Description of problem:
The Seamonkey application, successor to the Mozilla application suite, provided in an rpm package in Fedora Extras, does not start up on Fedora Core 5 in enforcing mode. It seems an exception has been made already, to allow all other Mozilla based apps (Firefox, Thunderbird, Mozilla, Sunbird) to run with textrel_shlib_t. I propose the same rule gets applied to the Seamonkey application, too.
Version-Release number of selected component (if applicable):
selinux-policy-2.3.3-8.fc5 (and seamonkey-1.0.4-0.5.1.fc5)
How reproducible:
Install seamonkey and try to start, while enforcing mode is enabled.
Steps to Reproduce:
- yum install seamonkey
- setenforce 1
- ./seamonkey
Actual results:
Does not start, error shown in audit.log
Expected results:
App should start
Additional info:
See also the original request to fix this in bug 201648, where this was identified as the cause.
https://www.redhat.com/archives/fedora-list/2006-August/msg01448.html has information regarding the problem and also comments regarding text relocation not being advisable. If possible, mozilla and the offshoots of the original mozilla should be fixed so they do not need text relocation. I use seamonkey and was putting SELinux in permissive instead of enforcing because of the limiting factor text relocation denials were causing with seamonkey. I am using the suggestion from comment #8 in bug 201648, which allows SELinux to be used for the rest of the system. libxpcom_core.so seemed to have the most avc denied messages in the /var/log/audit/audit.log file on my system.
# ls -lZ /usr/lib/firefox-1.5.0.6/libxpcom_core.so
-rwxr-xr-x root root system_u:object_r:textrel_shlib_t
# ls -lZ /usr/lib/seamonkey-1.0.4/libxpcom_core.so
-rwxr-xr-x root root system_u:object_r:lib_t
# ls -lZ /usr/lib/thunderbird-1.5.0.5/libxpcom_core.so
-rwxr-xr-x root root system_u:object_r:textrel_shlib_t
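An added example, not part of the original report or of the selinux-policy project: a small parser that tallies execmod denials (the permission SELinux checks when a shared library needs text relocation) per file and target type, which is how one would confirm which library is still labelled lib_t. The sample records are constructed, and the field layout (name= or path=, tcontext=, tclass=) is assumed to match the audit.log AVC lines on the affected system.

```python
import re
from collections import Counter

# Constructed sample records in the audit.log AVC layout; pids, inode numbers,
# timestamps, contexts and the libexample.so name are made up for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1156170001.101:51): avc:  denied  { execmod } for  pid=2801 comm="seamonkey-bin" name="libxpcom_core.so" dev=dm-0 ino=100201 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1156170001.101:51): arch=40000003 syscall=125 success=no exit=-13 pid=2801 comm="seamonkey-bin"
type=AVC msg=audit(1156170002.202:52): avc:  denied  { execmod } for  pid=2805 comm="seamonkey-bin" name="libxpcom_core.so" dev=dm-0 ino=100201 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1156170003.303:53): avc:  denied  { execmod } for  pid=2805 comm="seamonkey-bin" path="/usr/lib/seamonkey-1.0.4/libexample.so" dev=dm-0 ino=100202 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC msg=audit(1156170004.404:54): avc:  denied  { read } for  pid=2900 comm="demo" name="notes.txt" dev=dm-0 ino=100300 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict for an AVC denial line, or None for any other record."""
    m = AVC_RE.search(line)
    if not line.startswith("type=AVC") or m is None:
        return None
    # Only parse key=value pairs after the permission set.
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    fields["perms"] = m.group("perms").split()
    # tcontext is user:role:type[:level]; the type is the label ls -Z shows.
    ctx = fields.get("tcontext", "").split(":")
    fields["ttype"] = ctx[2] if len(ctx) > 2 else ""
    return fields

def execmod_denials(log_text):
    """Count execmod (text relocation) denials per (file, target type)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and "execmod" in rec["perms"] and rec.get("tclass") == "file":
            target = rec.get("path") or rec.get("name", "?")
            counts[(target, rec["ttype"])] += 1
    return counts

if __name__ == "__main__":
    for (target, ttype), n in execmod_denials(SAMPLE_AUDIT_LOG).most_common():
        print(f"{n:3d}  {target}  ({ttype})")
```

Files that appear here with type lib_t are the ones the policy would need to label textrel_shlib_t for the application to start in enforcing mode.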
Also RealPlayer's realplay application doesn't work with the new SELinux policy. I had to switch mode to permissive for it to work. It should be added in too.
Please attach avc messages from /var/log/messages.
Created attachment 134436
There are messages in /var/log/audit/audit.log
No AVC messages in /var/log/messages. The messages are in /var/log/audit/audit.log.
Fixed in selinux-policy-2.3.7-2.fc5
Change to modified
I installed selinux-policy-2.3.7-2.fc5 and then relabeled the system afterwards to ensure that the system contained intended contents since I used the temporary fix from the previous bug report. Seamonkey starts fine in enforcing mode after the relabeling with touch /.autorelabel followed by a reboot. The installation of the rpm had a long delay during install on the last entry and a process related to selinux was using a substantial amount of CPU time. I don't recall the exact process.
Yes, this is because the rpm package is updating the files it has changed. It is using restorecon, and that can sometimes take a while.
Thanks for clarifying. I suspected that it was locked up but allowed some more time. I checked the processes with top and recognized the program consuming 90 plus percentage of the cpu was an selinux program. (Read the man pages to be sure) Anyway, I figured I'd mention it in case it was out of the expected behavior scope.