Bug 145067

Summary: Execmod denials: texrel_shlib_t list
Product: [Fedora] Fedora
Reporter: Ivan Gyurdiev <ivg231>
Component: selinux-policy-strict
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: rawhide
CC: kim-rh
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: i386
OS: Linux
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-15 11:33:18 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Ivan Gyurdiev 2005-01-14 01:32:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
Out of curiosity, what is execmod?

... we have gpg (probably something from yum):

audit(1105666083.045:0): avc:  denied  { execmod } for  pid=5384
comm=gpg path=/usr/bin/gpg dev=dm-0 ino=1031029
tcontext=system_u:object_r:gpg_exec_t tclass=file

...and firefox trying to watch flash:

audit(1105656636.364:0): avc:  denied  { execmod } for  pid=4857
comm=firefox-bin path=/home/phantom/.mozilla/plugins/libflashplayer.so
dev=dm-2 ino=326929 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:user_mozilla_rw_t tclass=file

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Steps to Reproduce:


Additional info:

Comment 1 Ivan Gyurdiev 2005-01-18 23:09:18 UTC
X and nvidia:

audit(1106088181.401:0): avc:  denied  { execmod } for  pid=3119
comm=X path=/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629 dev=dm-0
ino=526001 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:shlib_t tclass=file

(this one in enforcing mode)

Comment 2 Ivan Gyurdiev 2005-01-20 10:32:12 UTC
Here are the libs with text relocations, I think:

[phantom@cobra lib]$ for FILE in `/sbin/ldconfig -p | sed -e s/.*"=> "// | uniq` \
    `ls /usr/lib/firefox*/plugins/*` `ls /usr/lib/mozilla*/plugins/*`; do
    if [ ! -z "`readelf -d "$FILE" 2>/dev/null | grep TEXTREL`" ]; then
        if [ -L "$FILE" ]; then
            echo "$FILE" | sed -e s/`basename "$FILE"`/"`ls -l "$FILE" | sed -e s/.*"-> "//`"/
        else
            echo "$FILE"
        fi
    fi
done | uniq
/usr/lib/libxvidcore.so.4.0
sed: -e expression #1, char 13: unknown option to `s'

So the offending packages are:

nvidia-glx, proprietary, can't be fixed
flash, proprietary, can't be fixed
jai, proprietary (Sun), can't be fixed

Livna: xvidcore, ffmpeg, lame, gsm

Fedora Core: xorg-x11-libs (libOSMesa), SDL, Hermes, imlib2, libdv,
compat-libstdc++, Glide3

...and in fact I do get an execmod denial with mplayer due to SDL.

What to do about this? Allow execmod in mozilla_t, mplayer_t,
and xserver_t? X won't even start on my computer without this
because of nvidia.

Comment 3 Ivan Gyurdiev 2005-01-20 19:03:39 UTC
I see gpg execmod denial has been addressed.
Please add this to X and mozilla too - it's necessary
for nvidia driver and flash (and more?).

Comment 4 Ivan Gyurdiev 2005-01-27 08:19:44 UTC
Okay, gpg is fixed, X (nvidia) and mozilla (flash) are
addressed in the 1.21.3-4 beta that I am looking at.

The following libs listed above are still not marked texrel_shlib_t:


Comment 5 Ivan Gyurdiev 2005-02-01 23:05:34 UTC
Add to list:


Comment 6 Daniel Walsh 2005-02-09 15:53:32 UTC
Added in policy-1.21.10-1

Comment 7 Ivan Gyurdiev 2005-02-09 20:29:13 UTC
Which part? 

I see /usr/lib/gstreamer-0.8/libgstffmpeg.so,
but none of the other ones.

In particular, libSDL is annoying, because media players
(like mplayer) won't start without it.

Comment 8 Daniel Walsh 2005-02-09 20:41:40 UTC
Make that 1.21.11-2

Comment 9 Ivan Gyurdiev 2005-02-09 21:10:36 UTC
Still missing those two:


Also, you said that Red Hat is working to fix those libraries
so they don't need text relocations. (Is it you that said that
or S. Smalley? I can't remember.)

Does that mean this list is temporary only, or have you already
looked at those and decided they won't be fixed?

Comment 10 Daniel Walsh 2005-02-09 21:30:02 UTC
We are looking into fixing some of the ones that we ship.
So hopefully we can remove some of these eventually.


Comment 11 Ivan Gyurdiev 2005-02-10 00:20:35 UTC
Also, please add 

Not sure why script didn't find it originally, but
now I get denials for it.

So, in summary:


Here's also a mplayer path:

--- mplayer_macros.te  2005-02-09 19:19:21.000000000 -0500
+++ mplayer_macros.new   2005-02-09 19:20:11.000000000 -0500
@@ -62,10 +62,9 @@

 if (allow_execmod) {
 allow $1_$2_t zero_device_t:chr_file execmod;
+allow $1_$2_t texrel_shlib_t:file execmod;

 # Access to DVD/CD/V4L
 allow $1_$2_t device_t:dir r_dir_perms;
 allow $1_$2_t device_t:lnk_file { getattr read };
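
Review bot: the hunk header `@@ -62,10 +62,9 @@` says the new side is one line shorter than the old, but the only change visible is the single `+` line, so either a `-` line was dropped when the diff was pasted or the hunk is malformed and `patch` will reject it; regenerate it with `diff -u` and make sure the `}` that closes `if (allow_execmod) {` is still inside the context. Keeping `allow $1_$2_t texrel_shlib_t:file execmod;` under the `allow_execmod` conditional, next to the existing `zero_device_t:chr_file execmod` rule, is the right placement, since it leaves the relaxation controlled by the boolean instead of granting it unconditionally.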

Comment 12 Ivan Gyurdiev 2005-02-10 00:21:41 UTC
Err that should be:


Comment 13 Ivan Gyurdiev 2005-02-10 01:26:25 UTC
And all of this too. Is there no end to them? Found those after
running gst-register. 


Comment 14 Ivan Gyurdiev 2005-02-10 04:31:42 UTC
Apparently those too:


Plus everything that's part of xine:

... and all the valgrind libs:


This too:


Some openoffice libs:

I'm really starting to think I should have included all of
/usr/lib/<dir>/*.so in my script to begin with. 

Comment 15 Ivan Gyurdiev 2005-02-10 17:52:29 UTC
One More :)

/usr/lib/gstreameri-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t

Typo.... s/gstreameri/gstreamer/

Comment 16 Kim Bisgaard 2006-08-15 06:38:52 UTC
I use Nvidia graphics drivers packaged by atrpms, and get execmod problems,
and thus have to do:
execstack -c
execstack -c /usr/lib/nvidia-graphics-1.0-8762/tls/libnvidia-tls.so.1.0.8762
execstack -c /usr/lib/nvidia-graphics-1.0-8762/libGLcore.so.1
execstack -c /usr/lib/nvidia-graphics-1.0-8762/libGL.so.1.0.8762

Tedious details:
# /usr/sbin/sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 20
Policy from config file:        targeted

# rpm -qa selinux\*

Comment 17 Daniel Walsh 2006-08-15 11:33:18 UTC
These files are already marked as textrel_shlib_t, execstack -c would eliminate
the execstack problem.  These bugs should be reported to nvidia.

You might want to attach this link
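
Added example (editor's, not code from the bug report, from Fedora's policy, or from the nvidia/atrpms packages). Ivan's readelf loop in comment 2 and Kim's execstack -c workaround in comment 16 test two different ELF properties, which is why Dan's reply in comment 17 separates them. A library with text relocations (the TEXTREL dynamic tag) forces ld.so to write into its mapped text segment and then mprotect() it executable again, and that mprotect() on a modified private file mapping is what the execmod permission governs. The executable-stack flag lives in the PT_GNU_STACK program header, which execstack -c clears, and is what the separate execstack permission governs. Clearing the stack flag does not remove the relocations, so a TEXTREL library still needs the texrel_shlib_t label (textrel_shlib_t in the later reference-policy naming) or has to be rebuilt as PIC. The loop in comment 2 also has a shell bug: its last sed uses `/` as the s-command delimiter, so it dies with "unknown option to `s'" whenever the `ls -l` link target itself contains a `/`. The script below parses the ELF headers itself (ELF32 and ELF64, either byte order), reports both properties, and resolves symlinks so each library is listed once under its real path. The /usr/lib/*.so* default is an assumed placeholder for whatever directories you want to walk, and make_sample() builds a constructed minimal ELF64 image, not a real library, so the check can be run offline.

```python
#!/usr/bin/env python3
"""Flag the ELF properties behind SELinux execmod / execstack denials.

Added example for bug 145067, not code from the report or the policy.  Reads
ELF32/ELF64 headers directly instead of shelling out to readelf/execstack,
and resolves symlinks so each library is reported once, under its real path.
"""
import struct
import sys
from pathlib import Path

PT_DYNAMIC, PT_GNU_STACK, PF_X = 2, 0x6474E551, 0x1
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 16, 30, 0x4


def _layout(ident):
    """Struct formats and phdr field positions (flags, offset, filesz) per ELF class."""
    if ident[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if ident[5] == 1 else ">"          # EI_DATA: 1 little-endian, 2 big-endian
    if ident[4] == 2:                            # ELFCLASS64 phdr: type flags off vaddr paddr filesz memsz align
        return end + "16sHHIQQQIHHHHHH", end + "IIQQQQQQ", (1, 2, 5), end + "qQ"
    if ident[4] == 1:                            # ELFCLASS32 phdr: type off vaddr paddr filesz memsz flags align
        return end + "16sHHIIIIIHHHHHH", end + "IIIIIIII", (6, 1, 4), end + "iI"
    raise ValueError("unknown ELF class %d" % ident[4])


def analyze(data):
    """Return {'textrel', 'gnu_stack', 'execstack'} for one ELF image.

    textrel: DT_TEXTREL present, or DF_TEXTREL set in DT_FLAGS.  ld.so then has
    to write into the text segment and mprotect() it PROT_EXEC again, which is
    the execmod check on the mapped file.  execstack: PF_X in PT_GNU_STACK, or
    no PT_GNU_STACK at all (the loader then defaults to an executable stack).
    """
    ehdr_fmt, phdr_fmt, (fl, off, sz), dyn_fmt = _layout(data[:16])
    hdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    info = {"textrel": False, "gnu_stack": False, "execstack": True}
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] == PT_GNU_STACK:
            info["gnu_stack"], info["execstack"] = True, bool(ph[fl] & PF_X)
        elif ph[0] == PT_DYNAMIC:
            for pos in range(ph[off], ph[off] + ph[sz], struct.calcsize(dyn_fmt)):
                d_tag, d_val = struct.unpack_from(dyn_fmt, data, pos)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                    info["textrel"] = True
    return info


def scan(paths):
    """Yield (real path, analyze() result) for each readable ELF file, once."""
    seen = set()
    for p in paths:
        real = Path(p).resolve()                 # follow symlink chains like libfoo.so -> libfoo.so.1.2
        if real in seen or not real.is_file():
            continue
        seen.add(real)
        try:
            result = analyze(real.read_bytes())
        except (ValueError, struct.error, OSError):
            continue                              # not ELF, truncated, or unreadable
        yield str(real), result


def make_sample(textrel, execstack, via_flags=True):
    """Constructed minimal little-endian ELF64 ET_DYN image (no code) for testing."""
    dyn = b""
    if textrel:   # either spelling of "has text relocations" that a linker may emit
        dyn += struct.pack("<qQ", DT_FLAGS, DF_TEXTREL) if via_flags else struct.pack("<qQ", DT_TEXTREL, 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehdr_size, phdr_size, phnum = 64, 56, 2
    dyn_off = ehdr_size + phnum * phdr_size
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9     # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, ehdr_size, 0, 0,
                       ehdr_size, phdr_size, phnum, 0, 0, 0)
    dyn_ph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    stack_ph = struct.pack("<IIQQQQQQ", PT_GNU_STACK, 6 | (PF_X if execstack else 0),
                           0, 0, 0, 0, 0, 16)
    return ehdr + dyn_ph + stack_ph + dyn


def main(argv):
    # Assumed default: /usr/lib/*.so*; pass explicit paths (e.g. plugin dirs) to widen it.
    paths = argv[1:] or [str(p) for p in Path("/usr/lib").glob("*.so*")]
    for path, info in scan(paths):
        notes = []
        if info["textrel"]:
            notes.append("TEXTREL (execmod)")
        if info["execstack"]:
            notes.append("executable stack%s (execstack)"
                         % ("" if info["gnu_stack"] else ", no PT_GNU_STACK"))
        if notes:
            print("%s: %s" % (path, ", ".join(notes)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the directories to walk, for example the ldconfig paths plus the browser plugin directories from comment 2: a path printed with TEXTREL is a candidate for the texrel_shlib_t list (or for a PIC rebuild), while a path printed only with "executable stack" is the case execstack -c actually fixes.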