[Ifeffit] Fwd: Horae-70 installation problem
Bruce Ravel
bravel at bnl.gov
Tue Jan 18 07:35:41 CST 2011
Hi all,
Has anyone here ever used security enhanced linux? I got the
following bug report from an SELinux user which includes an error
message from one of SELinux security systems.
Never having used SELinux myself, I don't quite understand the problem
Dr. Pan is observing once he uses chcon to change the security state
of the ifeffit library. And I don't have a machine on which to
explore this problem. I am hoping someone here might be more
knowledgable than I.
If anyone can offer any assistance to Dr. Pan, that would be great.
Thanks,
B
---------- Forwarded Message ----------
Subject: Horae-70 installation problem
Date: Saturday, January 15, 2011, 01:34:29 am
From: Guoqiang PAN <gqpan at ustc.edu.cn>
To: Bruce Ravel <bravel at bnl.gov>
Dear Dr. Ravel
Hi, thank you very much for the horae-70 for artemis, athema and
hephaestus XAFS software. Due to the detail for the installation,
I have installed in my PC linux of Fedora Core 10.
When artemis has been installed, it was failed to run correctly. There
is a detailed explanation of it in the attachment. I fixed it using
chcon -t textrel_shlib_t
'/usr/local/lib/perl5/site_perl/5.10.1/i686-linux/auto/Ifeffit/Ifeffit.so'
Afterwards, it seems work, but the data in the interface panel could not
be changed,please refer to the attached snapshot pictures.
My system information as follows:
[gqpan at localhost horae-070]$ uname -a
Linux localhost.localdomain 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18
12:19:59 EST 2008 i686 i686 i386 GNU/Linux
Thank you for your help!
Best regards!
Guoqiang PAN
National synchrotron Radiation Laboratory
University of Science & Technology of China
-----------------------------------------
--
Bruce Ravel ------------------------------------ bravel at bnl.gov
National Institute of Standards and Technology
Synchrotron Methods Group at NSLS --- Beamlines U7A, X24A, X23A2
Building 535A
Upton NY, 11973
My homepage: http://xafs.org/BruceRavel
EXAFS software: http://cars9.uchicago.edu/~ravel/software/exafs/
-------------- next part --------------
Summary:
SELinux is preventing artemis from loading
/usr/local/lib/perl5/site_perl/5.10.1/i686-linux/auto/Ifeffit/Ifeffit.so which
requires text relocation.
Detailed Description:
The artemis application attempted to load
/usr/local/lib/perl5/site_perl/5.10.1/i686-linux/auto/Ifeffit/Ifeffit.so which
requires text relocation. This is a potential security problem. Most libraries
do not need this permission. Libraries are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/local/lib/perl5/site_perl/5.10.1/i686-linux/auto/Ifeffit/Ifeffit.so to use
relocation as a workaround, until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
If you trust
/usr/local/lib/perl5/site_perl/5.10.1/i686-linux/auto/Ifeffit/Ifeffit.so to run
correctly, you can change the file context to textrel_shlib_t. "chcon -t
textrel_shlib_t
'/usr/local/lib/perl5/site_perl/5.10.1/i686-linux/auto/Ifeffit/Ifeffit.so'" You
must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/local/lib/perl5/site_perl/5.10.1/i686-linux/auto/Ifeffit/Ifeffit.so'"
Fix Command:
chcon -t textrel_shlib_t
'/usr/local/lib/perl5/site_perl/5.10.1/i686-linux/auto/Ifeffit/Ifeffit.so'
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0
Target Context unconfined_u:object_r:lib_t:s0
Target Objects /usr/local/lib/perl5/site_perl/5.10.1/i686-linux/a
uto/Ifeffit/Ifeffit.so [ file ]
Source artemis
Source Path /usr/local/bin/perl
Port <Unknown>
Host localhost.localdomain
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.5.13-18.fc10
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name allow_execmod
Host Name localhost.localdomain
Platform Linux localhost.localdomain 2.6.27.5-117.fc10.i686
#1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count 7
First Seen Sat 15 Jan 2011 10:42:37 AM CST
Last Seen Sat 15 Jan 2011 12:59:32 PM CST
Local ID 3d363441-10c1-43ce-b71a-092d207ca8e9
Line Numbers
Raw Audit Messages
node=localhost.localdomain type=AVC msg=audit(1295067572.730:78): avc: denied { execmod } for pid=24182 comm="artemis" path="/usr/local/lib/perl5/site_perl/5.10.1/i686-linux/auto/Ifeffit/Ifeffit.so" dev=sdb3 ino=1627281 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file
node=localhost.localdomain type=SYSCALL msg=audit(1295067572.730:78): arch=40000003 syscall=125 success=no exit=-13 a0=acaee000 a1=b0000 a2=5 a3=bfb5ff30 items=0 ppid=9285 pid=24182 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="artemis" exe="/usr/local/bin/perl" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: artemis.bmp
Type: image/bmp
Size: 4410054 bytes
Desc: not available
URL: <http://millenia.cars.aps.anl.gov/pipermail/ifeffit/attachments/20110118/7cdad80c/attachment.bmp>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: artemis_Cu.bmp
Type: image/bmp
Size: 4410054 bytes
Desc: not available
URL: <http://millenia.cars.aps.anl.gov/pipermail/ifeffit/attachments/20110118/7cdad80c/attachment-0001.bmp>
More information about the Ifeffit
mailing list