Attachment 294255 Details for Bug 431900 – selinux_alert_08

selinux_alert_08

selinux_alert_08.txt (text/plain), 3.43 KB, created by Valent Turkovic on 2008-02-07 18:38:49 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Valent Turkovic

Created: 2008-02-07 18:38:49 UTC

Size: 3.43 KB

patch

obsolete

>
>Summary:
>
>SELinux is preventing totem from loading
>/home/fedora/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so which requires text
>relocation.
>
>Detailed Description:
>
>The totem application attempted to load
>/home/fedora/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so which requires text
>relocation. This is a potential security problem. Most libraries do not need
>this permission. Libraries are sometimes coded incorrectly and request this
>permission. The SELinux Memory Protection Tests
>(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
>remove this requirement. You can configure SELinux temporarily to allow
>/home/fedora/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so to use relocation as
>a workaround, until the library is fixed. Please file a bug report
>(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
>
>Allowing Access:
>
>If you trust /home/fedora/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so to run
>correctly, you can change the file context to textrel_shlib_t. "chcon -t
>textrel_shlib_t '/home/fedora/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so'"
>You must also change the default file context files on the system in order to
>preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
>'/home/fedora/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so'"
>
>The following command will allow this access:
>
>chcon -t textrel_shlib_t '/home/fedora/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so'
>
>Additional Information:
>
>Source Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
>                              s0:c0.c1023
>Target Context                unconfined_u:object_r:user_home_t:s0
>Target Objects                /home/fedora/.gstreamer-0.10/plugins/libgstflumpeg
>                              2vdec.so [ file ]
>Source                        totem
>Source Path                   /usr/bin/totem
>Port                          <Unknown>
>Host                          localhost.localdomain
>Source RPM Packages           totem-2.21.92-1.fc9
>Target RPM Packages           
>Policy RPM                    selinux-policy-3.2.6-5.fc9
>Selinux Enabled               True
>Policy Type                   targeted
>MLS Enabled                   True
>Enforcing Mode                Enforcing
>Plugin Name                   allow_execmod
>Host Name                     localhost.localdomain
>Platform                      Linux localhost.localdomain 2.6.24-17.fc9 #1 SMP
>                              Mon Feb 4 19:02:27 EST 2008 i686 i686
>Alert Count                   1
>First Seen                    Thu 07 Feb 2008 07:35:30 PM CET
>Last Seen                     Thu 07 Feb 2008 07:35:30 PM CET
>Local ID                      ad1b3a57-f012-479d-bc27-95fba93dd2b4
>Line Numbers                  
>
>Raw Audit Messages            
>
>host=localhost.localdomain type=AVC msg=audit(1202409330.213:43): avc:  denied  { execmod } for  pid=6164 comm="totem" path="/home/fedora/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so" dev=dm-1 ino=311371 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
>
>host=localhost.localdomain type=SYSCALL msg=audit(1202409330.213:43): arch=40000003 syscall=125 success=no exit=-13 a0=10d8000 a1=56000 a2=5 a3=bf907750 items=0 ppid=6163 pid=6164 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="totem" exe="/usr/bin/totem" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)
>
>

Actions: View

Attachments on bug 431900: 294248 | 294249 | 294250 | 294251 | 294252 | 294253 | 294254 | 294255 | 294257