On Sun, 2006-05-28 at 07:15 -0400, Daniel J Walsh wrote:
> Jurgen Kramer wrote:
> > On Sun, 2006-05-28 at 11:01 +0100, Paul Howarth wrote:
> >
> >> On Sun, 2006-05-28 at 11:57 +0200, Jurgen Kramer wrote:
> >>
> >>> On Sat, 2006-05-27 at 21:40 +0100, Paul Howarth wrote:
> >>>
> >>>> On Sat, 2006-05-27 at 18:54 +0200, Jurgen Kramer wrote:
> >>>>
> >>>>> I am trying to add a custom PAM module (pam_poldi.so) to my FC5 system
> >>>>> to be able to login using an OpenPGP smartcard. I already changed the
> >>>>> security context of /lib/security/pam_poldi.so to match the other pam
> >>>>> modules (system_u:object_r:lib_t) but it seems that is not enough. In
> >>>>> syslog I still see:
> >>>>>
> >>>>> su: PAM unable to dlopen(/lib/security/pam_poldi.so)
> >>>>> su: PAM [error: /lib/security/pam_poldi.so: cannot restore segment prot
> >>>>> after reloc: Permission denied]
> >>>>>
> >>>>> This can probably be fixed with a chcon -t
> >>>>> textrel_shlib_t /lib/security/pam_poldi.so
> >>>>>
> >>>>> This will probably not survive an selinux update or relabel session.
> >>>>> What is the proper way to add the module so it will survive relabels and
> >>>>> selinux updates?
> >>>>>
> >>>> This should do it:
> >>>>
> >>>> # semanage fcontext -a -t textrel_shlib_t -f
> >>>> -- /lib/security/pam_poldi.so
> >>>>
> >>>> (that's all one long line)
> >>>>
> >>>> You could test it by changing the context back to lib_t and then doing:
> >>>>
> >>>> # restorecon -v /lib/security/pam_poldi.so
> >>>>
> >>>> which should set it back to textrel_shlib_t.
> >>>>
> >>> Unfortunately that did not do it :(
> >>>
> >>> I still get:
> >>>
> >>> su: PAM unable to dlopen(/lib/security/pam_poldi.so)
> >>> su: PAM [error: /lib/security/pam_poldi.so: cannot restore segment prot
> >>> after reloc: Permission denied]
> >>> su: PAM adding faulty module: /lib/security/pam_poldi.so
> >>>
> >>> Any ideas?
> >>>
> >> 1. Is the context type of /lib/security/pam_poldi.so currently set to
> >> textrel_shlib_t?
> >>
> >
> > [root@paragon ~]# ls -Z /lib/security/pam_poldi.so
> > -rwxr-xr-x root root
> > system_u:object_r:lib_t /lib/security/pam_poldi.so
> >
> chcon -t textrel_shlib_t /lib/security/pam_poldi.so

I tried that first time round, unfortunately it didn't work. Normally it
would do the job.

> Also report this as a bug to the shippers of /lib/security/pam_poldi.so
> they probably have a build problem.
>
> Reference
>
> SELinux Memory Protection Tests
> <http://people.redhat.com/%7Edrepper/selinux-mem.html>

Thanks, I will report this to the maker of pam_poldi.

Jurgen