Bug 160331
Summary: | update to selinux-policy-targeted breaks 3rd party apps (like wine + Lotus Notes, IBM db2, etc) | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | James Hunt <jamesodhunt> |
Component: | selinux-policy-targeted | Assignee: | Daniel Walsh <dwalsh> |
Status: | CLOSED CURRENTRELEASE | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 3 | CC: | dwm, jose.p.oliveira.oss, mail |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | 1.25.2-4 | Doc Type: | Bug Fix |
Last Closed: | 2005-07-21 19:16:10 UTC | Type: | --- |
Description
James Hunt
2005-06-14 14:55:38 UTC
Related ticket

* selinux-policy-targeted 1.17.30-3.2 breaks Adobe AcroRead 7.0.0-2
  https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=160106

Also breaks the cisco vpnclient package:

```
Jun 14 16:12:20 localhost kernel: audit(1118761940.276:0): avc: denied { execmod } for pid=5447 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=hda9 ino=827502 scontext=root:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
```

fixed in selinux-policy-targeted 1.17.30-3.9

Daniel,

Unfortunately, it is not fixed in 1.17.30-3.9; I get exactly the same errors, and have had to revert to permissive mode again.

Regards,

James.

James,

Do you have allow_execmod set?

```
setsebool -P allow_execmod=1
```

Dan

Hi Dan,

I believe so...

```
cat /selinux/booleans/allow_execmod
1 1
```

Here's the output of "sestatus -v":

```
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_execmem           active
allow_execmod           active
allow_execstack         active
allow_kerberos          active
allow_ypbind            active
dhcpd_disable_trans     inactive
httpd_builtin_scripting inactive
httpd_can_network_connectinactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
mysqld_disable_trans    inactive
named_disable_trans     inactive
named_write_master_zonesinactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
postgresql_disable_transinactive
snmpd_disable_trans     inactive
squid_disable_trans     inactive
syslogd_disable_trans   inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
use_syslogng            inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive

Process contexts:
Current context:        root:system_r:unconfined_t
Init context:           user_u:system_r:unconfined_t
/sbin/mingetty          user_u:system_r:unconfined_t
/usr/sbin/sshd          user_u:system_r:unconfined_t

File contexts:
Controlling term:       root:object_r:devpts_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/login              system_u:object_r:bin_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty            system_u:object_r:sbin_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/mingetty          system_u:object_r:sbin_t
/usr/sbin/sshd          system_u:object_r:sbin_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t
```

Here's one of the many errors I get in dmesg when I attempt to start Notes under Wine:

```
audit(1119011237.629:0): avc: denied { execmod } for pid=26379 comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll dev=dm-5 ino=672253 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
```

(In reply to comment #3)
> fixed in selinux-policy-targeted 1.17.30-3.9

Works For Me (tm) with crossover office 4.2.

I now have a problem with the current Java SDK from Sun. With selinux-policy-targeted-1.17.30-3.9 everything was working fine. But then I updated to 1.17.30-3.13 and get errors when executing java or javac. Even the Java installer doesn't work.

When executing jdk-1_5_0_04-linux-amd64.bin (the installer's binary) I get the following error:

```
./install.sfx.19637: error while loading shared libraries: /lib64/tls/libc.so.6: cannot apply additional memory protection after relocation: Permission denied
```

/var/var/messages says:

```
kernel: audit(1120039055.765:0): avc: denied { execmod } for pid=19648 comm=install.sfx.196 path=/lib64/tls/libc-2.3.5.so dev=dm-0 ino=24281097 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
```

The output of "sestatus -v" is:

```
SELinux status:         enabled
SELinuxfs mount:        /selinux
Current mode:           enforcing
Mode from config file:  enforcing
Policy version:         18
Policy from config file:targeted

Policy booleans:
allow_execmem           active
allow_execmod           active
allow_execstack         active
allow_kerberos          active
allow_ypbind            active
dhcpd_disable_trans     inactive
httpd_builtin_scripting inactive
httpd_can_network_connectinactive
httpd_disable_trans     inactive
httpd_enable_cgi        active
httpd_enable_homedirs   active
httpd_ssi_exec          active
httpd_tty_comm          inactive
httpd_unified           active
mysqld_disable_trans    inactive
named_disable_trans     inactive
named_write_master_zonesinactive
nscd_disable_trans      inactive
ntpd_disable_trans      inactive
portmap_disable_trans   inactive
postgresql_disable_transinactive
read_default_t          active
snmpd_disable_trans     inactive
squid_connect_any       inactive
squid_disable_trans     inactive
syslogd_disable_trans   inactive
use_nfs_home_dirs       inactive
use_samba_home_dirs     inactive
winbind_disable_trans   inactive
ypbind_disable_trans    inactive

Process contexts:
Current context:        root:system_r:unconfined_t
Init context:           user_u:system_r:unconfined_t
/sbin/mingetty          user_u:system_r:unconfined_t
/usr/sbin/sshd          root:system_r:unconfined_t

File contexts:
Controlling term:       root:object_r:devpts_t
/etc/passwd             system_u:object_r:etc_t
/etc/shadow             system_u:object_r:shadow_t
/bin/bash               system_u:object_r:shell_exec_t
/bin/login              system_u:object_r:bin_t
/bin/sh                 system_u:object_r:bin_t -> system_u:object_r:shell_exec_t
/sbin/agetty            system_u:object_r:sbin_t
/sbin/init              system_u:object_r:init_exec_t
/sbin/mingetty          system_u:object_r:sbin_t
/usr/sbin/sshd          system_u:object_r:sbin_t
/lib/libc.so.6          system_u:object_r:lib_t -> system_u:object_r:shlib_t
/lib/ld-linux.so.2      system_u:object_r:lib_t -> system_u:object_r:ld_so_t
```

Addition to comment #8: If I set "setenforce 0" everything is working as expected, but I think this is a workaround and not a solution.

Sorry - forgot to update bug. I'm now running with selinux-policy-targeted-1.25.2-4, and it is also fixed for me; I'm now running back in enforcing mode.
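
Added example (not part of the original bug report or of any SELinux tool): a small Python parser run over the three `avc: denied` lines quoted in the comments above, grouping the `execmod` denials by source and target type so the common pattern (`unconfined_t` against files labelled `usr_t` or `lib_t`) is visible at a glance. The function names `parse_avc` and `execmod_summary` are hypothetical, and the parser assumes paths without spaces, as in these lines.

```python
import re
from collections import defaultdict

# The three AVC denial lines quoted in this bug report.
SAMPLE_LOG = """\
Jun 14 16:12:20 localhost kernel: audit(1118761940.276:0): avc: denied { execmod } for pid=5447 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=hda9 ino=827502 scontext=root:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
audit(1119011237.629:0): avc: denied { execmod } for pid=26379 comm=wine-preloader path=/usr/ibm/c4eb/nul6/program/Lotus/Notes/nnotesws.dll dev=dm-5 ino=672253 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
kernel: audit(1120039055.765:0): avc: denied { execmod } for pid=19648 comm=install.sfx.196 path=/lib64/tls/libc-2.3.5.so dev=dm-0 ino=24281097 scontext=root:system_r:unconfined_t tcontext=system_u:object_r:lib_t tclass=file
"""

# Matches the "avc: denied { perms } for key=value ..." part of a log line,
# regardless of any syslog prefix in front of it.
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)")

def parse_avc(line):
    """Return a dict of AVC fields, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"perms": m.group("perms").split()}
    for token in m.group("fields").split():
        key, sep, value = token.partition("=")
        if sep:
            rec[key] = value.strip('"')
    return rec

def execmod_summary(log_text):
    """Map (source type, target type) -> sorted paths denied execmod."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and "execmod" in rec["perms"] and rec.get("tclass") == "file":
            stype = rec["scontext"].split(":")[2]  # user:role:type
            ttype = rec["tcontext"].split(":")[2]
            groups[(stype, ttype)].add(rec.get("path", "?"))
    return {key: sorted(paths) for key, paths in groups.items()}

if __name__ == "__main__":
    for (stype, ttype), paths in execmod_summary(SAMPLE_LOG).items():
        print(f"{stype} -> {ttype}: execmod denied on")
        for p in paths:
            print(f"  {p}")
```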