Re: Citrix ICA Client vs. SELinux

[Eric Brunson <brunson@xxxxxxxxxxx>]

Daniel J Walsh wrote:
> Eric Brunson wrote:
> > Eric Brunson wrote:
> > > With the latest upgrade of the kernel (2.6.16-1.2080_FC5) my Citrix 
> > > client stopped working.  Booting into the previous kernel 
> > > (2.6.15-1.2054_FC5) will allow me to run it, but in the current 
> > > kernel on two machines it segfaults, on the machine I'm on now it 
> > > gives this error:
> > >
> > >    clotho(~)$ /usr/lib/ICAClient/wfica -icaroot /usr/lib/ICAClient 
> > > -nosplash -desc hemo1
> > >
> > >    Error: 75 (E_DYNLOAD_FAILED)
> > >
> > >    Please refer to the documentation.
> > >
> > >    Error loading dynamic module:
> > >
> > >     "/usr/lib/ICAClient/CHARICONV.DLL"
> > >
> > >    /usr/lib/ICAClient/CHARICONV.DLL: cannot restore segment prot 
> > > after reloc: Permission denied
> > >
> > >
> > > The "Permission denied" led me to try disabling selinux enforcement, 
> > > which allowed it to run again.  Is there enough information in the 
> > > message above for someone to speculate on a policy change that will 
> > > allow that dll to load?
> > chcon -t texrel_shlib_t /usr/lib/ICAClient/CHARICONV.DLL did the 
> > trick on that library, but now I get a popup that it can't find 
> > libctxssl.so, which is in the same directory, /usr/lib/ICACLIENT.  I 
> > tried adding "/usr/lib/ICAClient/" to the ld.so.conf and running 
> > ldconfig, but it still claims to be unable to find the .so file.  
> > Again, setenforce 0 allows the application to run properly, but 
> > setenforce 1 causes the failure, even though libctxssl.so shows up in 
> > ldconfig -p.
> > Is there something in SELinux policies that interferes with ld.so 
> > searching?  Google hasn't turned anything up yet, but I'm still looking.
> >
> > Thanks,
> > e.
> Look for avc messages in /var/log/messages or 
> /var/log/audit/audit.log.  You might need to change textrel_shlib_t on 
> this file also.

Daniel, U da Man.  It's running perfectly now.

Though the message:

clotho kernel: audit(1144088654.838:25): avc:  denied  { execmod } for  
pid=3107 comm="wfica" name="libctxssl.so" dev=dm-0 ino=1053673 
scontext=user_u:system_r:unconfined_t:s0 
tcontext=system_u:object_r:lib_t:s0 tclass=file

leaves something to be desired, having no reference to texrel_shlib_t in 
it to dial you into what permission was denied.  :-)  Of course, that's 
to an untrained eye, those clueful in the ways of selinux may be able to 
get more out if it than I could.

You kick ass.

Thanks.
e.