Bug 452784
| Summary: | SELinux is preventing /opt/openoffice.org2.4/program/soffice.bin from loading /opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1 which requires text relocation. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | soma sekhar saraswatula <somasekhar.saraswatula> |
| Component: | selinux-doc | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED WONTFIX | Severity: | high |
| Priority: | low | Version: | 5.0 |
| CC: | rvokal | Target Milestone: | rc |
| Hardware: | i686 | OS: | Linux |
| Doc Type: | Bug Fix | Last Closed: | 2009-01-08 10:21:36 UTC |

Created attachment 310209
security alert file generated by selinux when installing OOo_2.4.1_LinuxIntel_install_wJRE_en-US.tar

This should be reported as a bug to the maintainers. They should fix the library.

Execute:

# semanage fcontext -a -t textrel_shlib_t '/opt/openoffice.org2.4/program/lib.*'
# restorecon -R -v /opt/openoffice.org2.4/program/

Should fix it.

Description of problem:
The /opt/openoffice.org2.4/program/soffice.bin application attempted to load /opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1 which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow /opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1 to use relocation as a workaround, until the library is fixed.

Version-Release number of selected component (if applicable):

Source Context: root:system_r:unconfined_t:SystemLow-SystemHigh
Target Context: system_u:object_r:usr_t
Target Objects: /opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1 [ file ]
Affected RPM Packages: openoffice.org-core02-2.4.1-9310 [application] openoffice.org-core04u-2.4.1-9310 [target]
Policy RPM: selinux-policy-2.4.6-30.el5
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.allow_execmod
Host Name: linuxmmi01
Platform: Linux linuxmmi01 2.6.18-8.el5 #1 SMP Fri Jan 26 14:15:21 EST 2007 i686 i686
Alert Count: 4
Line Numbers:

How reproducible:
installing OOH680_m17_native_packed-1_en-US.9310

Steps to Reproduce:
1. download OOo_2.4.1_LinuxIntel_install_wJRE_en-US.tar
2. Unzip and run script setup
3.

Actual results:
Raw Audit Messages :
avc: denied { execmod } for comm="soffice.bin" dev=dm-0 egid=0 euid=0 exe="/opt/openoffice.org2.4/program/soffice.bin" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 name="libvclplug_gen680li.so.1.1" path="/opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1" pid=13193 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0

Expected results:
Successful running of OOfice without changing security bit changes

Additional info:
If you trust /opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1 to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1"

The following command will allow this access:
chcon -t textrel_shlib_t /opt/openoffice.org2.4/program/libvclplug_gen680li
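
Before a library is given the textrel_shlib_t label discussed in this report, its ELF dynamic section can be checked for the text-relocation marker (DT_TEXTREL, or DF_TEXTREL in DT_FLAGS), so that only the files that really need the label receive it. The following is an added example, not part of the original bug report or of any SELinux tooling; the function names `has_textrel`, `textrel_libs` and `sample_elf32` are assumptions of this example, and the sample ELF image is constructed.

```python
import struct, sys
from pathlib import Path

DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL, PT_DYNAMIC = 0, 22, 30, 0x4, 2

def has_textrel(data):
    """True if the ELF dynamic section carries DT_TEXTREL or DF_TEXTREL."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                  # EI_CLASS: 1 = ELF32, 2 = ELF64
    e = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little endian
    phoff, = struct.unpack_from(e + ("Q" if is64 else "I"), data, 0x20 if is64 else 0x1C)
    phentsize, phnum = struct.unpack_from(e + "HH", data, 0x36 if is64 else 0x2A)
    dyn = struct.Struct(e + ("qQ" if is64 else "iI"))    # Elf32_Dyn / Elf64_Dyn
    for i in range(phnum):
        ph = phoff + i * phentsize
        if struct.unpack_from(e + "I", data, ph)[0] != PT_DYNAMIC:
            continue
        # p_offset, p_vaddr, p_paddr, p_filesz follow p_type (and p_flags on ELF64)
        off, _, _, size = struct.unpack_from(e + ("4Q" if is64 else "4I"), data, ph + (8 if is64 else 4))
        for pos in range(off, off + size - dyn.size + 1, dyn.size):
            tag, val = dyn.unpack_from(data, pos)
            if tag == DT_NULL:
                break
            if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                return True
    return False

def textrel_libs(directory):
    """Paths of shared objects in directory that are marked as needing text relocation."""
    hits = []
    for path in sorted(Path(directory).glob("*.so*")):
        try:
            if path.is_file() and has_textrel(path.read_bytes()):
                hits.append(str(path))
        except (ValueError, struct.error):
            continue                     # not ELF, or truncated: nothing to label
    return hits

def sample_elf32(entries):
    """Constructed input: minimal little-endian ELF32 holding only a PT_DYNAMIC segment."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in list(entries) + [(DT_NULL, 0)])
    ehdr = b"\x7fELF\x01\x01\x01" + bytes(9) + struct.pack(
        "<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_DYNAMIC, 84, 0, 0, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    print(has_textrel(sample_elf32([(DT_TEXTREL, 0)])))          # constructed sample
    print("\n".join(textrel_libs(sys.argv[1])) if len(sys.argv) > 1 else "")
```

Run with the library directory as the argument; the paths it prints are the candidates for relabeling, and a library that has been rebuilt without text relocations no longer appears.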