

More information about the fedora-test-list mailing list