Bug 298741
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | non-working with SELinux enabled | | |
| Product: | Fedora | Reporter: | Jeremy Katz <katzj> |
| Component: | codeina | Assignee: | Bastien Nocera <bnocera> |
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | rawhide | CC: | bnocera, drepper, dwalsh, thomas |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2007-10-11 14:16:55 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 235703 | | |
Description (Jeremy Katz, 2007-09-20 18:08:44 UTC)
Already reported upstream: https://core.fluendo.com/gstreamer/trac/ticket/24

If this isn't fixed by then, we'll probably have to pull out codeina from the default install.

There's a hack in codeina to avoid this problem though:

```python
# Fragment of codeina's install code as quoted in this bug. `which`, `log`,
# `basename`, `name` and `plugin_tmp_path` are defined by the surrounding
# codeina module; only `os` is a standard import.
import os

if which.which('chcon') and 'i386' in basename and 'mp3' in name:
    log.debug('install', "modifying mp3 plug-in's secontext")
    # Relabel the downloaded plug-in so SELinux permits its text relocations.
    status = os.system('chcon --type=textrel_shlib_t %s' %
                       plugin_tmp_path)
    if status:
        log.warning('install',
                    'Failed to change secontext, status %r' %
                    status)
```

Could you try and reproduce and let me know whether there's any output in the logs?

They get labeled as textrel_shlib_t, but that doesn't allow execmem. And IIRC, some of the non-mp3 ones required execmem or execstack also.

```
avc: denied { execstack } for comm=gst-inspect-0.1 egid=500 euid=500 exe=/usr/bin/gst-inspect-0.10 exit=0 fsgid=500 fsuid=500 gid=500 items=0 pid=3631 scontext=system_u:system_r:unconfined_t:s0 sgid=500 subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500
```

The error message I get is:

Summary
SELinux is preventing /usr/bin/gst-inspect-0.10 from loading /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so which requires text relocation.

Detailed Description
The /usr/bin/gst-inspect-0.10 application attempted to load /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. You can configure SELinux temporarily to allow /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so to use relocation as a workaround, until the library is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
If you trust /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so"

The following command will allow this access:

```
chcon -t textrel_shlib_t /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so
```

So textrel_shlib_t is right. Dan, which commands should Thomas use to regenerate/extract the tarballs so that they contain the SELinux context?

There are three ways to fix this problem. The most desirable is to fix the codec to not require execmem/execstack.

http://people.redhat.com/~drepper/selinux-mem.html

This is something we want in order to improve the security of the system.

A second alternative is to hunt down all the apps that will use this codec and set them up unconfined_execmem_exec_t:

```
semanage fcontext -a -t unconfined_execmem_exec_t PATHTOEXEC
restorecon PATHTOEXE
```

This would make any app that is labeled this way no longer protected from execmem/execstack attack.

Third, you can turn off the execmem/execstack checks for the unconfined_t domain:

```
setsebool -P allow_execmem 0
```

This would make most apps run by a user no longer protected by execmem/execstack checks.

(In reply to comment #7)
> There are three ways to fix this problem. The most desirable is to fix the
> codec to not require execmem/execstack.
>
> http://people.redhat.com/~drepper/selinux-mem.html
>
> This is something we want in order to improve the security of the system.

Unfortunately, that's waiting on Intel to fix their proprietary library.

> A second alternative is to hunt down all the apps that will use this codec and
> set them up unconfined_execmem_exec_t
>
> semanage fcontext -a -t unconfined_execmem_exec_t PATHTOEXEC
> restorecon PATHTOEXE
>
> This would make any app that is labeled this way, no longer protected from
> execmem/execstack attack

That's not possible. It's a plugin that could be used by any GStreamer application, so we can't hunt down apps that would require it.

> Third you can turn off the execmem/execstack for the unconfined_t domain
>
> setsebool -P allow_execmem 0
>
> This would make most apps run by a user, no longer protected by
> execmem/execstack checks.

That's also not a good idea, as it would need to be done manually by users.

Any way to save/restore SELinux attributes on files inside a tarball then, as I asked first?

SELinux can mark a library as requiring execmod but not execmem/execstack. It needs to mark the executable. So if we cannot mark a particular executable, we need to push back on codeina to fix the library or build it with gcc.

Jeremy, I can't reproduce this bug anymore (just like I couldn't in the first place, given the work-around was already there). Let me know how to reproduce, including which SELinux policy you're using.

Check the output of 'getsebool -a' and look at the allow_execmem and allow_execstack booleans. If they're on, then you've made it so that they're allowed and the codec will work. But if the booleans are off, then the access will be denied.

I just did a setsebool allow_execmem 0; setsebool allow_execstack 0 and totem still played my test mp3.

It works for me as well.

Jeremy, please attach the output of "ls -lZ ~/.gstreamer-0.10/plugins" and the avc error you get when reproducing the problem.

Works with rawhide live image of today.
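As an added example (not code from codeina or from any participant in this bug), a small POSIX shell helper that encodes the distinction the thread turns on: an execmod denial on a file is addressed by labelling the library textrel_shlib_t, while execmem/execstack are checked against the process, so relabelling the plug-in cannot help and the executable (or a boolean) is what has to change. It needs only sed and tr; the execstack line is the one quoted above, the execmod line is constructed.

```sh
#!/bin/sh
# Added triage helper: classify an SELinux AVC denial line and print which
# of the remedies discussed in this bug applies. Not part of codeina.

# avc_field LINE KEY: print the value of KEY=value in LINE (empty if absent).
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# avc_perm LINE: print the permission between the braces, e.g. "execstack".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([a-z_]*\) *}.*/\1/p'
}

# avc_remedy LINE: "library" (execmod on a file: relabel the .so),
# "executable" (execmem/execstack on the process: the .so label is
# irrelevant, the program itself needs the permission) or "other".
avc_remedy() {
    case "$(avc_perm "$1"):$(avc_field "$1" tclass)" in
        execmod:file)                      echo library ;;
        execmem:process|execstack:process) echo executable ;;
        *)                                 echo other ;;
    esac
}

# avc_suggest LINE: the command from this bug that matches the denial.
avc_suggest() {
    case "$(avc_remedy "$1")" in
        library)    echo "chcon -t textrel_shlib_t $(avc_field "$1" path)" ;;
        executable) echo "semanage fcontext -a -t unconfined_execmem_exec_t $(avc_field "$1" exe)" ;;
        *)          echo "no suggestion: not an execmod/execmem/execstack denial" ;;
    esac
}

# The execstack denial quoted in this bug, then a constructed execmod denial.
PAGE_LINE='avc: denied { execstack } for comm=gst-inspect-0.1 egid=500 euid=500 exe=/usr/bin/gst-inspect-0.10 exit=0 fsgid=500 fsuid=500 gid=500 items=0 pid=3631 scontext=system_u:system_r:unconfined_t:s0 sgid=500 subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500'
MOD_LINE='avc: denied { execmod } for comm=totem path=/home/user/.gstreamer-0.10/plugins/libgstflump3dec.so tclass=file'
avc_suggest "$PAGE_LINE"
avc_suggest "$MOD_LINE"
```

On the quoted line it reports the executable case, which is why the chcon in codeina's hack and the setroubleshoot advice both leave this denial in place.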