Bug 234332

Summary: F-Secure Policy Manager doesn't run in a SELinux environment
Product: [Fedora] Fedora Reporter: Răzvan Sandu <rsandu2004>
Component: selinux-policy-targetedAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE QA Contact: Ben Levenson <benl>
Severity: medium Docs Contact:
Priority: medium    
Version: 6   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://www.f-secure.com
Whiteboard:
Fixed In Version: 2.5.11-4.fc7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2007-07-17 22:26:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Răzvan Sandu 2007-03-28 15:33:59 UTC 
Description of problem:

Some components of the F-Secure antivirus suite (Policy Manager and Management
Console) doesn't run with the default SELinux targeted policy.

Version-Release number of selected component (if applicable):

f-secure-automatic-update-agent-2.1.1489-1.i386.rpm
f-secure-policy-manager-console-7.00.4220-1.i386.rpm
f-secure-policy-manager-server-7.00.7040-1.i386.rpm
f-secure-policy-manager-web-reporting-7.00.235-1.i386.rpm


How reproducible:
Always.

Steps to Reproduce:
1. Install a clean FC6 + updates (28.03.2007), with SELinux targeted policy,
enforcing mode.
2. Install the above RPMs, available from http;//www.f-secure.com
3. Try to start installed services (Policy Manager). Service doesn't start.
4. Disable SELinux and retry to start services. Services now start.

  
Actual results:
Program does not perform as specified in a SELinux environment.

Expected results:
Program should perform as specified when SELinux is enabled.

Additional info:
Red Hat Enterprise Linux is mentioned as a supported OS by F-Secure.
Comment 1 Daniel Walsh 2007-03-28 20:17:57 UTC 
What avc messages are you seeing in your log files?

/var/log/audit/audit.log
Comment 2 Răzvan Sandu 2007-04-02 06:39:44 UTC 
Hello,

I can't respond to the above question right now (I don't have the testing
machine at hand).

However, this is the official answer I've got from F-Secure developer in Finland:

-------------------------------------------------------------------------------


Confirmed while testing on FC6 with selinux configured to enforcing + targeted

 

/etc/selinux/config

...

SELINUX=enforcing

...

SELINUXTYPE=targeted

 

Executing "/etc/init.d/fspms start" generated folllowing error:

 

"Cannot load /opt/f-secure/fspms/libexec/libfsmsh.so into server:
/opt/f-secure/fspms/libexec/librapi.so.0: cannot restore segment prot after
reloc: Permission denied"

 

/var/log/messages:

... avc: denied { execmod } for pid=2879 comm="fspms" name="librapi.so.0.0.0" ....

 

Checked http://docs.fedoraproject.org/selinux-faq-fc5/#faq-entry-unconfined_t

and per instructions, executed the following:

 

# /usr/sbin/semanage fcontext -a -t textrel_shlib_t
'/opt/f-secure/fspms/libexec/librapi.so.0.0.0'

# /sbin/restorecon -v /opt/f-secure/fspms/libexec/librapi.so.0.0.0

 

Now, when I stopped and started fspms, no problems noted and no avc errors in
syslog. Accessing both admin and host-port via localhost 80 and 8080 worked, too.
----------------------------------------------------------------------------


Regards,
Răzvan
Comment 3 Răzvan Sandu 2007-04-04 11:49:33 UTC 
A bug regarding this was also created on F-Secure's website:

Number: 1-101072186
Created: 4.4.2007 14:38:24
Subject: F-Secure Policy Manager doesn't run in the default SELinux environment


Regards,
Răzvan
Comment 4 Daniel Walsh 2007-04-05 14:45:43 UTC 
Fixed in selinux-policy-2.5.11-4.fc7