On Monday 24 April 2006 16:27, Paul Howarth wrote:
[...]
>> > while app-fails-to-run
>> > do
>> >    note failing library filename
>> >    chcon -t textrel_shlib_t /path/to/libXYZ.so.number
>> > done
>>
>> Where does one find this info since java normally runs silently? I
>> have copied the java ns7 plugin to the firefox plugins dir, but it's
>> still not found, and running firefox from the shell and doing an
>> about:plugins leaves a blank shell when firefox is then quit.
>
> You might find selinux denial messages in /var/log/messages - search
> for the string "avc:  denied" (note the two spaces after the colon).
> You can also check to make sure it's an SELinux problem by doing
> "setenforce 0" and see if there's still a problem.

Yeee Gods, the log is drowning in them, and what's more, logrotate
isn't rotating the logs. I thought anacron was supposed to take care
of that? Anyway, here's the last few minutes of the log:

Apr 24 18:06:00 diablo kernel: hdc: cdrom_pc_intr: The drive appears confused (ireason = 0x01)
Apr 24 18:11:30 diablo kernel: hdc: cdrom_pc_intr: The drive appears confused (ireason = 0x01)
Apr 24 18:24:12 diablo kernel: hdc: cdrom_pc_intr: The drive appears confused (ireason = 0x01)
Apr 24 18:30:27 diablo kernel: hdc: cdrom_pc_intr: The drive appears confused (ireason = 0x01)
Apr 24 18:34:06 diablo kernel: hdc: cdrom_pc_intr: The drive appears confused (ireason = 0x01)
Apr 24 18:34:43 diablo kernel: hdc: cdrom_pc_intr: The drive appears confused (ireason = 0x01)
Apr 24 18:41:45 diablo kernel: audit(1145918505.112:334): avc:  denied  { execmod } for  pid=4250 comm="java" name="libawt.so" dev=hda5 ino=9561458 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:object_r:tmp_t:s0 tclass=file
Apr 24 18:44:24 diablo kernel: hdc: cdrom_pc_intr: The drive appears confused (ireason = 0x01)
Apr 24 18:50:45 diablo kernel: hdc: cdrom_pc_intr: The drive appears confused (ireason = 0x01)
Apr 24 18:57:43 diablo kernel: hdc: cdrom_pc_intr: The drive appears confused (ireason = 0x01)
Apr 24 19:01:01 diablo kernel: audit(1145919661.432:335): avc:  granted  { setenforce } for  pid=4383 comm="setenforce" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=security
Apr 24 19:01:29 diablo gconfd (root-4406): starting (version 2.14.0), pid 4406 user 'root'
Apr 24 19:01:29 diablo gconfd (root-4406): Resolved address "xml:readonly:/etc/gconf/gconf.xml.mandatory" to a read-only configuration source at position 0
Apr 24 19:01:29 diablo gconfd (root-4406): Resolved address "xml:readwrite:/root/.gconf" to a writable configuration source at position 1
Apr 24 19:01:29 diablo gconfd (root-4406): Resolved address "xml:readonly:/etc/gconf/gconf.xml.defaults" to a read-only configuration source at position 2
Apr 24 19:02:29 diablo gconfd (root-4406): GConf server is not in use, shutting down.
Apr 24 19:02:29 diablo gconfd (root-4406): Exiting

> You might also try my Java HOWTO:
> http://www.city-fan.org/tips/JpackageJava

I'll take a look at that. But first I've got to get logrotate to
rotate the friggin log, it must be a megabyte or more. No, actually
it's rapidly approaching 4 megs, dating back to when I installed FC5 I
think, 4/16. WTF is this?

[root@diablo etc]# cron.daily/logrotate
error: freshclam:8 unknown user 'clamav'

and it dies instantly. This is getting frustrating. According to that
log I had yum install clamav on the 20th. If clamav needs a user
clamav, why the heck didn't it make one? In any event, a yum remove
clamav fixed that, and logrotate ran normally this time.

Back to a printout of the above link. I expect to be back.

>> > As a matter of interest, a lot of libraries need this treatment;
>> > you can see the ones SELinux already knows about as follows:
>> >
>> > # semanage fcontext -l | grep textrel
>>
>> here, that's VERY limited
>>
>> [root@diablo ~]# semanage fcontext -l |grep texrel
>> /usr(/.*)?/intellinux/plug_ins/.*\.api    regular file    system_u:object_r:texrel_shlib_t:s0
>> /usr(/.*)?/intellinux/nppdf\.so           regular file    system_u:object_r:texrel_shlib_t:s0
>> /usr/lib(64)?/libsipphoneapi\.so.*        regular file    system_u:object_r:texrel_shlib_t:s0
>> /usr(/.*)?/intellinux/lib/\.so            regular file    system_u:object_r:texrel_shlib_t:s0
>
> You'll get a much bigger list using "textrel" instead of "texrel".

Correct, very voluminous now.

>> Looking in the firefox plugins dir after installing j2se-1.5.0.6 and
>> copying the ns7 version of the libhavaplugins.so
>> to /usr/lib/firefox-version/plugins I see:
>>
>> [root@diablo plugins]# ls -lZ
>> -rwxr-xr-x  root root root:object_r:lib_t                libjavaplugin_oji.so
>> -rwxr-xr-x  root root system_u:object_r:textrel_shlib_t  libnullplugin.so
>> -rwxr-xr-x  root root system_u:object_r:textrel_shlib_t  libunixprintplugin.so
>> -rwxr-xr-x  root root system_u:object_r:textrel_shlib_t  nppdf.so
>>
>> Now, maybe I'm slow this morning, but my reading of the semanage
>> manpage makes no mention of setting a 'default' that a relabel will
>> leave alone.
>
> Using semanage you can change policy for file contexts amongst other
> things. This affects the contexts applied to files using restorecon
> etc.
>
>> I've used chcon to set libjavaplugin_oji.so to textrel_shlib_t,
>>
>> [root@diablo plugins]# ls -lZ
>> -rwxr-xr-x  root root root:object_r:textrel_shlib_t      libjavaplugin_oji.so
>> -rwxr-xr-x  root root system_u:object_r:textrel_shlib_t  libnullplugin.so
>> -rwxr-xr-x  root root system_u:object_r:textrel_shlib_t  libunixprintplugin.so
>> -rwxr-xr-x  root root system_u:object_r:textrel_shlib_t  nppdf.so
>>
>> but how do I change it from root: to system_u:? (I'm assuming that
>> will allow all users as opposed to just root to use it)
>
> The "root" doesn't matter. In targeted policy you only need worry
> about the type, not the user.
>
> If you really want to change it though, try:
>
> # chcon system_u:object_r:textrel_shlib_t libjavaplugin_oji.so
>
>> And FWIW, this change did not enable java in the firefox plugins
>> listings.
>>
>> And how do we make it permanent in the face of another relabel?
>
> Something like this should work:
>
> # semanage fcontext -a -f -- -t textrel_shlib_t \
>    '/usr/lib(64)?/firefox.*/plugins/.*\.so'

[root@diablo etc]# semanage fcontext -a -f -- -t textrel_shlib_t \
'/usr/lib(64)?/firefox.*/plugins/.*\.so'
-bash: /usr/lib(64)?/firefox.*/plugins/.*\.so: No such file or directory

So I went directly to the /usr/lib/firefox-1.5.0.2/plugins dir,
stripped the path off that command and reran it, and it did change the
perms but didn't make firefox show me any java stuff in about:plugins.
And it logged nothing when I ran firefox. That's a real copy of that
library, not a link, should that affect it? And a setenforce 0 was in
effect too. Just to test I reset setenforce to 1, and did a reload on
the about:plugins, nothing in the log. So this would not appear to be,
just yet, an SELinux issue. So I'll chase on down through your
tutorial, playing this tune one note at a time.

> Paul.

-- 
Cheers, Gene
People having trouble with vz bouncing email to me should add the word
'online' between the 'verizon', and the dot which bypasses vz's stupid
bounce rules. I do use spamassassin too. :-)
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2006 by Maurice Eugene Heskett, all rights reserved.
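An added example, not part of the thread above: a small Python parser that picks the AVC denials out of a /var/log/messages excerpt like the one Gene posted (the sample lines are reconstructed from the mail with the double spaces SELinux emits after "avc:" restored) and turns an execmod denial on a file into the chcon step from the loop Paul quoted. The /PATH/TO placeholder and the find-by-inode hint are assumptions, since the log carries only the file's name, device and inode.

```python
import re
from typing import Optional

# Constructed sample: three lines from the mail's log excerpt, with the
# whitespace the kernel actually prints ("avc:  denied  {") restored.
SAMPLE_LOG = """\
Apr 24 18:34:43 diablo kernel: hdc: cdrom_pc_intr: The drive appears confused (ireason = 0x01)
Apr 24 18:41:45 diablo kernel: audit(1145918505.112:334): avc:  denied  { execmod } for  pid=4250 comm="java" name="libawt.so" dev=hda5 ino=9561458 scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=root:object_r:tmp_t:s0 tclass=file
Apr 24 19:01:01 diablo kernel: audit(1145919661.432:335): avc:  granted  { setenforce } for  pid=4383 comm="setenforce" scontext=root:system_r:unconfined_t:s0-s0:c0.c255 tcontext=system_u:object_r:security_t:s0 tclass=security
"""

# Tolerates one or more spaces, so grep-collapsed copies still match.
AVC_RE = re.compile(r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line: str) -> Optional[dict]:
    """Parse one syslog line; return None unless it carries an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:level]; only the type matters in targeted policy.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def denials(log_text: str) -> list:
    """Denied AVC records in log order; granted records and unrelated noise are dropped."""
    return [r for r in map(parse_avc, log_text.splitlines()) if r and r["result"] == "denied"]


def suggest_fix(rec: dict) -> Optional[str]:
    """For an execmod denial on a file, the chcon step from the mail's loop.
    The path is not in the log, so /PATH/TO is a placeholder (assumption)."""
    if rec.get("tclass") != "file" or "execmod" not in rec["perms"]:
        return None
    return ("chcon -t textrel_shlib_t /PATH/TO/%s   # now %s; locate with: find / -inum %s"
            % (rec["name"], rec["tcontext_type"], rec["ino"]))


if __name__ == "__main__":
    for rec in denials(SAMPLE_LOG):
        print(rec["comm"], rec["perms"], rec.get("name"), rec["tcontext_type"])
        print(suggest_fix(rec))
```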