Bug 145067
| Summary: | Execmod denials: texrel_shlib_t list | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Ivan Gyurdiev <ivg231> |
| Component: | selinux-policy-strict | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED RAWHIDE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | rawhide | CC: | kim-rh |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | | |
| Hardware: | i386 | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2006-08-15 11:33:18 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Ivan Gyurdiev
2005-01-14 01:32:39 UTC
X and nvidia:

audit(1106088181.401:0): avc: denied { execmod } for pid=3119 comm=X path=/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629 dev=dm-0 ino=526001 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:shlib_t tclass=file

(this one in enforcing mode)

Here are the libs with text relocations, I think:

```
[phantom@cobra lib]$ for FILE in `/sbin/ldconfig -p|sed -e s/.*"=> "//|uniq` `ls /usr/lib/firefox*/plugins/*` `ls /usr/lib/mozilla*/plugins/*`; do if [ ! -z "`readelf -d "$FILE" 2>/dev/null|grep TEXTREL`" ]; then if [ -L "$FILE" ]; then echo "$FILE"|sed -e s/`basename "$FILE"`/"`ls -l "$FILE"|sed -e s/.*"-> "//`"/; else echo "$FILE"; fi; fi; done | uniq
/usr/lib/libxvidcore.so.4.0
/usr/lib/libstdc++.so.2.7.2.8
/usr/lib/libpostproc.so.0.0.1
/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629
/usr/lib/nvidia/libnvidia-tls.so.1.0.6629
/usr/lib/libmp3lame.so.0.0.0
/usr/lib/libmlib_jai.so
/usr/lib/libgsm.so.1.0.10
/usr/lib/libglide3.so.3.10.0
/usr/lib/libg++.so.2.7.2.8
/usr/lib/libdv.so.4.0.1
/usr/lib/libavformat-0.4.9-pre1.so
/usr/lib/libavcodec-0.4.9-pre1.so
/usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629
/usr/lib/libSDL-1.2.so.0.7.0
/usr/X11R6/lib/libOSMesa.so.4.0
/usr/lib/libImlib2.so.1.2.0
/usr/lib/libHermes.so.1.0.0
/usr/lib/nvidia/libGLcore.so.1.0.6629
/usr/lib/nvidia/libGL.so.1.0.6629
sed: -e expression #1, char 13: unknown option to `s'
/usr/lib/firefox-0.10.0/plugins/libflashplayer.so
/usr/lib/firefox-0.9.3/plugins/libflashplayer.so
```

So the offending packages are:

nvidia-glx, proprietary, can't be fixed
flash, proprietary, can't be fixed
jai, proprietary (Sun), can't be fixed
Livna: xvidcore, ffmpeg, lame, gsm
Fedora Core: xorg-x11-libs (libOSMesa), SDL, Hermes, imlib2, libdv, compat-libstdc++, Glide3

...and in fact I do get an execmod denial with mplayer due to SDL. What to do about this? Allow execmod in mozilla_t, mplayer_t, and xserver_t? X won't even start on my computer without this because of nvidia. I see the gpg execmod denial has been addressed.
Please add this to X and mozilla too - it's necessary for the nvidia driver and flash (and more?).

Okay, gpg is fixed, X (nvidia) and mozilla (flash) are addressed in the 1.21.3-4 beta that I am looking at. The following libs listed above are still not marked texrel_shlib_t:

```
/usr/lib/libstdc++.so.2.7.2.8
/usr/lib/libpostproc.so.0.0.1
/usr/lib/libmp3lame.so.0.0.0
/usr/lib/libmlib_jai.so
/usr/lib/libgsm.so.1.0.10
/usr/lib/libglide3.so.3.10.0
/usr/lib/libg++.so.2.7.2.8
/usr/lib/libdv.so.4.0.1
/usr/lib/libavformat-0.4.9-pre1.so
/usr/lib/libavcodec-0.4.9-pre1.so
/usr/lib/libSDL-1.2.so.0.7.0
/usr/X11R6/lib/libOSMesa.so.4.0
/usr/lib/libImlib2.so.1.2.0
/usr/lib/libHermes.so.1.0.0
```

Add to list:

```
/usr/lib/gstreamer-0.8/libgstffmpeg.so
/usr/lib/gstreamer-0.8/libgsthermescolorspace.so
/usr/lib/gstreamer-0.8/libgstmms.so
```

Added in policy-1.21.10-1

Which part? I see /usr/lib/gstreamer-0.8/libgstffmpeg.so, but none of the other ones. In particular, libSDL is annoying, because media players (like mplayer) won't start without it.

Make that 1.21.11-2

Still missing those two:

```
/usr/lib/gstreamer-0.8/libgsthermescolorspace.so
/usr/lib/gstreamer-0.8/libgstmms.so
```

Also, you said that Redhat is working to fix those libraries so they don't need text relocations. (Is it you that said that or S. Smalley - I can't remember.) Does that mean this list is temporary only, or have you already looked at those and decided they won't be fixed?

We are looking into fixing some of the ones that we ship. So hopefully we can remove some of these eventually.

Dan

Also, please add /usr/lib/libxvidcore.so.4

Not sure why the script didn't find it originally, but now I get denials for it.

So, in summary:
=================

```
/usr/lib/gstreamer-0.8/libgsthermescolorspace.so
/usr/lib/gstreamer-0.8/libgstmms.so
/usr/lib/libxvidcore.so.4
```

Here's also a mplayer patch:
===========================

--- mplayer_macros.te 2005-02-09 19:19:21.000000000 -0500 +++ mplayer_macros.new 2005-02-09 19:20:11.000000000 -0500
@@ -62,10 +62,9 @@ if (allow_execmod) { allow $1_$2_t zero_device_t:chr_file execmod; +allow $1_$2_t texrel_shlib_t:file execmod; } - - # Access to DVD/CD/V4L allow $1_$2_t device_t:dir r_dir_perms; allow $1_$2_t device_t:lnk_file { getattr read };

Err, that should be: /usr/lib/libxvidcore.so.4.0

And all of this too. Is there no end to them? Found those after running gst-register.

```
/usr/lib/ladspa/analogue_osc_1416.so
/usr/lib/ladspa/bandpass_a_iir_1893.so
/usr/lib/ladspa/bandpass_iir_1892.so
/usr/lib/ladspa/butterworth_1902.so
/usr/lib/ladspa/fm_osc_1415.so
/usr/lib/ladspa/gsm_1215.so
/usr/lib/ladspa/gverb_1216.so
/usr/lib/ladspa/hermes_filter_1200.so
/usr/lib/ladspa/highpass_iir_1890.so
/usr/lib/ladspa/lowpass_iir_1891.so
/usr/lib/ladspa/notch_iir_1894.so
/usr/lib/ladspa/pitch_scale_1193.so
/usr/lib/ladspa/pitch_scale_1194.so
/usr/lib/ladspa/sc1_1425.so
/usr/lib/ladspa/sc2_1426.so
/usr/lib/ladspa/sc3_1427.so
/usr/lib/ladspa/sc4_1882.so
/usr/lib/ladspa/se4_1883.so
```

Apparently those too:

```
/usr/lib/helix/plugins/oggfformat.so
/usr/lib/helix/plugins/theorarend.so
/usr/lib/helix/plugins/vorbisrend.so
/usr/lib/helix/codecs/colorcvt.so
/usr/lib/helix/codecs/cvt1.so
```

Plus everything that's part of xine:

```
/usr/lib/xine/plugins/1.0.0/vidix/*.so
/usr/lib/xine/plugins/1.0.0/post/*.so
/usr/lib/xine/plugins/1.0.0/*.so
```

...
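Review bot: in the mplayer_macros.te hunk, the two deleted blank lines before `# Access to DVD/CD/V4L` are unrelated whitespace churn; dropping them leaves the hunk with only the policy change. The new `allow $1_$2_t texrel_shlib_t:file execmod;` is correctly placed inside `if (allow_execmod)`, beside the existing zero_device_t execmod rule, so the boolean still gates it; since this is a macro, every $1_$2_t domain instantiated from it gains the permission, so a comment naming why (the TEXTREL media libraries such as libSDL listed in this bug) would help the next reader.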
and all the valgrind libs:

```
/usr/lib/valgrind/libpthread.so
/usr/lib/valgrind/libpthread.so.0
/usr/lib/valgrind/vgpreload_addrcheck.so
/usr/lib/valgrind/vgpreload_memcheck.so
/usr/lib/valgrind/vgskin_addrcheck.so
/usr/lib/valgrind/vgskin_cachegrind.so
/usr/lib/valgrind/vgskin_callgrind.so
/usr/lib/valgrind/vgskin_corecheck.so
/usr/lib/valgrind/vgskin_helgrind.so
/usr/lib/valgrind/vgskin_lackey.so
/usr/lib/valgrind/vgskin_massif.so
/usr/lib/valgrind/vgskin_memcheck.so
/usr/lib/valgrind/vgskin_none.so
```

This too: /usr/lib/xmms/Input/libmpg123.so

Ocaml: /usr/lib/ocaml/stublibs/dllnums.so

Some openoffice libs:

```
/usr/lib/ooo-1.1/program/libicudata.so
/usr/lib/ooo-1.1/program/libicudata.so.22
/usr/lib/ooo-1.1/program/libicudata.so.22.0
/usr/lib/ooo-1.1/program/libsts645li.so
/usr/lib/ooo-1.1/program/libvclplug_gen645li.so
/usr/lib/ooo-1.1/program/libwrp645li.so
```

I'm really starting to think I should have included all of /usr/lib/<dir>/*.so in my script to begin with.

One More :)

```
/usr/lib/gstreameri-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t
```

Typo.... s/gstreameri/gstreamer/

I use Nvidia graphics drivers packaged by atrpms, and get execmod problems, and thus have to do:

```
execstack -c /usr/lib/xorg/modules/extensions/nvidia-graphics-1.0-8762/libglx.so.1.0.8762
execstack -c /usr/lib/nvidia-graphics-1.0-8762/tls/libnvidia-tls.so.1.0.8762
execstack -c /usr/lib/nvidia-graphics-1.0-8762/libGLcore.so.1
execstack -c /usr/lib/nvidia-graphics-1.0-8762/libGL.so.1.0.8762
```

Tedious details:

```
# /usr/sbin/sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 20
Policy from config file:        targeted
# rpm -qa selinux\*
selinux-policy-2.3.3-8.fc5
selinux-policy-targeted-2.3.3-8.fc5
```

These files are already marked as texrel_shlib_t; execstack -c would eliminate the execstack problem. These bugs should be reported to nvidia. You might want to attach this link: http://people.redhat.com/~drepper/selinux-mem.html
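An added example, not part of the bug report or of selinux-policy: a Python scanner that tests the same DT_TEXTREL/DF_TEXTREL condition `readelf -d | grep TEXTREL` reports, resolves symlinks with realpath (the step where the sed one-liner above broke on targets containing `/`), and returns each TEXTREL object's current SELinux label so anything not yet labelled texrel_shlib_t stands out. It handles ELF64 little-endian objects only; build_test_elf constructs a minimal image purely to exercise the parser, and the function names are this example's own.

```python
import os
import struct

PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 16, 30, 0x4  # ELF spec values

def elf_has_textrel(data: bytes) -> bool:
    """DT_TEXTREL or DF_TEXTREL present: the condition `readelf -d | grep TEXTREL` tests."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only ELF64 little-endian images are handled")
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_DYNAMIC:
            for pos in range(p_off, p_off + p_filesz, 16):  # walk the Elf64_Dyn array
                d_tag, d_val = struct.unpack_from("<qQ", data, pos)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                    return True
    return False

def selinux_context(path: str):
    """Current label (e.g. system_u:object_r:shlib_t), or None where no SELinux xattr exists."""
    try:
        return os.getxattr(path, "security.selinux").rstrip(b"\0").decode()
    except (OSError, AttributeError):
        return None

def scan_textrel(root: str):
    """Yield (real path, label) for each TEXTREL object under root; symlinks are resolved first."""
    for dirpath, _, names in os.walk(root):
        for name in names:
            real = os.path.realpath(os.path.join(dirpath, name))  # where the sed one-liner broke
            try:
                with open(real, "rb") as fh:
                    textrel = elf_has_textrel(fh.read())
            except (ValueError, struct.error, OSError):
                continue  # not an ELF64 object, truncated, or unreadable
            if textrel:
                yield real, selinux_context(real)

def build_test_elf(dt_textrel=False, df_textrel=False) -> bytes:
    """Constructed minimal ELF64 image (header + one PT_DYNAMIC segment), for testing only."""
    entries = ([(DT_TEXTREL, 0)] if dt_textrel else []) + [(DT_FLAGS, DF_TEXTREL if df_textrel else 0), (DT_NULL, 0)]
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)  # dyn starts at 64+56
    return ehdr + phdr + dyn
```

Run scan_textrel over /usr/lib or the gstreamer, ladspa, xine and valgrind plugin directories listed in the thread and compare the returned labels against the texrel_shlib_t entries in file_contexts.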