Bug 477103
| Summary: | Addition to online release notes: re rhel4ws -> rhel5AS oo.o upgrade | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Wade Mealing <wmealing> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED ERRATA | QA Contact: | BaseOS QE <qe-baseos-auto> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 5.3 | CC: | ddomingo, dwalsh, ksrot, mgrepl, mhideo, rlerch, sfolkwil, syeghiay, tao |
| Target Milestone: | rc | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | selinux-policy-2.4.6-298.el5 | Doc Type: | Bug Fix |
| Doc Text: |
When a user upgraded from Red Hat Enterprise Linux 4 Workstation to 5 Server, the OpenOffice.org suite no longer worked correctly with SELinux. This was because the Red Hat Enterprise Linux version of OpenOffice.org is built using an incorrect library, and as a result, SELinux prevented it from accessing any shared libraries, thus causing it to fail. With this update, the SELinux context has been updated to address this issue, and OpenOffice.org no longer fails.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2011-01-13 22:11:36 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Wade Mealing
2008-12-19 03:50:56 UTC
I can not read the kbase article, and is this true with the 5.3 policy? I have no idea what this is and I can not read the kbase article.
Release note added. If any revisions are required, please set the
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.
New Contents:
OpenOffice breaks after upgrade from RHEL4 to RHEL5 Server
Upon upgrading RHEL4 to RHEL5 server, OpenOffice 1.1.x is retained from RHEL4
install. The same fails to run on RHEL5, if selinux is enabled on the system.
Note:
OpenOffice not provided with RHEL5 Server by default, and OpenOffice 2.3.x can
be installed from "RHEL Optional Productivity App"
The libraries used in the Red Hat Enterprise Linux Version of Open Office were
built incorrectly. When running this version of OpenOffice on a SELinux
enabled machine, the application will break, because SELinux is not allowing it
to use it shared libraries. These libraries are indicating to SELinux a
potential vulnerability. You can label the libraries with textrel_shlib_t,
which tells SELinux that we know these libraries were built incorrectly, but
let them be used.
Solution:
OpenOffice is not provided with RHEL5 Server release, and consequently has
incorrect SELinux file labeling. To fix the context run the command below:
# semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?'
# semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?'
# restorecon -Rv /usr/lib/ooo-1.19
# restorecon -Rv /usr/lib64/ooo-1.19
Alternatively, you can upgrade to OpenOffice provided with RHEL5 by subscribing
to "Productivity App" child channel and running:
$ yum install
openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter
,math,pyuno,writer,xsltfilter}
Sounds good to me Suzanne.
Release note updated. If any revisions are required, please set the
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.
Diffed Contents:
@@ -1,31 +1,13 @@
-OpenOffice breaks after upgrade from RHEL4 to RHEL5 Server
+When upgrading from Red Hat Enterprise Linux 4 Workstation to 5 Server, OpenOffice will no longer work correctly with SELinux. This is because the Red Hat Enterprise Linux version of OpenOffice is built using an incorrect library. As a result, SELinux will prevent OpenOffice from accessing any shared libraries, causing OpenOffice to fail.
-Upon upgrading RHEL4 to RHEL5 server, OpenOffice 1.1.x is retained from RHEL4
-install. The same fails to run on RHEL5, if selinux is enabled on the system.
+To work around this, update the SELinux context to allow OpenOffice to access shared libraries. To do so, run the following commands:
-Note:
-OpenOffice not provided with RHEL5 Server by default, and OpenOffice 2.3.x can
-be installed from "RHEL Optional Productivity App"
-
-The libraries used in the Red Hat Enterprise Linux Version of Open Office were
-built incorrectly. When running this version of OpenOffice on a SELinux
-enabled machine, the application will break, because SELinux is not allowing it
-to use it shared libraries. These libraries are indicating to SELinux a
-potential vulnerability. You can label the libraries with textrel_shlib_t,
-which tells SELinux that we know these libraries were built incorrectly, but
-let them be used.
-
-Solution:
-OpenOffice is not provided with RHEL5 Server release, and consequently has
-incorrect SELinux file labeling. To fix the context run the command below:
-
# semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?'
# semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?'
# restorecon -Rv /usr/lib/ooo-1.19
# restorecon -Rv /usr/lib64/ooo-1.19
-Alternatively, you can upgrade to OpenOffice provided with RHEL5 by subscribing
-to "Productivity App" child channel and running:
+Alternatively, you can also upgrade your OpenOffice to a correct version compatible with SELinux in Red Hat Enterprise Linux 5. You can do this by subscribing to the "Productivity App" child channel in Red Hat Network and running:
$ yum install
openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter
kbase article has been published based on the comments in the BZ. http://kbase.redhat.com/faq/docs/DOC-15411 Thanks Sam I am closing this since we shipped the U3 policy. Can we please add the comment in the online release notes to add the command to remove the previous el4 packages, as shown in the kbase. This should be added just before the yum command. As I do not believe that running yum will remove the previous version of openoffice. Something like this rpm -e `rpm -qa | grep openoffice' For reference of the kbase article see: http://kbase.redhat.com/faq/docs/DOC-15411 adding rlerch, who is now in charge of release notes. Ryan, please revise release notes accordingly. thanks! The bug was fixed during RHEL5.6 development. Easy to test: # matchpathcon /usr/lib64/ooo-1.1/ /usr/lib64/ooo-1.1 system_u:object_r:textrel_shlib_t #matchpathcon /usr/lib64/ooo-1.1 /usr/lib64/ooo-1.1 system_u:object_r:textrel_shlib_t Fixed in selinux-policy-2.4.6-298.el5. Regular expression '/usr/lib/ooo-1.1(/.*)?' does not include '/usr/lib/ooo-1.19'. The policy should be updated and the Technical/Release notes updated accordingly. Thank you. [root@rhel5b ~]# matchpathcon /usr/lib/ooo-1.1 /usr/lib/ooo-1.1 system_u:object_r:textrel_shlib_t [root@rhel5b ~]# matchpathcon /usr/lib/ooo-1.19 /usr/lib/ooo-1.19 system_u:object_r:lib_t There is a /usr/lib/ooo-1.1/ directory in openoffice.org-1.1.5-10.6.0.7.EL4 from RHEL4.8. Therefore /usr/lib/ooo-1.19 seems to be a typo to me. Moving back to ON_QA. The bug is not resolved. To make ooo work one have to change the context for
/usr/lib/ooo-1.1/program/ directory.
