Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 452784 - SELinux is preventing /opt/openoffice.org2.4/program/soffice.bin from loading /opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1 which requires text relocation.
Summary: SELinux is preventing /opt/openoffice.org2.4/program/soffice.bin from loading...
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: selinux-doc
Version: 5.0
Hardware: i686
OS: Linux
low
high
Target Milestone: rc
: ---
Assignee: Miroslav Grepl
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-06-25 05:12 UTC by soma sekhar saraswatula
Modified: 2009-01-08 10:21 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-01-08 10:21:36 UTC
Target Upstream Version:


Attachments (Terms of Use)
secuity alert file generated by selinux when installing OOo_2.4.1_LinuxIntel_install_wJRE_en-US.tar (deleted)
2008-06-25 05:12 UTC, soma sekhar saraswatula
no flags Details

Description soma sekhar saraswatula 2008-06-25 05:12:55 UTC
Description of problem:
The /opt/openoffice.org2.4/program/soffice.bin application attempted to load
/opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1 which requires text
relocation. This is a potential security problem. Most libraries do not need
this permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests web page explains how to remove
this requirement. You can configure SELinux temporarily to allow
/opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1 to use relocation as a
workaround, until the library is fixed. 

Version-Release number of selected component (if applicable):
Source Context:  root:system_r:unconfined_t:SystemLow-SystemHighTarget
Context:  system_u:object_r:usr_tTarget
Objects:  /opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1 [ file
]Affected RPM Packages:  openoffice.org-core02-2.4.1-9310
[application]openoffice.org-core04u-2.4.1-9310 [target]Policy
RPM:  selinux-policy-2.4.6-30.el5Selinux Enabled:  TruePolicy Type:  targetedMLS
Enabled:  TrueEnforcing Mode:  EnforcingPlugin Name:  plugins.allow_execmodHost
Name:  linuxmmi01Platform:  Linux linuxmmi01 2.6.18-8.el5 #1 SMP Fri Jan 26
14:15:21 EST 2007 i686 i686Alert Count:  4Line Numbers:  


How reproducible:
installing OOH680_m17_native_packed-1_en-US.9310

Steps to Reproduce:
1. download OOo_2.4.1_LinuxIntel_install_wJRE_en-US.tar
2. Unzip and run script setup
3. 
  
Actual results:
Raw Audit Messages :avc: denied { execmod } for comm="soffice.bin" dev=dm-0
egid=0 euid=0 exe="/opt/openoffice.org2.4/program/soffice.bin" exit=-13 fsgid=0
fsuid=0 gid=0 items=0 name="libvclplug_gen680li.so.1.1"
path="/opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1" pid=13193
scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 sgid=0
subj=root:system_r:unconfined_t:s0-s0:c0.c1023 suid=0 tclass=file
tcontext=system_u:object_r:usr_t:s0 tty=(none) uid=0 

Expected results:
Successfull running of OOfice without changing security bit changes

Additional info:
If you trust /opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1 to run
correctly, you can change the file context to textrel_shlib_t. "chcon -t
textrel_shlib_t /opt/openoffice.org2.4/program/libvclplug_gen680li.so.1.1"The
following command will allow this access:chcon -t textrel_shlib_t
/opt/openoffice.org2.4/program/libvclplug_gen680li

Comment 1 soma sekhar saraswatula 2008-06-25 05:12:55 UTC
Created attachment 310209 [details]
secuity alert file generated by selinux when installing OOo_2.4.1_LinuxIntel_install_wJRE_en-US.tar

Comment 2 Tony Fu 2008-10-06 01:27:24 UTC
User jkubin@redhat.com's account has been closed

Comment 3 Miroslav Grepl 2009-01-08 10:21:36 UTC
This should be reported as a bug to the maintainers. They should fix the library. 

Execute:

# semanage fcontext -a -t textrel_shlib_t  '/opt/openoffice.org2.4/program/lib.*'
# restorecon -R -v /opt/openoffice.org2.4/program/

Should fix it.


Note You need to log in before you can comment on or make changes to this bug.