> Why don't people read my man pages?
Unfortunately because for a lot of new stuff, the developer doesn't write a man page (or keep it up to date).

Which means the user stops looking.

An application "firefox-bin" on your system attempted to load a library "libflashplayer.so" that requires text relocation. This is a potential security problem. Most libraries should not need this permission. Libraries are sometimes coded incorrectly and request this permission. You can configure SELinux temporarily to allow this to happen as a workaround until the library is fixed, but please file a bugzilla against package flash-plugin-7.0.63-1 to get the library corrected. Execute the following command, "chcon -t textrel_shlib_t /usr/lib/flash-plugin/libflashplayer.so" if you want to allow the application to continue.

I hang out on Linux end-user support sites, and I can tell you that even this is not clear enough. The questions that will result from the improved message:

- firefox-bin: What's that? Is it the same as Mozilla Firefox?
- library "libflashplayer.so": What's a library?
- text relocation: This is a completely meaningless phrase.
- until the library is fixed: How will I know when it's fixed?
- file a bugzilla: How do I do this?
- Execute the following command: How? In a terminal? As root? How do I issue the command as root?
- chcon -t textrel_shlib_t /usr/lib/flash-plugin/libflashplayer.so: You've got to be kidding! What does this mean?

It's very hard for most developers to put themselves into the mental mindset of an end-user. If you really want to address this for users, my suggestion is:

Generate a pop-up message (like a balloon on the toolbar), that says something along the lines of:

"The application 'Mozilla Firefox' would like permission to use a possibly insecure plugin. If you would like to allow this, click here."

Beyond that, you are not addressing users, but administrators.

Man Pages

The unfortunate thing about man pages is that they are usually written by the developer, and while they may code really well, they might not write very well. Even if they do write very well, most man pages suffer from reader myopia, in that the writer is too close to the subject and makes the prose somewhat intractable.....

Just my two cents worth.


I'd like to see SELinux actually _log_ messages somewhere between the actual AVC message and your long-verbose-version. (It should of course still log the cryptic "real" message, but at the "debug" syslog level.)

I strongly believe that at this stage, SELinux needs better sysadmin buy-in to succeed, and while we've got a thick skin for arcane messages, SELinux is too much all at once.

(And I still stand by my earlier suggestion of getting rid of "_u", "_r", and "_t"....)

I agree with what macemoneta said, with the addition of a "details" button which contains your "nice" text, along with a link to the actual system message (in another tab?). This should probably use DBus and libnotify.

Text Relocation problem with Seamonkey

Running into this problem with the flash-plugin as well as with the Seamonkey suite also exhibiting this error, it was easier to just put SELinux into permissive instead of researching the problem.
Anyway, having a popup screen that informed me that seamonkey-bin would not start because of text relocation and generating a bug report would be fine. The problem lies in the fact that the submittal of reports needs a mailer other than sendmail from localhost on most systems due to spam prevention efforts at most sites to which a bug report will be submitted. Saving the information to a file and advising the user to include it with a bug report would probably be wiser. Sending the warning to the system administrator will also help.
With the error due to text relocation encountered by myself and other users, the application just did not launch. The bug-buddy or SELinux tool informing me that there was a problem and to submit a report and also use the command to be able to use the application until the patch is applied would have helped out a lot.



So, I had a problem with the latest SELinux policy on Fedora Core 6 for OpenOffice.org 2.1

cat /var/log/messages | grep soffice.bin said that OO requires text relocation. I'm a newbie in Linux (only one year of experience) and I've asked Google to help me. That's how I'm here :)

So, I tried your Seamonkey solution for OO and it now works :) That's beautiful :)

where did httpd try to write given this AVC?

time->Mon Sep 23 05:22:02 2013
type=SYSCALL msg=audit(1379928122.825:295): arch=c000003e syscall=2 success=no exit=-13 a0=7f95aae20c20 a1=242 a2=1b6 a3=0 items=0 ppid=14896 pid=14897 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)
type=AVC msg=audit(1379928122.825:295): avc: denied { write } for pid=14897 comm="httpd" name="jk.shm.14897" dev=dm-0 ino=262746 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file

I see that httpd tries to write jk.shm.14897 but no idea which target directory it is using. Any ideas?

Re: where did httpd try to write given this AVC?

locate jk.shm.15897

Does not show anything?

You can turn on full auditing by executing

auditctl -w /etc/shadow

And then trigger another AVC.

Did you change any default labelling?
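
Added example, not part of the original comments: a small Python parser that correlates the SYSCALL and AVC records quoted in the question by their shared event id and decodes what the two lines already say (which syscall, open flags, mode, errno, denied permission, source and target types). The syscall and flag tables are a minimal Linux x86_64 subset chosen for this event, and the function names are this example's own.

```python
import errno
import re

# Records copied from the question above; both carry event serial 295.
SYSCALL = 'type=SYSCALL msg=audit(1379928122.825:295): arch=c000003e syscall=2 success=no exit=-13 a0=7f95aae20c20 a1=242 a2=1b6 a3=0 items=0 ppid=14896 pid=14897 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" subj=unconfined_u:system_r:httpd_t:s0 key=(null)'
AVC = 'type=AVC msg=audit(1379928122.825:295): avc: denied { write } for pid=14897 comm="httpd" name="jk.shm.14897" dev=dm-0 ino=262746 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:httpd_log_t:s0 tclass=file'

# Linux x86_64 values (arch=c000003e); only the subset needed for this event.
SYSCALLS = {2: "open"}
OPEN_FLAGS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC", 0o2000: "O_APPEND"}
ACCMODE = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

def fields(record):
    """Split one audit record into key=value fields, stripping quotes."""
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', record)
    return {k: v.strip('"') for k, v in pairs}

def event_id(record):
    """Return 'timestamp:serial', which ties the records of one event together."""
    return re.search(r"audit\(([\d.]+:\d+)\)", record).group(1)

def explain(records):
    """Correlate the SYSCALL, AVC and optional PATH records of one event."""
    ids = {event_id(r) for r in records}
    if len(ids) != 1:
        raise ValueError("records belong to different events: %s" % sorted(ids))
    by_type = {fields(r)["type"]: r for r in records}
    sc, avc = fields(by_type["SYSCALL"]), fields(by_type["AVC"])
    flags = int(sc["a1"], 16)  # syscall arguments are logged in hex
    names = [ACCMODE[flags & 3]] + [n for bit, n in OPEN_FLAGS.items() if flags & bit]
    path = fields(by_type["PATH"])["name"] if "PATH" in by_type else None
    return {
        "event": ids.pop(),
        "syscall": SYSCALLS.get(int(sc["syscall"]), sc["syscall"]),
        "flags": names,
        "mode": oct(int(sc["a2"], 16)),
        "error": errno.errorcode.get(-int(sc["exit"])),
        "denied": re.search(r"\{ ([^}]*) \}", by_type["AVC"]).group(1).split(),
        "source_type": avc["scontext"].split(":")[2],
        "target_type": avc["tcontext"].split(":")[2],
        "name": avc["name"], "dev": avc["dev"], "inode": int(avc["ino"]),
        "path": path,  # None here: items=0, so no PATH record was logged
    }

if __name__ == "__main__":
    for key, value in explain([SYSCALL, AVC]).items():
        print(f"{key:12} {value}")
```

With items=0 there is no PATH record, so `path` is None; the dev and ino fields still identify the file, for example with `find <mount point of dm-0> -xdev -inum 262746`.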

Re: where did httpd try to write given this AVC?

btw I've just hit this incomprehensible error:
time->Mon Sep 23 12:26:21 2013
type=USER_AVC msg=audit(1379953581.314:170): user pid=3316 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)'

Any idea what could have caused this?

P.S. do you see my previous message? It was marked as spam but I see it here.

Edited at 2013-09-24 04:20 pm (UTC)

