Bug 237473

Summary: Need to handle vlc (videolan) with selinux
Product: [Fedora] Fedora
Reporter: Nicolas Chauvet (kwizart) <kwizart>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: dwalsh
Hardware: All   
OS: Linux   
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 14:14:05 UTC

Description Nicolas Chauvet (kwizart) 2007-04-23 13:00:22 UTC
Description of problem: from
https://www.redhat.com/archives/fedora-selinux-list/2007-April/msg00018.html

Version-Release number of selected component (if applicable): FC-6 and devel on
x86 only (FC-5 not affected)

I would like to solve the SELinux context issue with vlc x86.
It is supposed to serve the same purpose as mplayer does with 32-bit codec
DLLs if they are present on the end-user system.

Can you handle vlc with a selinux-policy?

Comment 1 Daniel Walsh 2007-05-17 16:49:21 UTC
Fixed in selinux-policy-2.6.4-5

Comment 2 Nicolas Chauvet (kwizart) 2007-06-04 20:27:33 UTC
/usr/lib/mozilla/plugins/libvlcplugin.so 
Need the same context to be applied... (/usr/lib64 for x86_64 - livna currently
does not build for ppc64 for now...)
Actually it is supposed to be the case for F-7 and FC-6 (FC-5 also but seems
close to end of life...)

Here is the copy of the full log from:
http://bugzilla.livna.org/show_bug.cgi?id=1518
----
This bug is against the released version of FC7 with SELinux enabled
SELinux blocks libvlcplugin.so from being loaded by firefox with the following
message from setroubleshoot
----
Summary
    SELinux is preventing /usr/lib/firefox-2.0.0.4/firefox-bin from loading
    /usr/lib/mozilla/plugins/libvlcplugin.so which requires text relocation.

Detailed Description
    The /usr/lib/firefox-2.0.0.4/firefox-bin application attempted to load
    /usr/lib/mozilla/plugins/libvlcplugin.so which requires text relocation.
    This is a potential security problem. Most libraries do not need this
    permission. Libraries are sometimes coded incorrectly and request this
    permission.  The http://people.redhat.com/drepper/selinux-mem.html web page
    explains how to remove this requirement.  You can configure SELinux
    temporarily to allow /usr/lib/mozilla/plugins/libvlcplugin.so to use
    relocation as a workaround, until the library is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /usr/lib/mozilla/plugins/libvlcplugin.so to run correctly, you
    can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
    /usr/lib/mozilla/plugins/libvlcplugin.so"

    The following command will allow this access:
    chcon -t textrel_shlib_t /usr/lib/mozilla/plugins/libvlcplugin.so

Additional Information        

Source Context                user_u:system_r:unconfined_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib/mozilla/plugins/libvlcplugin.so [ file ]
Affected RPM Packages         firefox-2.0.0.4-1.fc7 [application]mozilla-
                              vlc-0.8.6b-5.lvn7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execmod
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3194.fc7 #1
                              SMP Wed May 23 22:35:01 EDT 2007 i686 i686
Alert Count                   41
First Seen                    Mon 04 Jun 2007 12:34:42 AM CEST
Last Seen                     Mon 04 Jun 2007 10:04:48 PM CEST
Local ID                      b5cb7544-8520-4b9a-90b0-1ee6b838e6ca
Line Numbers                  

Raw Audit Messages            

avc: denied { execmod } for comm="firefox-bin" dev=dm-0 egid=501 euid=501
exe="/usr/lib/firefox-2.0.0.4/firefox-bin" exit=-13 fsgid=501 fsuid=501 gid=501
items=0 name="libvlcplugin.so" path="/usr/lib/mozilla/plugins/libvlcplugin.so"
pid=9056 scontext=user_u:system_r:unconfined_t:s0 sgid=501
subj=user_u:system_r:unconfined_t:s0 suid=501 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=501
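
The following is an added example, not part of the bug report or of any project named in it: a small triage script that parses raw AVC records and picks out `execmod` denials on files (the text-relocation case reported above), using the audit message from this comment as input. The function names are hypothetical.

```python
import re
import shlex

# Raw audit message copied from the setroubleshoot report above (wrapped lines joined).
SAMPLE_AVC = (
    'avc: denied { execmod } for comm="firefox-bin" dev=dm-0 egid=501 euid=501 '
    'exe="/usr/lib/firefox-2.0.0.4/firefox-bin" exit=-13 fsgid=501 fsuid=501 gid=501 '
    'items=0 name="libvlcplugin.so" path="/usr/lib/mozilla/plugins/libvlcplugin.so" '
    'pid=9056 scontext=user_u:system_r:unconfined_t:s0 sgid=501 '
    'subj=user_u:system_r:unconfined_t:s0 suid=501 tclass=file '
    'tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=501'
)

AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)', re.S)


def parse_avc(line):
    """Split one AVC record into result, permission set and key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {}
    # shlex keeps quoted values such as comm="firefox-bin" whole and strips the quotes.
    for token in shlex.split(m.group(3)):
        key, sep, value = token.partition('=')
        if sep:
            fields[key] = value
    return {'result': m.group(1), 'perms': set(m.group(2).split()), 'fields': fields}


def selinux_type(context):
    """Return the type field of a user:role:type[:level] security context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None


def textrel_denials(lines):
    """Yield (process exe, library path, library type) for execmod denials on files."""
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec['result'] != 'denied' or 'execmod' not in rec['perms']:
            continue
        f = rec['fields']
        if f.get('tclass') == 'file':
            yield f.get('exe'), f.get('path'), selinux_type(f.get('tcontext', ''))
```

A hit whose library type is `lib_t`, as here, means the file carries the default library label rather than `textrel_shlib_t`, which matches the setroubleshoot diagnosis above.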

Comment 3 Daniel Walsh 2007-06-04 20:32:51 UTC
Is there an RPM package that places this file there?  If not and it was copied,
you will have to take care of the labeling

semanage fcontext -a -t textrel_shlib_t /usr/lib/mozilla/plugins/libvlcplugin.so

Will make it permanent on your machine.  Hopefully this bug has been reported to
the developers of libvlcplugin.so to fix the way they build their shared library.



Comment 4 Nicolas Chauvet (kwizart) 2007-06-04 22:51:01 UTC
Yes! This file is from the mozilla-vlc package...

I'm in contact with upstream. I can report it to them, but I will test if it works
recompiled with -fPIC only first...

Thanks for your advice.


Comment 5 Nicolas Chauvet (kwizart) 2007-06-05 09:23:32 UTC
OK, then it was sometimes able to solve this issue, but not in this case:
If recompiled with -fPIC, the error still appears...

I've found this doc:
http://people.redhat.com/drepper/selinux-mem.html

Can I provide other docs to upstream about this issue?


Comment 6 Daniel Walsh 2007-06-05 12:21:31 UTC
Yes,

Comment 7 Daniel Walsh 2007-08-22 14:14:05 UTC
Should be fixed in the current release