Description of problem:
After upgrade from RHEL4 to RHEL5 Server openoffice remains installed, but will not work correctly due to selinux. Instructions to fix are here http://kbase.redhat.com/faq/docs/DOC-15362

Version-Release number of selected component (if applicable):
Any version of 4.X that included OO.o to any version of 5 (Server, AP) that does not include OO.o by default

Can we have 5.3 online release notes updated?
I can not read the kbase article, and is this true with the 5.3 policy?
I have no idea what this is and I can not read the kbase article.
Release note added. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
OpenOffice breaks after upgrade from RHEL4 to RHEL5 Server

Upon upgrading RHEL4 to RHEL5 server, OpenOffice 1.1.x is retained from RHEL4 install. The same fails to run on RHEL5, if selinux is enabled on the system.

Note:
OpenOffice not provided with RHEL5 Server by default, and OpenOffice 2.3.x can be installed from "RHEL Optional Productivity App"

The libraries used in the Red Hat Enterprise Linux Version of Open Office were built incorrectly. When running this version of OpenOffice on a SELinux enabled machine, the application will break, because SELinux is not allowing it to use its shared libraries. These libraries are indicating to SELinux a potential vulnerability. You can label the libraries with textrel_shlib_t, which tells SELinux that we know these libraries were built incorrectly, but let them be used.

Solution:
OpenOffice is not provided with RHEL5 Server release, and consequently has incorrect SELinux file labeling. To fix the context run the command below:

# semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?'
# semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?'
# restorecon -Rv /usr/lib/ooo-1.19
# restorecon -Rv /usr/lib64/ooo-1.19

Alternatively, you can upgrade to OpenOffice provided with RHEL5 by subscribing to "Productivity App" child channel and running:

$ yum install openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter,math,pyuno,writer,xsltfilter}
Sounds good to me Suzanne.
Release note updated. If any revisions are required, please set the "requires_release_notes" flag to "?" and edit the "Release Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: 
@@ -1,31 +1,13 @@ -OpenOffice breaks after upgrade from RHEL4 to RHEL5 Server +When upgrading from Red Hat Enterprise Linux 4 Workstation to 5 Server, OpenOffice will no longer work correctly with SELinux. This is because the Red Hat Enterprise Linux version of OpenOffice is built using an incorrect library. As a result, SELinux will prevent OpenOffice from accessing any shared libraries, causing OpenOffice to fail. -Upon upgrading RHEL4 to RHEL5 server, OpenOffice 1.1.x is retained from RHEL4 -install. The same fails to run on RHEL5, if selinux is enabled on the system. +To work around this, update the SELinux context to allow OpenOffice to access shared libraries. To do so, run the following commands: -Note: -OpenOffice not provided with RHEL5 Server by default, and OpenOffice 2.3.x can -be installed from "RHEL Optional Productivity App" - -The libraries used in the Red Hat Enterprise Linux Version of Open Office were -built incorrectly. When running this version of OpenOffice on a SELinux -enabled machine, the application will break, because SELinux is not allowing it -to use it shared libraries. These libraries are indicating to SELinux a -potential vulnerability. You can label the libraries with textrel_shlib_t, -which tells SELinux that we know these libraries were built incorrectly, but -let them be used. - -Solution: -OpenOffice is not provided with RHEL5 Server release, and consequently has -incorrect SELinux file labeling. To fix the context run the command below: - # semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?' # semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?' # restorecon -Rv /usr/lib/ooo-1.19 # restorecon -Rv /usr/lib64/ooo-1.19 -Alternatively, you can upgrade to OpenOffice provided with RHEL5 by subscribing -to "Productivity App" child channel and running: +Alternatively, you can also upgrade your OpenOffice to a correct version compatible with SELinux in Red Hat Enterprise Linux 5. 
You can do this by subscribing to the "Productivity App" child channel in Red Hat Network and running: $ yum install openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter
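Review bot: the two restorecon lines kept as unchanged context relabel /usr/lib/ooo-1.19 and /usr/lib64/ooo-1.19, but the semanage fcontext rules directly above them are written for '/usr/lib/ooo-1.1(/.*)?' and '/usr/lib64/ooo-1.1(/.*)?', so the relabel targets are not the directories the new rules describe. Since this revision rewrites the surrounding text anyway, make the four paths agree, for example restorecon -Rv /usr/lib/ooo-1.1 and restorecon -Rv /usr/lib64/ooo-1.1 if ooo-1.1 is the directory the package installs.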
kbase article has been published based on the comments in the BZ. http://kbase.redhat.com/faq/docs/DOC-15411 Thanks Sam
I am closing this since we shipped the U3 policy.
Can we please add the comment in the online release notes to add the command to remove the previous el4 packages, as shown in the kbase. This should be added just before the yum command, as I do not believe that running yum will remove the previous version of openoffice. Something like this:

rpm -e `rpm -qa | grep openoffice`

For reference of the kbase article see: http://kbase.redhat.com/faq/docs/DOC-15411
adding rlerch, who is now in charge of release notes.
Ryan, please revise release notes accordingly. thanks!
The bug was fixed during RHEL5.6 development. Easy to test:

# matchpathcon /usr/lib64/ooo-1.1/
/usr/lib64/ooo-1.1 system_u:object_r:textrel_shlib_t
# matchpathcon /usr/lib64/ooo-1.1
/usr/lib64/ooo-1.1 system_u:object_r:textrel_shlib_t

Fixed in selinux-policy-2.4.6-298.el5.
Regular expression '/usr/lib/ooo-1.1(/.*)?' does not include '/usr/lib/ooo-1.19'. The policy should be updated and the Technical/Release notes updated accordingly. Thank you.

[root@rhel5b ~]# matchpathcon /usr/lib/ooo-1.1
/usr/lib/ooo-1.1 system_u:object_r:textrel_shlib_t
[root@rhel5b ~]# matchpathcon /usr/lib/ooo-1.19
/usr/lib/ooo-1.19 system_u:object_r:lib_t
There is a /usr/lib/ooo-1.1/ directory in openoffice.org-1.1.5-10.6.0.7.EL4 from RHEL4.8. Therefore /usr/lib/ooo-1.19 seems to be a typo to me.
Moving back to ON_QA.
The bug is not resolved. To make ooo work one has to change the context for /usr/lib/ooo-1.1/program/ directory.

chcon -R -t textrel_shlib_t /usr/lib/ooo-1.1/program/

At the moment, this directory has a special rule in selinux-policy:

# matchpathcon /usr/lib/ooo-1.1/program/
/usr/lib/ooo-1.1/program system_u:object_r:bin_t

That results in the following AVC when executing oowriter:

type=AVC msg=audit(1291733856.584:24): avc: denied { execmod } for pid=2618 comm="soffice.bin" path="/usr/lib/ooo-1.1/program/libvclplug_gen645li.so" dev=vda1 ino=194932 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
type=SYSCALL msg=audit(1291733856.584:24): arch=40000003 syscall=125 success=yes exit=0 a0=59f4000 a1=86000 a2=5 a3=bf920300 items=0 ppid=2516 pid=2618 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="soffice.bin" exe="/usr/lib/ooo-1.1/program/soffice.bin" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
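The two findings above (the ooo-1.1 spec not covering ooo-1.19, and the library under program/ carrying bin_t) can be checked offline with a small triage script. This is an added example, not part of the bug report or of selinux-policy; the function names are hypothetical, the AVC record is the one quoted in the comment above, and grep -E is assumed to be close enough to the policy's regex engine for these specs.

```bash
#!/usr/bin/env bash
# Added example: helper names are hypothetical, not libselinux or policy tooling.

# SELinux matches a file-context spec against the whole path (^spec$).
spec_matches() {        # spec_matches SPEC PATH
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# Print the paths that SPEC does not label (e.g. wrong restorecon targets).
uncovered_targets() {   # uncovered_targets SPEC PATH...
    local spec="$1" p
    shift
    for p in "$@"; do
        spec_matches "$spec" "$p" || printf '%s\n' "$p"
    done
}

# Extract one key=value field from an audit record, quotes stripped.
avc_field() {           # avc_field KEY RECORD
    printf '%s\n' "$2" | sed -n "s/.* $1=\"\{0,1\}\([^\" ]*\).*/\1/p"
}

# Summarise a denial: permission, label on the file, whether SPEC covers it, path.
triage_avc() {          # triage_avc RECORD SPEC
    local rec="$1" spec="$2" perm path ttype cover
    perm=$(printf '%s\n' "$rec" |
           sed -n 's/.*denied *{ *\([a-z_ ]*[a-z_]\) *}.*/\1/p')
    path=$(avc_field path "$rec")
    ttype=$(avc_field tcontext "$rec" | cut -d: -f3)
    if spec_matches "$spec" "$path"; then cover=covered; else cover=uncovered; fi
    printf '%s %s %s %s\n' "$perm" "$ttype" "$cover" "$path"
}

# Spec from the release note; AVC record from the comment (SYSCALL record omitted).
SPEC='/usr/lib/ooo-1.1(/.*)?'
AVC='type=AVC msg=audit(1291733856.584:24): avc: denied { execmod } for pid=2618 comm="soffice.bin" path="/usr/lib/ooo-1.1/program/libvclplug_gen645li.so" dev=vda1 ino=194932 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file'

uncovered_targets "$SPEC" /usr/lib/ooo-1.1 /usr/lib/ooo-1.19
triage_avc "$AVC" "$SPEC"
```

A "covered" result paired with a label other than textrel_shlib_t means the spec's regex matches the path but the file carries a different type, which is the situation the comment attributes to the special rule for program/.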
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: 
@@ -1,14 +1,13 @@ -When upgrading from Red Hat Enterprise Linux 4 Workstation to 5 Server, OpenOffice will no longer work correctly with SELinux. This is because the Red Hat Enterprise Linux version of OpenOffice is built using an incorrect library. As a result, SELinux will prevent OpenOffice from accessing any shared libraries, causing OpenOffice to fail. +When upgrading from Red Hat Enterprise Linux 4 Workstation to 5 Server, OpenOffice no longer works correctly with SELinux. This is because the Red Hat Enterprise Linux version of OpenOffice is built using an incorrect library. As a result, SELinux prevents OpenOffice from accessing any shared libraries, thus causing OpenOffice to fail. -To work around this, update the SELinux context to allow OpenOffice to access shared libraries. To do so, run the following commands: +To work around this, update the SELinux context to allow OpenOffice to access shared libraries. To do so, run the following commands as root: -# semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?' -# semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?' -# restorecon -Rv /usr/lib/ooo-1.19 -# restorecon -Rv /usr/lib64/ooo-1.19 + # semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?' + # semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?' + # restorecon -Rv /usr/lib/ooo-1.19 + # restorecon -Rv /usr/lib64/ooo-1.19 -Alternatively, you can also upgrade your OpenOffice to a correct version compatible with SELinux in Red Hat Enterprise Linux 5. You can do this by subscribing to the "Productivity App" child channel in Red Hat Network and running: +Alternatively, you can upgrade your OpenOffice to a version that is compatible with SELinux in Red Hat Enterprise Linux 5. 
To do so, subscribe to the "Productivity App" child channel in Red Hat Network, and then run the following command as root: -$ yum install -openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter + # yum install openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter ,math,pyuno,writer,xsltfilter}
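Review bot: in the yum command the brace list is still split after javafilter, with ,math,pyuno,writer,xsltfilter} left on the following context line; the + line changes only the prompt and the indentation. Pasted as shown, the first line has no closing brace and the second starts with a comma, so the shell does not expand the package list. Keep the whole openoffice-{...} list on one line, or say explicitly that the two lines must be joined.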
Technical notes will no longer be necessary. I am fixing the label for *.so libs and since these libs are owned by openoffice.org-libs-*, the security context will be set up correctly for these libraries.
Fixed in selinux-policy-2.4.6-299.el5
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team. Diffed Contents: @@ -1,13 +1 @@ -When upgrading from Red Hat Enterprise Linux 4 Workstation to 5 Server, OpenOffice no longer works correctly with SELinux. This is because the Red Hat Enterprise Linux version of OpenOffice is built using an incorrect library. As a result, SELinux prevents OpenOffice from accessing any shared libraries, thus causing OpenOffice to fail. +When a user upgraded from Red Hat Enterprise Linux 4 Workstation to 5 Server, the OpenOffice.org suite no longer worked correctly with SELinux. This was because the Red Hat Enterprise Linux version of OpenOffice.org is built using an incorrect library, and as a result, SELinux prevented it from accessing any shared libraries, thus causing it to fail. With this update, the SELinux context has been updated to address this issue, and OpenOffice.org no longer fails.- -To work around this, update the SELinux context to allow OpenOffice to access shared libraries. To do so, run the following commands as root: - - # semanage fcontext -a -t textrel_shlib_t '/usr/lib/ooo-1.1(/.*)?' - # semanage fcontext -a -t textrel_shlib_t '/usr/lib64/ooo-1.1(/.*)?' - # restorecon -Rv /usr/lib/ooo-1.19 - # restorecon -Rv /usr/lib64/ooo-1.19 - -Alternatively, you can upgrade your OpenOffice to a version that is compatible with SELinux in Red Hat Enterprise Linux 5. To do so, subscribe to the "Productivity App" child channel in Red Hat Network, and then run the following command as root: - - # yum install openoffice-{base,calc,draw,emailmerge,graphicfilter,headless,impress,javafilter -,math,pyuno,writer,xsltfilter}
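Review bot: the replacement sentence says only that "the SELinux context has been updated", while every removed line that named the type (textrel_shlib_t) and the directories it applies to is dropped, so a reader cannot tell what to verify after installing the update. Name the label and the path in the + text so the result can be confirmed with a file-context lookup. The sentence also mixes tenses ("This was because ... is built using an incorrect library"); settle on one.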
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2011-0026.html