On Mon, 2006-04-24 at 14:32 -0400, Gene Heskett wrote: > On Monday 24 April 2006 13:48, Paul Howarth wrote: > >On Mon, 2006-04-24 at 13:38 -0400, Gene Heskett wrote: > >> From previous remarks made in this and similar threads, I'm > >> wondering about the java J2SE I'm currently downloading to that FC5 > >> lappy. > >> > >> In that event, is the correct chcon command: > >> chcon -t > >> texrel_shlib_t > >> /path/to/directory_of_library_being_complained_about/*.so > > > >Sometimes the directory is shared with other things so that might not > > be advisable. > > > >Try something more along the lines of: > > > >while app-fails-to-run > >do > > note failing library filename > > chcon -t textrel_shlib_t /path/to/libXYZ.so.number > >done > > Where does one find this info since java normally runs silently? I have > copied the java ns7 plugin to the firefox plugins dir, but its still > not found, and running firefox from the shell and doing an > about:plugins leaves a blank shell when firefox is then quit. You might find selinux denial messages in /var/log/messages - search for the string "avc: denied" (note the two spaces after the colon). You can also check to make sure it's an SELinux problem by doing "setenforce 0" and see if there's still a problem. You might also try my Java HOWTO: http://www.city-fan.org/tips/JpackageJava > >As a matter of interest, a lot of libraries need this treatment; you > > can see the ones SELinux already knows about as follows: > > > ># semanage fcontext -l | grep textrel > > here, thats VERY limited > > [root@diablo ~]# semanage fcontext -l |grep texrel > /usr(/.*)?/intellinux/plug_ins/.*\.api regular file > system_u:object_r:texrel_shlib_t:s0 > /usr(/.*)?/intellinux/nppdf\.so regular file > system_u:object_r:texrel_shlib_t:s0 > /usr/lib(64)?/libsipphoneapi\.so.* regular file > system_u:object_r:texrel_shlib_t:s0 > /usr(/.*)?/intellinux/lib/\.so regular file > system_u:object_r:texrel_shlib_t:s0 You'll get a much bigger list using "textrel" instead of "texrel". > Looking in the firefox plugins dir after installing j2se-1.5.0.6 and > copying the ns7 version of the libhavaplugins.so > to /usr/lib/firefox-version/plugins I see: > > [root@diablo plugins]# ls -lZ > -rwxr-xr-x root root root:object_r:lib_t > libjavaplugin_oji.so > -rwxr-xr-x root root system_u:object_r:textrel_shlib_t > libnullplugin.so > -rwxr-xr-x root root system_u:object_r:textrel_shlib_t > libunixprintplugin.so > -rwxr-xr-x root root system_u:object_r:textrel_shlib_t nppdf.so > > Now, maybe I'm slow this morning, but my reading of the semanage manpage > makes no mention of setting a 'default' that a relabel will leave > alone. Using semanage you can change policy for file contexts amongst other things. This affects the contexts applied to files using restorecon etc. > I've used chcon to set libjavaplugin_oji.so to textrel_shlib_t, > > root@diablo plugins]# ls -lZ > -rwxr-xr-x root root root:object_r:textrel_shlib_t > libjavaplugin_oji.so > -rwxr-xr-x root root system_u:object_r:textrel_shlib_t > libnullplugin.so > -rwxr-xr-x root root system_u:object_r:textrel_shlib_t > libunixprintplugin.so > -rwxr-xr-x root root system_u:object_r:textrel_shlib_t nppdf.so > > but how do I change it from root: to system_u:? (I'm assuming that will > allow all users as opposed to just root to use it) The "root" doesn't matter. In targeted policy you only need worry about the type, not the user. If you really want to change it though, try: # chcon system_u:object_r:textrel_shlib_t libjavaplugin_oji.so > And FWIW, This change did not enable java in the firefox plugins > listings. > > And how do we make it permanent in the face of another relabel? Something like this should work: # semanage fcontext -a -f -- -t textrel_shlib_t \ '/usr/lib(64)?/firefox.*/plugins/.*\.so' Paul.