Bug 477103 - Addition to online release notes: re rhel4ws -> rhel5AS oo.o upgrade
Summary: Addition to online release notes: re rhel4ws -> rhel5AS oo.o upgrade
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-policy
Version: 5.3
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-12-19 03:50 UTC by Wade Mealing
Modified: 2018-11-14 18:33 UTC (History)

Fixed In Version: selinux-policy-2.4.6-298.el5
Doc Type: Bug Fix
Doc Text:
When a user upgraded from Red Hat Enterprise Linux 4 Workstation to 5 Server, the OpenOffice.org suite no longer worked correctly with SELinux. This was because the Red Hat Enterprise Linux version of OpenOffice.org is built using an incorrect library, and as a result, SELinux prevented it from accessing any shared libraries, thus causing it to fail. With this update, the SELinux context has been updated to address this issue, and OpenOffice.org no longer fails.
Clone Of:
Environment:
Last Closed: 2011-01-13 22:11:36 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2011:0026 0 normal SHIPPED_LIVE selinux-policy bug fix and enhancement update 2011-01-12 16:11:15 UTC

Description Wade Mealing 2008-12-19 03:50:56 UTC
Description of problem:

After upgrade from RHEL4 to RHEL5 Server openoffice remains installed, but will not work correctly due to selinux.  Instructions to fix are here http://kbase.redhat.com/faq/docs/DOC-15362
 
Version-Release number of selected component (if applicable):

Any version of 4.X that included OO.o to any version of 5 (Server , AP) that does not include OO.o by default  

Can we have 5.3 online release notes updated ?

Comment 1 Daniel Walsh 2008-12-23 16:12:27 UTC
I can not read the kbase article, and is this true with the 5.3 policy?

Comment 3 Daniel Walsh 2009-01-06 18:19:44 UTC
I have no idea what this is and I can not read the kbase article.

Comment 10 Suzanne Logcher 2009-01-08 16:38:45 UTC
Release note added. If any revisions are required, please set the 
"requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

New Contents:
OpenOffice breaks after upgrade from RHEL4 to RHEL5 Server

Upon upgrading RHEL4 to RHEL5 server, OpenOffice 1.1.x is retained from RHEL4
install. The same fails to run on RHEL5, if selinux is enabled on the system.

Note:
OpenOffice is not provided with RHEL5 Server by default, and OpenOffice 2.3.x can
be installed from "RHEL Optional Productivity App"

The libraries used in the Red Hat Enterprise Linux Version of Open Office were
built incorrectly.  When running this version of OpenOffice on a SELinux
enabled machine, the application will break, because SELinux is not allowing it
to use its shared libraries.  These libraries are indicating to SELinux a
potential vulnerability.  You can label the libraries with textrel_shlib_t,
which tells SELinux that we know these libraries were built incorrectly, but
let them be used.

Solution:
OpenOffice is not provided with RHEL5 Server release, and consequently has
incorrect SELinux file labeling. To fix the context run the command below:

# semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?'
# semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?'
# restorecon -Rv /usr/lib/ooo-1.19
# restorecon -Rv /usr/lib64/ooo-1.19

Alternatively, you can upgrade to OpenOffice provided with RHEL5 by subscribing
to "Productivity App" child channel and running:

$ yum install openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter,math,pyuno,writer,xsltfilter}

Comment 11 Wade Mealing 2009-01-09 01:27:56 UTC
Sounds good to me Suzanne.

Comment 12 Don Domingo 2009-01-14 02:58:37 UTC
Release note updated. If any revisions are required, please set the 
"requires_release_notes"  flag to "?" and edit the "Release Notes" field accordingly.
All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -1,31 +1,13 @@
-OpenOffice breaks after upgrade from RHEL4 to RHEL5 Server
+When upgrading from Red Hat Enterprise Linux 4 Workstation to 5 Server, OpenOffice will no longer work correctly with SELinux. This is because the Red Hat Enterprise Linux version of OpenOffice is built using an incorrect library. As a result, SELinux will prevent OpenOffice from accessing any shared libraries, causing OpenOffice to fail.
 
-Upon upgrading RHEL4 to RHEL5 server, OpenOffice 1.1.x is retained from RHEL4
-install. The same fails to run on RHEL5, if selinux is enabled on the system.
+To work around this, update the SELinux context to allow OpenOffice to access shared libraries. To do so, run the following commands:
 
-Note:
-OpenOffice not provided with RHEL5 Server by default, and OpenOffice 2.3.x can
-be installed from "RHEL Optional Productivity App"
-
-The libraries used in the Red Hat Enterprise Linux Version of Open Office were
-built incorrectly.  When running this version of OpenOffice on a SELinux
-enabled machine, the application will break, because SELinux is not allowing it
-to use it shared libraries.  These libraries are indicating to SELinux a
-potential vulnerability.  You can label the libraries with textrel_shlib_t,
-which tells SELinux that we know these libraries were built incorrectly, but
-let them be used.
-
-Solution:
-OpenOffice is not provided with RHEL5 Server release, and consequently has
-incorrect SELinux file labeling. To fix the context run the command below:
-
 # semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?'
 # semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?'
 # restorecon -Rv /usr/lib/ooo-1.19
 # restorecon -Rv /usr/lib64/ooo-1.19
 
-Alternatively, you can upgrade to OpenOffice provided with RHEL5 by subscribing
-to "Productivity App" child channel and running:
+Alternatively, you can also upgrade your OpenOffice to a correct version compatible with SELinux in Red Hat Enterprise Linux 5. You can do this by subscribing to the "Productivity App" child channel in Red Hat Network and running:
 
 $ yum install
 openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter
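
Review bot: the two "restorecon -Rv" context lines point at /usr/lib/ooo-1.19 and /usr/lib64/ooo-1.19, while the "semanage fcontext" lines directly above them register patterns for ooo-1.1, so the relabel step does not act on the directory the rule was added for. The rewrite carries these four commands over unchanged; the restorecon targets should read /usr/lib/ooo-1.1 and /usr/lib64/ooo-1.1. The yum command is also still split after "yum install", and the hunk as shown stops at "javafilter", so the package list cannot be pasted as one command.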

Comment 13 Sam Knuth 2009-01-30 12:54:12 UTC
kbase article has been published based on the comments in the BZ.

http://kbase.redhat.com/faq/docs/DOC-15411

Thanks
Sam

Comment 14 Daniel Walsh 2009-02-07 12:10:59 UTC
I am closing this since we shipped the U3 policy.

Comment 16 Wade Mealing 2009-03-05 04:26:48 UTC
Can we please add the comment in the online release notes to add the command to remove the previous el4 packages, as shown in the kbase.  This should be added just before the yum command.  As I do not believe that running yum will remove the previous version of openoffice.

Something like this

rpm -e `rpm -qa | grep openoffice`

For reference of the kbase article see:

http://kbase.redhat.com/faq/docs/DOC-15411

Comment 17 Don Domingo 2009-03-05 05:24:46 UTC
adding rlerch, who is now in charge of release notes.

Comment 18 Don Domingo 2009-03-05 05:25:31 UTC
Ryan, please revise release notes accordingly. thanks!

Comment 23 Miroslav Grepl 2010-12-07 12:18:49 UTC
The bug was fixed during RHEL5.6 development. Easy to test:

# matchpathcon /usr/lib64/ooo-1.1/
/usr/lib64/ooo-1.1	system_u:object_r:textrel_shlib_t

# matchpathcon /usr/lib64/ooo-1.1
/usr/lib64/ooo-1.1	system_u:object_r:textrel_shlib_t

Fixed in selinux-policy-2.4.6-298.el5.

Comment 25 Karel Srot 2010-12-07 13:14:35 UTC
Regular expression '/usr/lib/ooo-1.1(/.*)?' does not include '/usr/lib/ooo-1.19'.
The policy should be updated and the Technical/Release notes updated accordingly.
Thank you.

[root@rhel5b ~]# matchpathcon /usr/lib/ooo-1.1
/usr/lib/ooo-1.1	system_u:object_r:textrel_shlib_t
[root@rhel5b ~]# matchpathcon /usr/lib/ooo-1.19
/usr/lib/ooo-1.19	system_u:object_r:lib_t

Comment 26 Karel Srot 2010-12-07 13:31:05 UTC
There is a /usr/lib/ooo-1.1/ directory in openoffice.org-1.1.5-10.6.0.7.EL4 from RHEL4.8. Therefore /usr/lib/ooo-1.19 seems to be a typo to me.
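
The mismatch pointed out in Comments 25 and 26, as an added example that is not part of the original thread: a POSIX shell check that every restorecon target in the release note is covered by one of its semanage fcontext patterns. The function names are hypothetical, and grep -Ex stands in for SELinux's whole-path (anchored) regex match so the check runs without an SELinux host.

```shell
#!/bin/sh
# Added example, not from the bug thread. Function names are hypothetical.

# Return 0 when a file-context pattern covers the whole path. File-context
# regexes are anchored at both ends; grep -x reproduces that here.
fcontext_covers() {
    printf '%s\n' "$2" | grep -Eqx -- "$1"
}

# uncovered_targets PATTERNS TARGETS  (both newline-separated lists)
# Prints every restorecon target that none of the patterns covers.
uncovered_targets() {
    printf '%s\n' "$2" | while IFS= read -r target; do
        [ -n "$target" ] || continue
        hit=0
        while IFS= read -r pattern; do
            if [ -n "$pattern" ] && fcontext_covers "$pattern" "$target"; then
                hit=1
            fi
        done <<EOF
$1
EOF
        [ "$hit" -eq 1 ] || printf '%s\n' "$target"
    done
}

# Patterns and restorecon targets as printed in the release note.
NOTE_PATTERNS='/usr/lib/ooo-1.1(/.*)?
/usr/lib64/ooo-1.1(/.*)?'
NOTE_TARGETS='/usr/lib/ooo-1.19
/usr/lib64/ooo-1.19'
# Targets using the directory name ooo-1.1 reported in Comment 26.
FIXED_TARGETS='/usr/lib/ooo-1.1
/usr/lib64/ooo-1.1'

echo "Not covered, release note as written:"
uncovered_targets "$NOTE_PATTERNS" "$NOTE_TARGETS"
echo "Not covered, corrected targets:"
uncovered_targets "$NOTE_PATTERNS" "$FIXED_TARGETS"
```

A target that the check prints would be relabeled by restorecon according to whatever other rule matches it, not the textrel_shlib_t rule that was just added.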

Comment 27 Miroslav Grepl 2010-12-07 13:40:11 UTC
Moving back to ON_QA.

Comment 28 Karel Srot 2010-12-07 15:06:46 UTC
The bug is not resolved. To make ooo work one has to change the context for
/usr/lib/ooo-1.1/program/ directory. 

chcon -R -t textrel_shlib_t /usr/lib/ooo-1.1/program/

At the moment, this directory has a special rule in selinux-policy:

# matchpathcon /usr/lib/ooo-1.1/program/
/usr/lib/ooo-1.1/program	system_u:object_r:bin_t

That results in the following AVC when executing oowriter:

type=AVC msg=audit(1291733856.584:24): avc:  denied  { execmod } for  pid=2618 comm="soffice.bin" path="/usr/lib/ooo-1.1/program/libvclplug_gen645li.so" dev=vda1 ino=194932 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1291733856.584:24): arch=40000003 syscall=125 success=yes exit=0 a0=59f4000 a1=86000 a2=5 a3=bf920300 items=0 ppid=2516 pid=2618 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="soffice.bin" exe="/usr/lib/ooo-1.1/program/soffice.bin" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
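
An added example, not part of Comment 28 or the thread: a POSIX shell and awk filter that pulls execmod denials out of audit records and groups them by directory and target type, which is how the bin_t label on the program/ directory shows up above. The function names are hypothetical; the first sample record is the AVC quoted in Comment 28 and the other two are constructed.

```shell
#!/bin/sh
# Added example, not from the bug thread. Function names are hypothetical.

# Read audit records on stdin and print "directory<TAB>target type<TAB>count"
# for every AVC that denies execmod. Assumes paths contain no spaces.
execmod_summary() {
    awk '
    /type=AVC/ && /avc: +denied/ {
        s = index($0, "{"); e = index($0, "}")
        if (s == 0 || e <= s) next
        perms = substr($0, s + 1, e - s - 1)
        if (index(perms, " execmod ") == 0) next   # some other permission
        path = ""; type = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^path=/) {
                path = $i; sub(/^path=/, "", path); gsub(/"/, "", path)
            }
            if ($i ~ /^tcontext=/) { split($i, ctx, ":"); type = ctx[3] }
        }
        if (path == "") next
        dir = path; sub("/[^/]*$", "", dir)        # drop the file name
        count[dir "\t" type]++
    }
    END { for (k in count) print k "\t" count[k] }' | sort
}

# Record 1 is the AVC from Comment 28; records 2 and 3 are constructed.
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1291733856.584:24): avc:  denied  { execmod } for  pid=2618 comm="soffice.bin" path="/usr/lib/ooo-1.1/program/libvclplug_gen645li.so" dev=vda1 ino=194932 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1291733856.600:25): avc:  denied  { execmod } for  pid=2618 comm="soffice.bin" path="/usr/lib/ooo-1.1/program/libexample.so" dev=vda1 ino=194933 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=AVC msg=audit(1291733856.700:26): avc:  denied  { read } for  pid=2700 comm="example" path="/tmp/example.txt" dev=vda1 ino=100 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:tmp_t:s0 tclass=file
EOF
}

sample_audit_log | execmod_summary
```

A directory that appears here with a type other than textrel_shlib_t is one whose labeling rule takes precedence over the library rule, as the bin_t rule for program/ does in Comment 28.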

Comment 29 Douglas Silas 2010-12-07 15:21:06 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,14 +1,13 @@
-When upgrading from Red Hat Enterprise Linux 4 Workstation to 5 Server, OpenOffice will no longer work correctly with SELinux. This is because the Red Hat Enterprise Linux version of OpenOffice is built using an incorrect library. As a result, SELinux will prevent OpenOffice from accessing any shared libraries, causing OpenOffice to fail.
+When upgrading from Red Hat Enterprise Linux 4 Workstation to 5 Server, OpenOffice no longer works correctly with SELinux. This is because the Red Hat Enterprise Linux version of OpenOffice is built using an incorrect library. As a result, SELinux prevents OpenOffice from accessing any shared libraries, thus causing OpenOffice to fail.
 
-To work around this, update the SELinux context to allow OpenOffice to access shared libraries. To do so, run the following commands:
+To work around this, update the SELinux context to allow OpenOffice to access shared libraries. To do so, run the following commands as root:
 
-# semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?'
-# semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?'
-# restorecon -Rv /usr/lib/ooo-1.19
-# restorecon -Rv /usr/lib64/ooo-1.19
+	# semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?'
+	# semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?'
+	# restorecon -Rv /usr/lib/ooo-1.19
+	# restorecon -Rv /usr/lib64/ooo-1.19
 
-Alternatively, you can also upgrade your OpenOffice to a correct version compatible with SELinux in Red Hat Enterprise Linux 5. You can do this by subscribing to the "Productivity App" child channel in Red Hat Network and running:
+Alternatively, you can upgrade your OpenOffice to a version that is compatible with SELinux in Red Hat Enterprise Linux 5. To do so, subscribe to the "Productivity App" child channel in Red Hat Network, and then run the following command as root:
 
-$ yum install
-openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter
+	# yum install openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter
 ,math,pyuno,writer,xsltfilter}
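
Review bot: the rewritten yum line ("# yum install openoffice-{base,...,javafilter") still stops in the middle of the brace list, with ",math,pyuno,writer,xsltfilter}" left on the following unindented context line, so a reader who pastes it gets two lines, not one command; join the whole package list onto a single line. The re-indented restorecon lines also still name /usr/lib/ooo-1.19 and /usr/lib64/ooo-1.19 although the fcontext patterns two lines earlier are for ooo-1.1.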

Comment 32 Miroslav Grepl 2010-12-08 10:51:49 UTC
Technical notes will no longer be necessary.

I am fixing the label for *.so libs, and since these libs are owned by openoffice.org-libs-*, the security context will be set up correctly for these libraries.

Comment 33 Miroslav Grepl 2010-12-08 11:50:18 UTC
Fixed in selinux-policy-2.4.6-299.el5

Comment 35 Jaromir Hradilek 2011-01-05 15:35:08 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,13 +1 @@
-When upgrading from Red Hat Enterprise Linux 4 Workstation to 5 Server, OpenOffice no longer works correctly with SELinux. This is because the Red Hat Enterprise Linux version of OpenOffice is built using an incorrect library. As a result, SELinux prevents OpenOffice from accessing any shared libraries, thus causing OpenOffice to fail.
+When a user upgraded from Red Hat Enterprise Linux 4 Workstation to 5 Server, the OpenOffice.org suite no longer worked correctly with SELinux. This was because the Red Hat Enterprise Linux version of OpenOffice.org is built using an incorrect library, and as a result, SELinux prevented it from accessing any shared libraries, thus causing it to fail. With this update, the SELinux context has been updated to address this issue, and OpenOffice.org no longer fails.-
-To work around this, update the SELinux context to allow OpenOffice to access shared libraries. To do so, run the following commands as root:
-
-	# semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?'
-	# semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?'
-	# restorecon -Rv /usr/lib/ooo-1.19
-	# restorecon -Rv /usr/lib64/ooo-1.19
-
-Alternatively, you can upgrade your OpenOffice to a version that is compatible with SELinux in Red Hat Enterprise Linux 5. To do so, subscribe to the "Productivity App" child channel in Red Hat Network, and then run the following command as root:
-
-	# yum install openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter
-,math,pyuno,writer,xsltfilter}
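
Review bot: the single added line ends in "no longer fails.-"; the trailing hyphen looks like a removed blank line run onto the end of the new text, so confirm that the stored note ends at "fails." With the workaround commands dropped, the new text says only that "the SELinux context has been updated"; naming the affected paths would tell readers who already added the local fcontext rules from the earlier note whether those rules are still needed.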

Comment 37 errata-xmlrpc 2011-01-13 22:11:36 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0026.html

