Re: Citrix ICA Client vs. SELinux

Daniel J Walsh wrote:
Eric Brunson wrote:
Eric Brunson wrote:
With the latest upgrade of the kernel (2.6.16-1.2080_FC5) my Citrix client stopped working. Booting into the previous kernel (2.6.15-1.2054_FC5) will allow me to run it, but in the current kernel on two machines it segfaults, on the machine I'm on now it gives this error:

clotho(~)$ /usr/lib/ICAClient/wfica -icaroot /usr/lib/ICAClient -nosplash -desc hemo1

   Error: 75 (E_DYNLOAD_FAILED)

   Please refer to the documentation.

   Error loading dynamic module:

    "/usr/lib/ICAClient/CHARICONV.DLL"

/usr/lib/ICAClient/CHARICONV.DLL: cannot restore segment prot after reloc: Permission denied


The "Permission denied" led me to try disabling selinux enforcement, which allowed it to run again. Is there enough information in the message above for someone to speculate on a policy change that will allow that dll to load?

chcon -t textrel_shlib_t /usr/lib/ICAClient/CHARICONV.DLL did the trick on that library, but now I get a popup that it can't find libctxssl.so, which is in the same directory, /usr/lib/ICACLIENT. I tried adding "/usr/lib/ICAClient/" to the ld.so.conf and running ldconfig, but it still claims to be unable to find the .so file. Again, setenforce 0 allows the application to run properly, but setenforce 1 causes the failure, even though libctxssl.so shows up in ldconfig -p. Is there something in SELinux policies that interferes with ld.so searching? Google hasn't turned anything up yet, but I'm still looking.

Thanks,
e.

Look for avc messages in /var/log/messages or /var/log/audit/audit.log. You might need to change textrel_shlib_t on this file also.


Daniel, U da Man.  It's running perfectly now.

Though the message:

clotho kernel: audit(1144088654.838:25): avc: denied { execmod } for pid=3107 comm="wfica" name="libctxssl.so" dev=dm-0 ino=1053673 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

leaves something to be desired, having no reference to textrel_shlib_t in it to dial you into what permission was denied. :-) Of course, that's to an untrained eye, those clueful in the ways of selinux may be able to get more out of it than I could.

You kick ass.

Thanks.
e.
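
The denial quoted above names the permission (execmod) and the target type (lib_t) but not the label that resolves it. As an added example that is not part of the original thread, this Python sketch parses such an avc line and, for the execmod-on-lib_t case discussed here, builds the same chcon relabel the thread used; the function names and the hint rule are assumptions made for illustration.

```python
import re
import shlex

# The denial quoted in the thread, reproduced here as sample input.
SAMPLE = ('clotho kernel: audit(1144088654.838:25): avc: denied { execmod } for pid=3107 '
          'comm="wfica" name="libctxssl.so" dev=dm-0 ino=1053673 '
          'scontext=user_u:system_r:unconfined_t:s0 '
          'tcontext=system_u:object_r:lib_t:s0 tclass=file')

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return a dict of the denial's fields, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    # SELinux contexts are user:role:type[:level]; the type is the third field.
    for key in ('scontext', 'tcontext'):
        parts = rec.get(key, '').split(':')
        rec[key[0] + 'type'] = parts[2] if len(parts) >= 3 else None
    return rec

def relabel_hint(rec, directory=None):
    """Suggest the thread's fix for execmod denials on libraries labelled lib_t."""
    if rec is None or rec.get('tclass') != 'file' or not rec.get('name'):
        return None
    if 'execmod' in rec['perms'] and rec['ttype'] == 'lib_t':
        # The avc record carries only the file name, so the directory is supplied by the caller.
        name = rec['name']
        path = f"{directory.rstrip('/')}/{name}" if directory else name
        return 'chcon -t textrel_shlib_t ' + shlex.quote(path)
    return None

if __name__ == '__main__':
    rec = parse_avc(SAMPLE)
    print(rec['comm'], rec['perms'], rec['stype'], '->', rec['ttype'])
    print(relabel_hint(rec, '/usr/lib/ICAClient'))
```

The hint covers only the case seen in this thread; relabel only libraries that are trusted and known to need text relocations, since the new type permits execmod on that file.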

