Bug 157133
Summary: | I'm not able to run Mozilla after selinux-policy-targeted update | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Dawid Gajownik <gajownik> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 3 | CC: | djuran, fountainspirit |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | i386 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2005-06-13 16:55:29 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
Dawid Gajownik
2005-05-07 10:46:32 UTC
```
chcon -t texrel_shlib_t /usr/local/mozilla/libxpcom_core.so
setsebool -P allow_execmod=1
```

Thanks for the quick response. Your advice was really helpful -- now I can run Mozilla with 'setenforce 1' :)

After entering those commands and launching mozilla, a new avc message appeared:

```
audit(1115467542.721:0): avc: denied { execmod } for pid=7056 comm=mozilla-bin path=/usr/local/mozilla/components/libqfaservices.so dev=hda5 ino=457824 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
```

I run:

```
chcon -t texrel_shlib_t /usr/local/mozilla/components/libqfaservices.so
```

and everything works fine B)

Just FYI (I know that proprietary programs are not supported):

```
audit(1115473906.013:0): avc: denied { execmod } for pid=8270 comm=mozilla-bin path=/usr/local/mozilla/plugins/libflashplayer.so dev=hda5 ino=457814 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
```

Another one:

```
audit(1115482727.732:0): avc: denied { execmod } for pid=28821 comm=soffice.bin path=/opt/openoffice.org1.9.100/program/libicudata.so.26.0.1 dev=hda5 ino=3543 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
```

(sorry for bothering you)

I also noticed that my test forum stopped working (everything was fine with the selinux-policy-targeted-1.17.30-2.96):

```
audit(1115548693.535:0): avc: denied { write } for pid=4431 exe=/usr/sbin/httpd name=ip.log dev=hda6 ino=237641 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
audit(1115548693.736:0): avc: denied { append } for pid=4431 exe=/usr/sbin/httpd name=board-2005-05-08.log dev=hda6 ino=237745 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
```

```
[y4kk0@X unb_log]$ ls -Z
-rw-r--r-- apache apache root:object_r:httpd_sys_content_t board-2005-05-04.log
-rw-r--r-- apache apache root:object_r:httpd_sys_content_t board-2005-05-05.log
-rw-r--r-- apache apache root:object_r:httpd_sys_content_t board-2005-05-06.log
-rw-r--r-- apache apache root:object_r:httpd_sys_content_t board-2005-05-07.log
-rw-r--r-- apache apache root:object_r:httpd_sys_content_t board-2005-05-08.log
-rw-r--r-- apache apache root:object_r:httpd_sys_content_t error-2005-05.log
-rw-r--r-- apache apache system_u:object_r:httpd_user_content_t ip.log
[y4kk0@X unb_log]$
```

Maybe it should be documented that there can be such problems (and of course how to fix them) if you want to make such big changes in the selinux-policy-targeted package.

This is probably a boolean problem. Can you show me your

```
getsebool -a | grep http
```

These are test releases which I am looking for problems with. I am trying to see if we can update FC3/RHEL4 targets to match Rawhide.

Dan

Of course I can :]

```
[root@X ~]# getsebool -a | grep http
httpd_builtin_scripting --> inactive
httpd_can_network_connect --> inactive
httpd_disable_trans --> inactive
httpd_enable_cgi --> active
httpd_enable_homedirs --> active
httpd_ssi_exec --> active
httpd_tty_comm --> inactive
httpd_unified --> active
[root@X ~]#
```

Try

```
setsebool -P httpd_builtin_scripting=1
```

And see if this solves your problem. I think I need to default this to on, so I don't break anything.

Dan

Changing this boolean to true resolves the problem. Thanks!

BTW how can I revert all the changes to the default values after updating selinux-policy-targeted package, so that I could be able to test this package properly?

In Rawhide (FC4) we added the concept of booleans.local to allow users to customize the policy on the fly and still allow us to update the booleans file. So you could remove booleans.local and you would get the default configuration. In order to get the same behaviour in FC3/RHEL4 currently you could remove the booleans file before updating policy and then you would get the default booleans file in the policy file. I hope to update RHEL4 with the booleans.local changes in U2.

Dan

Well, I have removed /etc/selinux/targeted/booleans and downgraded selinux-policy-targeted to 1.17.30-2.96. My next step was "touch /.autorelabel && reboot". After all I upgraded selinux-policy-targeted to 1.17.30-3.2.

Mozilla+Flash and my forum work OK. Only OOo 1.9.104 from openoffice.org still crashes:

```
[y4kk0@X ~]$ soffice
/etc/openoffice.org-1.9/program/soffice.bin: error while loading shared libraries: /opt/openoffice.org1.9.104/program/libicudata.so.26: cannot restore segment prot after reloc: Permission denied
[y4kk0@X ~]$
```

I'm closing this bug, because I'm switching to FC4 and I won't be able to test next packages. Feel free to open it if you like :) Thanks for fixing the problem with Mozilla!

(In reply to comment #11)
> Well, I have removed /etc/selinux/targeted/booleans and downgraded
> selinux-policy-targeted to 1.17.30-2.96. My next step was "touch /.autorelabel
> && reboot". After all I upgraded selinux-policy-targeted to 1.17.30-3.2.

How do you downgrade selinux-policy-targeted? I just updated selinux yesterday, and then suddenly Matlab couldn't launch. Originally, I thought the problem was with Matlab, so I uninstalled Matlab and tried to (re)install it. However, I can't install it anymore. When I try to install, it gives me the following errors, which I now believe is due to the selinux update.

================================================================================

```
[root@localhost matlab704]# /root/Desktop/HenryStuff/Downloads/Matlab701SP2/Matlab_R14_SP2/cd1/CD1/install
-------------------------------------------------------------------
An error status was returned by the program 'xsetup',
the X Window System version of 'install'. The following
messages were written to standard error:

/tmp/6261tmwinstall/update/bin/glnx86/xsetup: error while loading shared libraries: /tmp/6261tmwinstall/update/bin/glnx86/libmwins.so: cannot restore segment prot after reloc: Permission denied

Attempt to fix the problem and try again. If X is not available
or 'xsetup' cannot be made to work then try the terminal
version of 'install' using the command:

install* -t or INSTALL* -t
-------------------------------------------------------------------
/tmp/6261tmwinstall/update/install/abort.sh: line 15: /tmp/6261tmwinstall/update/install/cleanup.sh: No such file or directory
[root@localhost matlab704]#
```

Thank you for your feedback!
Henry

================================================================================

```
rpm -Uvh selinux-policy-targeted-some_numbers.rpm --oldpackage
```

If you have problems with installing Matlab, you can always switch SELinux to permissive mode just for installation time:

```
setenforce 0
```

After all, switch it to enforcing mode:

```
setenforce 1
```

BTW there is a new package in updates-testing - http://www.redhat.com/archives/fedora-test-list/2005-June/msg00555.html

Maybe this one will resolve your problem:

```
yum --enablerepo=updates-testing update selinux-policy-targeted
```

Hope that helps.
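
A small triage helper for AVC denials like those quoted in this thread, as an added example that is not part of the bug report or of the selinux-policy packages: it groups denials by source type, permission and target type, so repeated cases such as the `execmod` denials on `usr_t` libraries show up as one group to review. The function names `parse_avc` and `triage` are assumptions made for illustration; the sample lines are taken from the comments above with whitespace normalised.

```python
import re
from collections import defaultdict

# AVC denials taken from the comments on this page (FC3-era audit format).
SAMPLE = """\
audit(1115467542.721:0): avc: denied { execmod } for pid=7056 comm=mozilla-bin path=/usr/local/mozilla/components/libqfaservices.so dev=hda5 ino=457824 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1115473906.013:0): avc: denied { execmod } for pid=8270 comm=mozilla-bin path=/usr/local/mozilla/plugins/libflashplayer.so dev=hda5 ino=457814 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1115548693.535:0): avc: denied { write } for pid=4431 exe=/usr/sbin/httpd name=ip.log dev=hda6 ino=237641 scontext=root:system_r:httpd_t tcontext=system_u:object_r:httpd_sys_content_t tclass=file
audit(1115548693.736:0): avc: denied { append } for pid=4431 exe=/usr/sbin/httpd name=board-2005-05-08.log dev=hda6 ino=237745 scontext=root:system_r:httpd_t tcontext=root:object_r:httpd_sys_content_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return a dict for one 'avc: denied' line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    rec["perms"] = m.group("perms").split()
    # Contexts are user:role:type[:level]; policy rules key on the type field.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) > 2 else None
    return rec

def triage(text):
    """Group denials by (source type, permission, target type) -> set of objects."""
    groups = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue  # skip anything that is not an AVC denial
        obj = rec.get("path") or rec.get("name", "?")
        for perm in rec["perms"]:
            groups[(rec["scontext_type"], perm, rec["tcontext_type"])].add(obj)
    return dict(groups)

if __name__ == "__main__":
    for (src, perm, tgt), objs in sorted(triage(SAMPLE).items()):
        print(f"{src} -> {tgt} [{perm}]: {', '.join(sorted(objs))}")
```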