Bug 298741

Summary: non-working with SELinux enabled
Product: [Fedora] Fedora
Component: codeina
Reporter: Jeremy Katz <katzj>
Assignee: Bastien Nocera <bnocera>
Status: CLOSED RAWHIDE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: bnocera, drepper.fsp, dwalsh, thomas
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-10-11 10:16:55 EDT
Bug Blocks: 235703

Description Jeremy Katz 2007-09-20 14:08:44 EDT
The mp3 plugin, at least, requires execmem and so when it's untarred, it doesn't
have a reasonable context and thus SELinux denies it.  Which makes things not work.
Comment 1 Bastien Nocera 2007-09-25 09:07:59 EDT
Already reported upstream:
https://core.fluendo.com/gstreamer/trac/ticket/24

If this isn't fixed by then, we'll probably have to pull out codeina from the
default install.
Comment 2 Bastien Nocera 2007-09-25 12:00:22 EDT
There's a hack in codeina to avoid this problem though:

            if which.which('chcon') and 'i386' in basename and 'mp3' in name:
                log.debug('install', "modifying mp3 plug-in's secontext")
                status = os.system('chcon --type=textrel_shlib_t %s' %
                    plugin_tmp_path)
                if status:
                    log.warning('install',
                        'Failed to change secontext, status %r' %
                            status)

Could you try and reproduce and let me know whether there's any output in the logs?
Comment 3 Jeremy Katz 2007-09-25 12:05:47 EDT
They get labeled as textrel_shlib_t, but that doesn't allow execmem.  And iirc,
some of the non-mp3 ones required execmem or execstack also.
Comment 4 Jeremy Katz 2007-09-25 12:06:39 EDT
avc: denied { execstack } for comm=gst-inspect-0.1 egid=500 euid=500
exe=/usr/bin/gst-inspect-0.10 exit=0 fsgid=500 fsuid=500 gid=500 items=0
pid=3631 scontext=system_u:system_r:unconfined_t:s0 sgid=500
subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500 
Comment 5 Bastien Nocera 2007-09-27 09:53:53 EDT
The error message I get is:
Summary
    SELinux is preventing /usr/bin/gst-inspect-0.10 from loading
    /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so which requires text
    relocation.

Detailed Description
    The /usr/bin/gst-inspect-0.10 application attempted to load
    /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so which requires text
    relocation.  This is a potential security problem. Most libraries do not
    need this permission. Libraries are sometimes coded incorrectly and request
    this permission.  The http://people.redhat.com/drepper/selinux-mem.html web
    page explains how to remove this requirement.  You can configure SELinux
    temporarily to allow /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so
    to use relocation as a workaround, until the library is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so to run
    correctly, you can change the file context to textrel_shlib_t. "chcon -t
    textrel_shlib_t /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so" You
    must also change the default file context files on the system in order to
    preserve them even on a full relabel.  "semanage fcontext -a -t
    textrel_shlib_t /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so"

    The following command will allow this access:
    chcon -t textrel_shlib_t /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so

So textrel_shlib_t is right.
Comment 6 Bastien Nocera 2007-09-27 10:07:55 EDT
Dan, which commands should Thomas use to regenerate/extract the tarballs so that
they contain the SELinux context?
Comment 7 Daniel Walsh 2007-09-27 14:40:07 EDT
There are three ways to fix this problem.  The most desirable is to fix the
codec to not require execmem/execstack.  

http://people.redhat.com/~drepper/selinux-mem.html

This is something we want in order to improve the security of the system.

A second alternative is to hunt down all the apps that will use this codec and
set them up unconfined_execmem_exec_t  

semanage fcontext -a -t unconfined_execmem_exec_t PATHTOEXEC
restorecon PATHTOEXEC

This would make any app that is labeled this way, no longer protected from
execmem/execstack attack

Third you can turn off the execmem/execstack for the unconfined_t domain

setsebool -P allow_execmem 0

This would make most apps run by a user, no longer protected by
execmem/execstack checks.
Comment 8 Bastien Nocera 2007-09-30 19:36:57 EDT
(In reply to comment #7)
> There are three ways to fix this problem.  The most desirable is to fix the
> codec to not require execmem/execstack.  
> 
> http://people.redhat.com/~drepper/selinux-mem.html
> 
> This is something we want in order to improve the security of the system.

Unfortunately, that's waiting on Intel to fix their proprietary library.

> A second alternative is to hunt down all the apps that will use this codec and
> set them up unconfined_execmem_exec_t  
> 
> semanage fcontext -a -t unconfined_execmem_exec_t PATHTOEXEC
> restorecon PATHTOEXEC
> 
> This would make any app that is labeled this way, no longer protected from
> execmem/execstack attack

That's not possible. It's a plugin that could be used by any GStreamer
application, so we can't hunt down apps that would require it.

> Third you can turn off the execmem/execstack for the unconfined_t domain
> 
> setsebool -P allow_execmem 0
> 
> This would make most apps run by a user, no longer protected by
> execmem/execstack checks.

That's also not a good idea, as it would need to be done manually by users.

Any way to save/restore SELinux attributes on files inside a tarball then, as I
asked first?
Comment 9 Daniel Walsh 2007-10-01 16:34:31 EDT
SELinux can mark a library as requiring execmod but not execmem/execstack.  It
needs to mark the executable.  So if we can not mark a particular executable, we
need to push back on codeina to fix the library or build it with gcc.
Comment 10 Bastien Nocera 2007-10-09 09:56:52 EDT
Jeremy, I can't reproduce this bug anymore (just like I couldn't in the first
place, given the work-around was already there).

Let me know how to reproduce, including which SELinux policy you're using.
Comment 11 Jeremy Katz 2007-10-09 10:35:57 EDT
Check the output of 'getsebool -a' and look at the allow_execmem and
allow_execstack booleans.  If they're on, then you've made it so that they're
allowed and the codec will work.  But if the booleans are off, then the access
will be denied.
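
Added example, not part of the original thread and not codeina or SELinux project code: a small triage script for the kind of AVC record shown in comment 4, separating the file-level execmod denial (which a textrel_shlib_t label addresses) from the process-level execmem/execstack denials (which the allow_execmem and allow_execstack booleans control). The function names parse_avc and triage are hypothetical, and the execmod record is a constructed sample.

```python
import re

# Remedies as described in this bug's comments.
FILE_LABEL_FIX = "relabel the library, e.g. chcon -t textrel_shlib_t <file>"
BOOLEAN_FIX = "process-level: controlled by the {} boolean, not by a file label"
BOOLEANS = {"execmem": "allow_execmem", "execstack": "allow_execstack"}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)", re.S)

def parse_avc(record):
    """Parse one 'avc: denied' record (key=value style) into a dict."""
    m = AVC_RE.search(record)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    fields["perms"] = m.group("perms").split()
    return fields

def triage(record):
    """Return (permission, remedy) pairs for the memory-protection denials."""
    denial = parse_avc(record)
    if denial is None:
        return []
    tclass = denial.get("tclass")
    out = []
    for perm in denial["perms"]:
        if perm == "execmod" and tclass == "file":
            out.append((perm, FILE_LABEL_FIX))
        elif perm in BOOLEANS and tclass == "process":
            out.append((perm, BOOLEAN_FIX.format(BOOLEANS[perm])))
    return out

# Record from comment 4 of this bug, joined onto one line.
EXECSTACK = ("avc: denied { execstack } for comm=gst-inspect-0.1 egid=500 euid=500 "
             "exe=/usr/bin/gst-inspect-0.10 exit=0 fsgid=500 fsuid=500 gid=500 items=0 "
             "pid=3631 scontext=system_u:system_r:unconfined_t:s0 sgid=500 "
             "subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process "
             "tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500")
# Constructed sample (not from the bug): a text-relocation denial on the plugin file.
EXECMOD = ("avc: denied { execmod } for comm=gst-inspect-0.1 "
           "path=/home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so "
           "scontext=system_u:system_r:unconfined_t:s0 tclass=file "
           "tcontext=system_u:object_r:user_home_t:s0")

if __name__ == "__main__":
    for rec in (EXECSTACK, EXECMOD):
        for perm, remedy in triage(rec):
            print(f"{perm}: {remedy}")
```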
Comment 12 Matthias Clasen 2007-10-10 10:21:29 EDT
I just did a setsebool allow_execmem 0; setsebool allow_execstack 0 and totem
still played my test mp3.
Comment 13 Bastien Nocera 2007-10-11 06:15:36 EDT
It works for me as well. Jeremy, please attach the output of "ls -lZ
~/.gstreamer-0.10/plugins" and the avc error you get when reproducing the problem.
Comment 14 Jeremy Katz 2007-10-11 10:16:55 EDT
Works with rawhide live image of today.