Bug 234332 - F-Secure Policy Manager doesn't run in a SELinux environment
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
6
All Linux
medium Severity medium
Assigned To: Daniel Walsh
Ben Levenson
http://www.f-secure.com
Reported: 2007-03-28 11:33 EDT by Răzvan Sandu
Modified: 2007-11-30 17:12 EST
Fixed In Version: 2.5.11-4.fc7
Doc Type: Bug Fix
Last Closed: 2007-07-17 18:26:45 EDT

Description Răzvan Sandu 2007-03-28 11:33:59 EDT
Description of problem:

Some components of the F-Secure antivirus suite (Policy Manager and Management
Console) don't run with the default SELinux targeted policy.

Version-Release number of selected component (if applicable):

f-secure-automatic-update-agent-2.1.1489-1.i386.rpm
f-secure-policy-manager-console-7.00.4220-1.i386.rpm
f-secure-policy-manager-server-7.00.7040-1.i386.rpm
f-secure-policy-manager-web-reporting-7.00.235-1.i386.rpm


How reproducible:
Always.

Steps to Reproduce:
1. Install a clean FC6 + updates (28.03.2007), with SELinux targeted policy,
enforcing mode.
2. Install the above RPMs, available from http://www.f-secure.com
3. Try to start installed services (Policy Manager). Service doesn't start.
4. Disable SELinux and retry to start services. Services now start.

  
Actual results:
Program does not perform as specified in a SELinux environment.

Expected results:
Program should perform as specified when SELinux is enabled.

Additional info:
Red Hat Enterprise Linux is mentioned as a supported OS by F-Secure.
Comment 1 Daniel Walsh 2007-03-28 16:17:57 EDT
What avc messages are you seeing in your log files?

/var/log/audit/audit.log
Comment 2 Răzvan Sandu 2007-04-02 02:39:44 EDT
Hello,

I can't respond to the above question right now (I don't have the testing
machine at hand).

However, this is the official answer I've got from an F-Secure developer in Finland:

-------------------------------------------------------------------------------

Confirmed while testing on FC6 with selinux configured to enforcing + targeted

/etc/selinux/config

...
SELINUX=enforcing
...
SELINUXTYPE=targeted

Executing "/etc/init.d/fspms start" generated the following error:

"Cannot load /opt/f-secure/fspms/libexec/libfsmsh.so into server:
/opt/f-secure/fspms/libexec/librapi.so.0: cannot restore segment prot after
reloc: Permission denied"

/var/log/messages:

... avc: denied { execmod } for pid=2879 comm="fspms" name="librapi.so.0.0.0" ....

Checked http://docs.fedoraproject.org/selinux-faq-fc5/#faq-entry-unconfined_t
and per instructions, executed the following:

# /usr/sbin/semanage fcontext -a -t textrel_shlib_t '/opt/f-secure/fspms/libexec/librapi.so.0.0.0'
# /sbin/restorecon -v /opt/f-secure/fspms/libexec/librapi.so.0.0.0

Now, when I stopped and started fspms, no problems noted and no avc errors in
syslog. Accessing both admin and host-port via localhost 80 and 8080 worked, too.
----------------------------------------------------------------------------


Regards,
Răzvan
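
Added example (not part of the bug report, and not F-Secure or Fedora code): a shell sketch that tallies execmod denials from log lines like the one quoted in comment 2, and checks a library for text relocations before it is relabeled. The sample log lines, the exampled/libexample.so.1 names and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Log lines below are CONSTRUCTED in the style of the message
# quoted in comment 2; pids, inodes, contexts and the exampled/libexample.so.1
# names are invented.
sample_log() {
cat <<'EOF'
Mar 28 11:40:01 host kernel: audit(1175071201.101:12): avc:  denied  { execmod } for  pid=2879 comm="fspms" name="librapi.so.0.0.0" dev=dm-0 ino=1001 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
Mar 28 11:40:05 host kernel: audit(1175071205.220:13): avc:  denied  { read } for  pid=2901 comm="exampled" name="example.conf" dev=dm-0 ino=1002 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
Mar 28 11:41:10 host kernel: audit(1175071270.007:14): avc:  denied  { execmod } for  pid=2950 comm="fspms" name="librapi.so.0.0.0" dev=dm-0 ino=1001 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
Mar 28 11:42:30 host kernel: audit(1175071350.450:15): avc:  denied  { execmod } for  pid=3011 comm="exampled" name="libexample.so.1" dev=dm-0 ino=1003 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file
EOF
}

# Read log lines on stdin; print "comm<TAB>name<TAB>count" for every
# process/file pair that was denied execmod, sorted.
# Assumes comm= and name= values contain no spaces.
execmod_denials() {
    awk '
    /avc:[ ]+denied/ && /[{][^}]* execmod [^}]*[}]/ {
        comm = name = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^comm=/) { comm = $i; sub(/^comm=/, "", comm); gsub(/"/, "", comm) }
            if ($i ~ /^name=/) { name = $i; sub(/^name=/, "", name); gsub(/"/, "", name) }
        }
        seen[comm "\t" name]++
    }
    END { for (k in seen) printf "%s\t%s\n", k, seen[k] }
    ' | sort
}

# True when the ELF file at $1 carries text relocations (a TEXTREL entry in
# its dynamic section), which is why the loader needs execmod on it.
has_textrel() {
    readelf -d "$1" 2>/dev/null | grep -q 'TEXTREL'
}

# Stand-alone run over the constructed sample.
sample_log | execmod_denials
```

Running has_textrel against the full path of each reported library before applying textrel_shlib_t keeps the relaxed label on files that actually contain text relocations.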
Comment 3 Răzvan Sandu 2007-04-04 07:49:33 EDT
A bug regarding this was also created on F-Secure's website:

Number: 1-101072186
Created: 4.4.2007 14:38:24
Subject: F-Secure Policy Manager doesn't run in the default SELinux environment


Regards,
Răzvan

Comment 4 Daniel Walsh 2007-04-05 10:45:43 EDT
Fixed in selinux-policy-2.5.11-4.fc7
