Re: [Amsn-devel] SELinux nightmares

Wed, 17 May 2006 10:40:07 -0700 

Hi,
texrel_shlib_t means the library can do text relocation if I remember well...
In fact the trouble comes from the fact you link statically... The libc needs 
texrel... When you link against the so, the so already has the good 
context...
So, you must link dynamically...
Phil
PS About Fedora packaging, we will need to provide the package with TkCxImage 
not linked statically because it brought many troubles.... (look at forums)

Le Mercredi 17 Mai 2006 17:54, GrdScarabe a écrit :
> Hi,
>
> I've worked a bit with SELinux, the problem is from the policy, it is
> necessary to insert libtls-1.50.so to the type texrel_shlib_t it seems...
> The problem is that this type is not part of the standard policy. What
> distribution do you use ? Can you send the file defining this type
> (should be in /etc/security somewhere) ?
>
> So the way to force anyone to do it depends ... on the distribution. I
> guess Fedora has a way to add new entries to the policy with rpms...I
> don't know more about though.
>
> Moreover, adding entries to the policy is not really easy and needs to
> have all the policy sources and recompile everything and reload it
> (special role). The developers are working on a more modular way to do
> it but I think it is not ready yet :(
>
> GrdScarabe
>
> Jonne Zutt wrote:
> > And I made my version now work by running
> >   chcon -c -v -u system_u -r object_r -t texrel_shlib_t
> > /path/to/libtls-1.50.so
> >
> > as user, not as root ...
> >
> > Maybe someone who understands selinux can shed his/her light on this.
> > What does texrel_shlib_t mean?
> >
> > Jonne.
> >
> >> Well, so I decided to make aMSN use TLS 1.50 ...
> >>
> >> I tried Sander's rpm with rpm2targz but it didn't work, failed on some
> >> .so I didn't have. I tried compiling one on my pc, sent it to Jonne,
> >> didn't work. We decided to make it link statically, and after hours of
> >> sweating, Jonne found the way to do it:
> >>
> >> ./configure --with-ssl-dir=/usr
> >> make
> >> gcc -pipe -shared -o libtls1.50.so tls.o tlsIO.o tlsBIO.o tlsX509.o
> >> fixstrtod.o -Wl,-Bstatic -lssl -lcrypto -Wl,-Bdynamic
> >>
> >> This produced a non-working .so on him and a working .so on me :
> >>
> >> bash-3.00$ cd tls1.50/
> >> bash-3.00$ ldd libtls-1.50.so
> >>         linux-gate.so.1 =>  (0xffffe000)
> >>         libc.so.6 => /lib/tls/libc.so.6 (0xb7d19000)
> >>         /lib/ld-linux.so.2 (0x80000000)
> >>
> >> Just like the .so from 1.4 . I sent him my .so and now SELinux gives him
> >> an error:
> >>
> >> Cannot restore segment prot after reloc: Permission denied
> >>
> >> The solution is to run chcon on the .so as root, but I can't find an
> >> easy way to force everyone who is using SELinux to do so.
> >>
> >> ANY IDEAS?????
> >>
> >> If you want, I have uploaded what I have so far on
> >>
> >> http://www.autom.teithe.gr/~vivia/tls-1.5.0-linux-x86.tar.gz
>
> -------------------------------------------------------
> Using Tomcat but need to do more? Need to support web services, security?
> Get stuff done quickly with pre-integrated technology to make your job
> easier Download IBM WebSphere Application Server v.1.0.1 based on Apache
> Geronimo
> http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Amsn-devel mailing list
> Amsn-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/amsn-devel



-------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid0709&bid&3057&dat1642
_______________________________________________
Amsn-devel mailing list
Amsn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/amsn-devel

Reply via email to