Bug 298741
| Summary: | non-working with SELinux enabled | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Jeremy Katz <katzj> |
| Component: | codeina | Assignee: | Bastien Nocera <bnocera> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | rawhide | CC: | bnocera, drepper, dwalsh, thomas |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-10-11 14:16:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 235703 | | |
Description
Jeremy Katz
2007-09-20 18:08:44 UTC
Already reported upstream: https://core.fluendo.com/gstreamer/trac/ticket/24 If this isn't fixed by then, we'll probably have to pull out codeina from the default install.

There's a hack in codeina to avoid this problem though:

```python
import os

# codeina's work-around as pasted in the bug: relabel the i386 mp3 plug-in so
# that SELinux permits its text relocations. `which`, `log`, `basename`, `name`
# and `plugin_tmp_path` are defined by the surrounding codeina code.
if which.which('chcon') and 'i386' in basename and 'mp3' in name:
    log.debug('install', "modifying mp3 plug-in's secontext")
    status = os.system('chcon --type=textrel_shlib_t %s' %
                       plugin_tmp_path)
    if status:
        log.warning('install',
                    'Failed to change secontext, status %r' %
                    status)
```

Could you try and reproduce and let me know whether there's any output in the logs?
They get labeled as textrel_shlib_t, but that doesn't allow execmem. And iirc, some of the non-mp3 ones required execmem or execstack also.

avc: denied { execstack } for comm=gst-inspect-0.1 egid=500 euid=500
exe=/usr/bin/gst-inspect-0.10 exit=0 fsgid=500 fsuid=500 gid=500 items=0
pid=3631 scontext=system_u:system_r:unconfined_t:s0 sgid=500
subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500
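The denial pasted above is the kind of record a defender has to read before choosing between the remedies discussed later in this thread (relabelling the library, labelling the executable, or flipping a boolean). The following is an added example, not code from codeina or from this bug: it parses AVC records and sorts them by whether a file label on the plug-in can fix the denial (execmod on a file) or whether the permission is checked against the process (execmem/execstack, tclass=process). The sample lines are constructed; the first is modelled on the denial above, the execmod line and the SYSCALL record are invented to exercise the other branches.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample audit lines (not taken from a real system): the first is
# modelled on the execstack denial in the bug, the others are invented.
SAMPLE_AUDIT_LINES = [
    "avc: denied { execstack } for comm=gst-inspect-0.1 egid=500 euid=500 "
    "exe=/usr/bin/gst-inspect-0.10 exit=0 fsgid=500 fsuid=500 gid=500 items=0 "
    "pid=3631 scontext=system_u:system_r:unconfined_t:s0 sgid=500 "
    "subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process "
    "tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500",
    "avc: denied { execmod } for comm=totem "
    "path=/home/user/.gstreamer-0.10/plugins/libgstflump3dec.so dev=sda1 ino=4242 "
    "scontext=system_u:system_r:unconfined_t:s0 "
    "tcontext=system_u:object_r:user_home_t:s0 tclass=file",
    "type=SYSCALL msg=audit(1190311000.123:45): arch=40000003 syscall=192 success=no",
]

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)"
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context: str) -> str:
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Parse one AVC record into a dict; return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    record: Dict[str, object] = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    record["result"] = m.group("result")
    record["perms"] = m.group("perms").split()
    return record


def triage(avc: Dict[str, object]) -> Tuple[str, str]:
    """Map a denial to the remedy class the bug thread discusses for it."""
    perms = set(avc["perms"])
    tclass = avc.get("tclass")
    if avc["result"] != "denied":
        return ("info", "access was granted; nothing to do")
    if "execmod" in perms and tclass == "file":
        # Text relocations: the library itself is the object being checked,
        # so a textrel_shlib_t label on the .so is the documented fix.
        path = avc.get("path", "<unknown>")
        return (
            "relabel-library",
            f"{path} (type {selinux_type(avc['tcontext'])}) needs text relocations: "
            f"label it textrel_shlib_t (chcon, then semanage fcontext so it survives a relabel)",
        )
    if perms & {"execmem", "execstack"} and tclass == "process":
        # These are checked against the process domain; no label on the
        # plug-in file can grant them.
        return (
            "process-domain",
            f"{avc.get('exe', avc.get('comm'))} in {selinux_type(avc['scontext'])} was denied "
            f"{'/'.join(sorted(perms))}: a file label cannot grant this; fix the object, "
            f"label the executable unconfined_execmem_exec_t, or change the boolean",
        )
    return ("other", f"unhandled denial: {' '.join(sorted(perms))} on {tclass}")


def triage_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Run parse_avc and triage over a log, skipping non-AVC records."""
    results = []
    for line in lines:
        avc = parse_avc(line)
        if avc is not None:
            results.append(triage(avc))
    return results


if __name__ == "__main__":
    for category, advice in triage_log(SAMPLE_AUDIT_LINES):
        print(f"[{category}] {advice}")
```

Feed it `ausearch -m avc` output or lines from /var/log/audit/audit.log; the category tells you immediately whether a chcon on the plug-in can help or whether the object needs fixing, which is the distinction this bug turns on.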
The error message I get is:

Summary

SELinux is preventing /usr/bin/gst-inspect-0.10 from loading /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so which requires text relocation.

Detailed Description

The /usr/bin/gst-inspect-0.10 application attempted to load /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. You can configure SELinux temporarily to allow /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so to use relocation as a workaround, until the library is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access

If you trust /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so"

The following command will allow this access:

chcon -t textrel_shlib_t /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so

So textrel_shlib_t is right.
Dan, which commands should Thomas use to regenerate/extract the tarballs so that they contain the SELinux context?

There are three ways to fix this problem. The most desirable is to fix the codec to not require execmem/execstack.

http://people.redhat.com/~drepper/selinux-mem.html

This is something we want in order to improve the security of the system.

A second alternative is to hunt down all the apps that will use this codec and set them up unconfined_execmem_exec_t

semanage fcontext -a -t unconfined_execmem_exec_t PATHTOEXEC
restorecon PATHTOEXE

This would make any app that is labeled this way no longer protected from execmem/execstack attack.

Third, you can turn off the execmem/execstack for the unconfined_t domain

setsebool -P allow_execmem 0

This would make most apps run by a user no longer protected by execmem/execstack checks.

(In reply to comment #7)
> There are three ways to fix this problem. The most desirable is to fix the
> codec to not require execmem/execstack.
>
> http://people.redhat.com/~drepper/selinux-mem.html
>
> This is something we want in order to improve the security of the system.

Unfortunately, that's waiting on Intel to fix their proprietary library.

> A second alternative is to hunt down all the apps that will use this codec and
> set them up unconfined_execmem_exec_t
>
> semanage fcontext -a -t unconfined_execmem_exec_t PATHTOEXEC
> restorecon PATHTOEXE
>
> This would make any app that is labeled this way no longer protected from
> execmem/execstack attack.

That's not possible. It's a plugin that could be used by any GStreamer application, so we can't hunt down apps that would require it.

> Third, you can turn off the execmem/execstack for the unconfined_t domain
>
> setsebool -P allow_execmem 0
>
> This would make most apps run by a user no longer protected by
> execmem/execstack checks.

That's also not a good idea, as it would need to be done manually by users.
Any way to save/restore SELinux attributes on files inside a tarball then, as I asked first?

SELinux can mark a library as requiring execmod but not execmem/execstack. It needs to mark the executable. So if we can not mark a particular executable, we need to push back on codeina to fix the library or build it with gcc.

Jeremy, I can't reproduce this bug anymore (just like I couldn't in the first place, given the work-around was already there). Let me know how to reproduce, including which SELinux policy you're using.

Check the output of 'getsebool -a' and look at the allow_execmem and allow_execstack booleans. If they're on, then you've made it so that they're allowed and the codec will work. But if the booleans are off, then the access will be denied.

I just did a setsebool allow_execmem 0; setsebool allow_execstack 0 and totem still played my test mp3

It works for me as well.

Jeremy, please attach the output of "ls -lZ ~/.gstreamer-0.10/plugins" and the avc error you get when reproducing the problem.

Works with rawhide live image of today.
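The thread hinges on a distinction Dan spells out: a library can be labelled so that its text relocations (execmod) are allowed, but an executable stack or executable anonymous memory is a property of the process, not of the .so. Before deciding which of the three fixes applies, a packager wants to know which of those two properties a given plug-in actually has. The following added example, which is not part of the bug or of codeina, reads the two relevant ELF facts directly: the PT_GNU_STACK program header (executable stack requested) and DT_TEXTREL / DF_TEXTREL in the dynamic section (text relocations required). It handles little-endian ELF64 only, and ships a synthetic ELF builder, an assumption made so the example runs without a real plug-in; on a real system call inspect_path on the plug-in file.

```python
import struct
from typing import Dict, List, Optional

# ELF constants used below (values from the ELF and GNU ABI specifications).
EHDR_FMT, EHDR_SIZE = "<16sHHIQQQIHHHHHH", 64   # Elf64_Ehdr, little-endian
PHDR_FMT, PHDR_SIZE = "<IIQQQQQQ", 56           # Elf64_Phdr
DYN_FMT, DYN_SIZE = "<qQ", 16                   # Elf64_Dyn
ET_DYN, EM_X86_64 = 3, 62
PT_DYNAMIC, PT_GNU_STACK = 2, 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 16, 30, 0x4


def inspect_elf(data: bytes) -> Dict[str, Optional[bool]]:
    """Report whether an ELF64 LE object requests an executable stack
    (PT_GNU_STACK with PF_X) and/or text relocations (DT_TEXTREL, or
    DT_FLAGS with DF_TEXTREL)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles little-endian ELF64 only")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    exec_stack: Optional[bool] = None   # None: no PT_GNU_STACK header present
    textrel = False
    for i in range(phnum):
        p_type, p_flags, p_offset, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            exec_stack = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, DYN_SIZE):
                d_tag, d_val = struct.unpack_from(DYN_FMT, data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                    textrel = True
    return {"exec_stack": exec_stack, "textrel": textrel}


def inspect_path(path: str) -> Dict[str, Optional[bool]]:
    with open(path, "rb") as fh:
        return inspect_elf(fh.read())


def advise(info: Dict[str, Optional[bool]]) -> List[str]:
    """Translate the findings into the labelling consequences from the bug."""
    notes = []
    if info["textrel"]:
        notes.append("textrel: the library will need execmod; a textrel_shlib_t "
                     "label on the .so covers this")
    # glibc treats a missing PT_GNU_STACK like an executable-stack request.
    if info["exec_stack"] is None or info["exec_stack"]:
        notes.append("execstack: checked against the process, so labelling the .so "
                     "does not help; fix the object or allow it for the executable")
    if not notes:
        notes.append("clean: no text relocations, non-executable stack")
    return notes


def build_synthetic_elf(exec_stack: bool, textrel: bool) -> bytes:
    """Constructed minimal ET_DYN image: header, PT_GNU_STACK, PT_DYNAMIC,
    dynamic table. Not loadable; it exists only to exercise inspect_elf."""
    dyn = b""
    if textrel:
        dyn += struct.pack(DYN_FMT, DT_TEXTREL, 0)
    dyn += struct.pack(DYN_FMT, DT_NULL, 0)
    dyn_off = EHDR_SIZE + 2 * PHDR_SIZE
    stack_flags = PF_R | PF_W | (PF_X if exec_stack else 0)
    phdrs = struct.pack(PHDR_FMT, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    phdrs += struct.pack(PHDR_FMT, PT_DYNAMIC, PF_R | PF_W,
                         dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = struct.pack(EHDR_FMT, ident, ET_DYN, EM_X86_64, 1, 0, EHDR_SIZE, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, 2, 0, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    for es, tr in ((False, False), (False, True), (True, True)):
        print(es, tr, advise(inspect_elf(build_synthetic_elf(es, tr))))
```

The output for a real plug-in maps onto the thread directly: a textrel-only result is what the codeina chcon hack addresses, while an executable-stack result is the case Dan says no file label can fix.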