From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
This morning I ran "yum update", and picked up selinux-policy-targeted-1.17.30-3.2.noarch.rpm. After I rebooted, the "acroread" command no longer worked. Downloading and regressing to selinux-policy-targeted-1.17.30-2.96.noarch.rpm fixed the problem. This is running the acroread from AdobeReader_enu-7.0.0-2 distributed by Adobe.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-1.17.30-3.2

How reproducible:
Always

Steps to Reproduce:
1. Install Adobe Acroread, from the AdobeReader_enu-7.0.0-2 rpm distributed by Adobe.
2. Run "acroread". Notice that it works fine.
3. Update your system to selinux-policy-targeted-1.17.30-3.2.noarch.rpm. Reboot.
4. Run "acroread". Notice that it fails, with a return code of "1".

Actual Results: Acroread no longer works.

Expected Results: It should have worked.

Additional info:
Log:
audit(1118486533.159:0): avc: denied { execmod } for pid=3809 comm=acroread path=/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=dm-0 ino=1552467 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1118486533.195:0): avc: denied { execmod } for pid=3809 comm=acroread path=/usr/local/Adobe/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl dev=dm-0 ino=1402985 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
My system behaves exactly the same as the one from Chris Colohan (see first comment). When looking in my system log I found the following entry:
audit(1118685112.159:0): avc: denied { execmod } for pid=2506 comm=acroread path=/usr/local/Adobe/Acrobat7.0/Reader/intellinux/lib/libJP2K.so dev=dm-0 ino=203105 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
But there are other entries concerning the real player on my system. It seems that selinux-policy-targeted 1.17.30-3.2 breaks the real player too:
audit(1118685711.911:0): avc: denied { execmod } for pid=2776 comm=realplay.bin path=/usr/local/RealPlayer/plugins/vidsite.so dev=dm-0 ino=410123 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1118685711.912:0): avc: denied { execmod } for pid=2776 comm=realplay.bin path=/usr/local/RealPlayer/plugins/vidsite.so dev=dm-0 ino=410123 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1118685713.064:0): avc: denied { execmod } for pid=2776 comm=realplay.bin path=/usr/local/RealPlayer/plugins/theorarend.so dev=dm-0 ino=410122 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1118685713.222:0): avc: denied { execmod } for pid=2776 comm=realplay.bin path=/usr/local/RealPlayer/plugins/vorbisrend.so dev=dm-0 ino=410124 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1118685713.675:0): avc: denied { execmod } for pid=2776 comm=realplay.bin path=/usr/local/RealPlayer/plugins/oggfformat.so dev=dm-0 ino=410098 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1118685713.914:0): avc: denied { execmod } for pid=2776 comm=realplay.bin path=/usr/local/RealPlayer/plugins/swfrender.so dev=dm-0 ino=410121 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
audit(1118685714.110:0): avc: denied { execmod } for pid=2776 comm=realplay.bin path=/usr/local/RealPlayer/plugins/vidsite.so dev=dm-0 ino=410123 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
Breaks the Cisco VPN Client v4.6.02.0030 (latest) as well.

[jroysdon@han ~]$ vpnclient connect PROFILE
vpnclient: error while loading shared libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot after reloc: Permission denied
[jroysdon@han ~]$ su -
Password:
[root@han ~]# vpnclient connect PROFILE
vpnclient: error while loading shared libraries: /opt/cisco-vpnclient/lib/libvpnapi.so: cannot restore segment prot after reloc: Permission denied

/var/log/messages
Jun 14 14:10:38 han kernel: audit(1118783438.560:0): avc: denied { execmod } for pid=5379 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=dm-0 ino=3211355 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
Jun 14 14:10:48 han su(pam_unix)[5380]: authentication failure; logname=jroysdon uid=500 euid=0 tty= ruser=jroysdon rhost= user=root
Jun 14 14:10:52 han su(pam_unix)[5381]: session opened for user root by jroysdon(uid=500)
Jun 14 14:10:54 han kernel: audit(1118783454.168:0): avc: denied { execmod } for pid=5416 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=dm-0 ino=3211355 scontext=root:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
Jun 14 14:11:48 han net.agent[5471]: remove event not handled
Jun 14 14:11:49 han net.agent[5489]: remove event not handled
Jun 14 14:12:00 han ntpd[3347]: synchronized to 207.145.113.116, stratum 1
Jun 14 14:12:01 han kernel: Cisco Systems VPN Client Version 4.6.02 (0030) kernel module loaded
Jun 14 14:12:05 han kernel: audit(1118783525.799:0): avc: denied { execmod } for pid=5627 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=dm-0 ino=3211355 scontext=root:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
Jun 14 14:13:23 han kernel: audit(1118783603.388:0): avc: granted { setenforce } for pid=5653 exe=/usr/sbin/setenforce scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Jun 14 14:13:25 han kernel: audit(1118783605.624:0): avc: denied { execmod } for pid=5654 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=dm-0 ino=3211355 scontext=root:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
After installing selinux-policy-targeted-1.17.30-3.2 on my FC3 system I could not open OpenOffice.org version 104. Even the root user could not. As soon as the enforce target was deselected then OpenOffice worked.
This is killing a lot of non-Fedora-packaged apps. Please see my duplicate bug 16033: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=16033

Please revert these changes to the policy files or provide clear direction on:

a) What is actually happening to cause SELinux to fire the denial messages. What actually _is_ the "execmod" thing? Is there a list of these "things" somewhere with associated explanations? I'm still wading through piles of partially out-of-date docs on the NSA site and others....

b) How to add appropriate rules to the SELinux config files to stop these denials.

This bug needs fixing fast as I -- and presumably everyone else who has suffered here -- have had to put my machine into permissive mode in a lame attempt to actually get on and do some work with the box. This fix does work of course, but I'm now not getting the full benefit of SELinux, and my machine is now less secure. I am partly to blame since I'm trusting a part of the system that, as I am now only too painfully aware, I don't understand. But learning SELinux has a steep learning curve and the supporting RH doc I'd expect just doesn't seem to be there. In summary, help!
I believe you're citing the wrong bug id (this is an old RH7 bug). You might roll back to the prior SELinux policy (install the old RPM). For now, I'm running my server in permissive mode. My own laptop I run enabled, except I will switch to permissive mode just long enough to start and stop my vpn. Stock OOo 1.1.3 (openoffice.org-1.1.3-11.5.0.fc3) works fine, btw.
Fixed in selinux-policy-targeted-1.17.30-3.9
Getting:
Jun 16 22:07:26 localhost kernel: audit(1118923646.312:0): avc: denied { write } for pid=9803 exe=/usr/sbin/httpd name=temp dev=dm-0 ino=1127632 scontext=root:system_r:httpd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir
when trying to write to a home directory public_html directory. Tried selinux-policy-targeted-1.17.30-3.9, but does not resolve error. Worked flawlessly prior to selinux-policy-targeted-1.17.30-3.2
selinux-policy-targeted-1.17.30-3.9.noarch.rpm resolved my Cisco VPN client issue.
Comment #8: Is httpd_builtin_scripting turned on?
setsebool -P httpd_builtin_scripting=1
selinux-policy-targeted-1.17.30-3.9.noarch.rpm also resolved my issue with OpenOffice. Thanks for the fast work!
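The avc records quoted throughout this thread all have the same shape, and the question above about what "execmod" is comes down to reading their fields: the permission in braces, the subject process (comm or exe), the object (path or name) and the object's type at the end of tcontext. As an added example that is not part of the bug report or of Fedora's tooling, here is a small parser that groups denials by permission and lists the (program, library, type) triples behind the execmod ones, so an admin can see which third-party libraries the policy update tripped over; the sample records are copied from the comments above.

```python
import re
from collections import defaultdict

# FC3-era kernel audit record, bare or behind a syslog prefix ("Jun 14 14:10:38 han kernel: ...").
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):\d+\): avc: (?P<result>granted|denied) "
    r"\{ (?P<perms>[^}]+) \} for (?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: five records copied from the comments in this thread.
SAMPLE_LOG = """\
audit(1118486533.159:0): avc: denied { execmod } for pid=3809 comm=acroread path=/usr/local/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=dm-0 ino=1552467 scontext=user_u:system_r:unconfined_t tcontext=system_u:object_r:usr_t tclass=file
Jun 14 14:10:38 han kernel: audit(1118783438.560:0): avc: denied { execmod } for pid=5379 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=dm-0 ino=3211355 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
Jun 14 14:10:54 han kernel: audit(1118783454.168:0): avc: denied { execmod } for pid=5416 comm=vpnclient path=/opt/cisco-vpnclient/lib/libvpnapi.so dev=dm-0 ino=3211355 scontext=root:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
Jun 14 14:13:23 han kernel: audit(1118783603.388:0): avc: granted { setenforce } for pid=5653 exe=/usr/sbin/setenforce scontext=root:system_r:unconfined_t tcontext=system_u:object_r:security_t tclass=security
Jun 16 22:07:26 localhost kernel: audit(1118923646.312:0): avc: denied { write } for pid=9803 exe=/usr/sbin/httpd name=temp dev=dm-0 ino=1127632 scontext=root:system_r:httpd_t tcontext=user_u:object_r:httpd_sys_content_t tclass=dir
""".splitlines()

def parse_avc(line):
    """Return one avc record as a dict, or None when the line is not an avc record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "result": m.group("result"),
           "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    # Contexts are user:role:type; the target type is what a relabel or policy update changes.
    rec["ttype"] = rec["tcontext"].split(":")[-1]
    rec["subject"] = rec.get("comm") or rec.get("exe")
    return rec

def denials(lines):
    """Group denied records by permission, then count (program, object, target type) triples."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        obj = rec.get("path") or rec.get("name")
        for perm in rec["perms"]:
            counts[perm][(rec["subject"], obj, rec["ttype"])] += 1
    return {perm: dict(by_obj) for perm, by_obj in counts.items()}

# execmod is checked when a process makes a private, already-written file mapping
# executable, which is what ld.so does to apply text relocations in a non-PIC shared
# object; "cannot restore segment prot after reloc" above is the loader reporting it.
def execmod_targets(lines):
    """Sorted (program, path, type) triples that need a relabel or policy fix for execmod."""
    return sorted(denials(lines).get("execmod", {}))
```

Feeding it /var/log/messages separates the execmod breakage from unrelated denials such as the httpd write one, which is a different policy question (the httpd_builtin_scripting boolean) rather than a library labelling problem.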