chcon -R -t textrel_shlib_t /usr/lib/ooo-1.1/program/
At the moment, this directory has a special rule in selinux-policy:
# matchpathcon /usr/lib/ooo-1.1/program/
/usr/lib/ooo-1.1/program system_u:object_r:bin_t
That results into following AVC when executing oowriter:
type=AVC msg=audit(1291733856.584:24): avc: denied { execmod } for pid=2618 comm="soffice.bin" path="/usr/lib/ooo-1.1/program/libvclplug_gen645li.so" dev=vda1 ino=194932 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1291733856.584:24): arch=40000003 syscall=125 success=yes exit=0 a0=59f4000 a1=86000 a2=5 a3=bf920300 items=0 ppid=2516 pid=2618 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="soffice.bin" exe="/usr/lib/ooo-1.1/program/soffice.bin" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Diffed Contents:
@@ -1,14 +1,13 @@
-When upgrading from Red Hat Enterprise Linux 4 Workstation to 5 Server, OpenOffice will no longer work correctly with SELinux. This is because the Red Hat Enterprise Linux version of OpenOffice is built using an incorrect library. As a result, SELinux will prevent OpenOffice from accessing any shared libraries, causing OpenOffice to fail.
+When upgrading from Red Hat Enterprise Linux 4 Workstation to 5 Server, OpenOffice no longer works correctly with SELinux. This is because the Red Hat Enterprise Linux version of OpenOffice is built using an incorrect library. As a result, SELinux prevents OpenOffice from accessing any shared libraries, thus causing OpenOffice to fail.
-To work around this, update the SELinux context to allow OpenOffice to access shared libraries. To do so, run the following commands:
+To work around this, update the SELinux context to allow OpenOffice to access shared libraries. To do so, run the following commands as root:
-# semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?'
-# semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?'
-# restorecon -Rv /usr/lib/ooo-1.19
-# restorecon -Rv /usr/lib64/ooo-1.19
+ # semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?'
+ # semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?'
+ # restorecon -Rv /usr/lib/ooo-1.19
+ # restorecon -Rv /usr/lib64/ooo-1.19
-Alternatively, you can also upgrade your OpenOffice to a correct version compatible with SELinux in Red Hat Enterprise Linux 5. You can do this by subscribing to the "Productivity App" child channel in Red Hat Network and running:
+Alternatively, you can upgrade your OpenOffice to a version that is compatible with SELinux in Red Hat Enterprise Linux 5. To do so, subscribe to the "Productivity App" child channel in Red Hat Network, and then run the following command as root:
-$ yum install
-openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter
+ # yum install openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter
,math,pyuno,writer,xsltfilter}
Technical notes will be no longer necessary. I am fixing label for *.so libs and since these libs are owned by openoffice.org-libs-*, the security context will be setup correctly for these libraries. Fixed in selinux-policy-2.4.6-299.el5
Technical note updated. If any revisions are required, please edit the "Technical Notes" field
accordingly. All revisions will be proofread by the Engineering Content Services team.
Diffed Contents:
@@ -1,13 +1 @@
-When upgrading from Red Hat Enterprise Linux 4 Workstation to 5 Server, OpenOffice no longer works correctly with SELinux. This is because the Red Hat Enterprise Linux version of OpenOffice is built using an incorrect library. As a result, SELinux prevents OpenOffice from accessing any shared libraries, thus causing OpenOffice to fail.
+When a user upgraded from Red Hat Enterprise Linux 4 Workstation to 5 Server, the OpenOffice.org suite no longer worked correctly with SELinux. This was because the Red Hat Enterprise Linux version of OpenOffice.org is built using an incorrect library, and as a result, SELinux prevented it from accessing any shared libraries, thus causing it to fail. With this update, the SELinux context has been updated to address this issue, and OpenOffice.org no longer fails.-
-To work around this, update the SELinux context to allow OpenOffice to access shared libraries. To do so, run the following commands as root:
-
- # semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?'
- # semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?'
- # restorecon -Rv /usr/lib/ooo-1.19
- # restorecon -Rv /usr/lib64/ooo-1.19
-
-Alternatively, you can upgrade your OpenOffice to a version that is compatible with SELinux in Red Hat Enterprise Linux 5. To do so, subscribe to the "Productivity App" child channel in Red Hat Network, and then run the following command as root:
-
- # yum install openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter
-,math,pyuno,writer,xsltfilter}
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on therefore solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html |