Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 234332 - F-Secure Policy Manager doesn't run in a SELinux environment
Summary: F-Secure Policy Manager doesn't run in a SELinux environment
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL: http://www.f-secure.com
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-03-28 15:33 UTC by Răzvan Sandu
Modified: 2007-11-30 22:12 UTC (History)
0 users

Fixed In Version: 2.5.11-4.fc7
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-07-17 22:26:45 UTC


Attachments (Terms of Use)

Description Răzvan Sandu 2007-03-28 15:33:59 UTC
Description of problem:

Some components of the F-Secure antivirus suite (Policy Manager and Management
Console) doesn't run with the default SELinux targeted policy.

Version-Release number of selected component (if applicable):

f-secure-automatic-update-agent-2.1.1489-1.i386.rpm
f-secure-policy-manager-console-7.00.4220-1.i386.rpm
f-secure-policy-manager-server-7.00.7040-1.i386.rpm
f-secure-policy-manager-web-reporting-7.00.235-1.i386.rpm


How reproducible:
Always.

Steps to Reproduce:
1. Install a clean FC6 + updates (28.03.2007), with SELinux targeted policy,
enforcing mode.
2. Install the above RPMs, available from http;//www.f-secure.com
3. Try to start installed services (Policy Manager). Service doesn't start.
4. Disable SELinux and retry to start services. Services now start.

  
Actual results:
Program does not perform as specified in a SELinux environment.

Expected results:
Program should perform as specified when SELinux is enabled.

Additional info:
Red Hat Enterprise Linux is mentioned as a supported OS by F-Secure.

Comment 1 Daniel Walsh 2007-03-28 20:17:57 UTC
What avc messages are you seeing in your log files?

/var/log/audit/audit.log


Comment 2 Răzvan Sandu 2007-04-02 06:39:44 UTC
Hello,

I can't respond to the above question right now (I don't have the testing
machine at hand).

However, this is the official answer I've got from F-Secure developer in Finland:

-------------------------------------------------------------------------------


Confirmed while testing on FC6 with selinux configured to enforcing + targeted

 

/etc/selinux/config

...

SELINUX=enforcing

...

SELINUXTYPE=targeted

 

Executing "/etc/init.d/fspms start" generated folllowing error:

 

"Cannot load /opt/f-secure/fspms/libexec/libfsmsh.so into server:
/opt/f-secure/fspms/libexec/librapi.so.0: cannot restore segment prot after
reloc: Permission denied"

 

/var/log/messages:

... avc: denied { execmod } for pid=2879 comm="fspms" name="librapi.so.0.0.0" ....

 

Checked http://docs.fedoraproject.org/selinux-faq-fc5/#faq-entry-unconfined_t

and per instructions, executed the following:

 

# /usr/sbin/semanage fcontext -a -t textrel_shlib_t
'/opt/f-secure/fspms/libexec/librapi.so.0.0.0'

# /sbin/restorecon -v /opt/f-secure/fspms/libexec/librapi.so.0.0.0

 

Now, when I stopped and started fspms, no problems noted and no avc errors in
syslog. Accessing both admin and host-port via localhost 80 and 8080 worked, too.
----------------------------------------------------------------------------


Regards,
Răzvan


Comment 3 Răzvan Sandu 2007-04-04 11:49:33 UTC
A bug regarding this was also created on F-Secure's website:

Number: 1-101072186
Created: 4.4.2007 14:38:24
Subject: F-Secure Policy Manager doesn't run in the default SELinux environment


Regards,
Răzvan



Comment 4 Daniel Walsh 2007-04-05 14:45:43 UTC
Fixed in selinux-policy-2.5.11-4.fc7


Note You need to log in before you can comment on or make changes to this bug.