--------------------------------------------------------------------- Fedora Test Update Notification FEDORA-2005-486 2005-06-27 ---------------------------------------------------------------------
Product : Fedora Core 3 Name : selinux-policy-targeted Version : 1.17.30 Release : 3.15 Summary : SELinux targeted policy configuration Description : Security-enhanced Linux is a patch of the Linux® kernel and a number of utilities with enhanced security functionality designed to add mandatory access controls to Linux. The Security-enhanced Linux kernel contains new architectural components originally developed to improve the security of the Flask operating system. These architectural components provide general support for the enforcement of many kinds of mandatory access control policies, including those based on the concepts of Type Enforcement®, Role-based Access Control, and Multi-level Security.
This package contains the SELinux example policy configuration along with the Flask configuration information and the application configuration files.
---------------------------------------------------------------------
* Sat Jun 25 2005 Dan Walsh dwalsh@redhat.com 1.17.30-3.15
- Fix /opt definition
--------------------------------------------------------------------- This update can be downloaded from: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/testing/3/
6812e04c2221c8a76876fefcbcbd9809 SRPMS/selinux-policy-targeted-1.17.30-3.15.src.rpm 8b131adb7b427cd35334e8d952cab32c x86_64/selinux-policy-targeted-1.17.30-3.15.noarch.rpm 74d22d88880572b1753b465e87b66bcb x86_64/selinux-policy-targeted-sources-1.17.30-3.15.noarch.rpm 8b131adb7b427cd35334e8d952cab32c i386/selinux-policy-targeted-1.17.30-3.15.noarch.rpm 74d22d88880572b1753b465e87b66bcb i386/selinux-policy-targeted-sources-1.17.30-3.15.noarch.rpm
This update can also be installed with the Update Agent; you can launch the Update Agent with the 'up2date' command. You may need to edit your up2date channels configuration. Within /etc/sysconfig/rhn/sources enable the following line: yum updates-testing http://download.fedora.redhat.com/pub/fedora/linux/core/updates/testing/3/$A... ---------------------------------------------------------------------
Acrobat Reader 7 (non-RPM install) is still broken:
Jun 27 18:04:00 home kernel: audit(1119913440.472:0): avc: denied { execmod } for pid=5877 comm=acroread path=/opt/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=md1 ino=578545 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file Jun 27 18:04:00 home kernel: audit(1119913440.495:0): avc: denied { execmod } for pid=5877 comm=acroread path=/opt/Adobe/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl dev=md1 ino=578612 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
Ian Pilcher wrote:
Acrobat Reader 7 (non-RPM install) is still broken:
Jun 27 18:04:00 home kernel: audit(1119913440.472:0): avc: denied { execmod } for pid=5877 comm=acroread path=/opt/Adobe/Acrobat7.0/Reader/intellinux/plug_ins/AcroForm.api dev=md1 ino=578545 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file Jun 27 18:04:00 home kernel: audit(1119913440.495:0): avc: denied { execmod } for pid=5877 comm=acroread path=/opt/Adobe/Acrobat7.0/Reader/intellinux/SPPlugins/ADMPlugin.apl dev=md1 ino=578612 scontext=user_u:system_r:unconfined_t tcontext=root:object_r:usr_t tclass=file
OK, I've got Acrobat Reader 7 working with this policy. It turns out that it includes a number of shared library files with names that don't end in .so. The following got it working for me:
cd /opt/Adobe/Acrobat7.0/Reader/intellinux chcon -t shlib_t SPPlugins/ADMPlugin.apl plug_ins/*.api
restorecon did not recognize that these files were mislabeled. In fact, it thinks that they should be changed back to usr_t. Presumably, it should be enhanced to look at things other than file name.
-
Daniel J Walsh -
Ian Pilcher