Bug 463781
Summary: | SELinux violation from totem-audio-preview wanting an executable stack | ||||||
---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Ben Gamari <bgamari> | ||||
Component: | nautilus | Assignee: | Tomáš Bžatek <tbzatek> | ||||
Status: | CLOSED CANTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
Severity: | medium | Docs Contact: | |||||
Priority: | medium | ||||||
Version: | rawhide | CC: | drepper, dwalsh, mclasen, selinux, tbzatek, tsmetana | ||||
Target Milestone: | --- | ||||||
Target Release: | --- | ||||||
Hardware: | All | ||||||
OS: | Linux | ||||||
Whiteboard: | |||||||
Fixed In Version: | Doc Type: | Bug Fix | |||||
Doc Text: | Story Points: | --- | |||||
Clone Of: | Environment: | ||||||
Last Closed: | 2008-09-30 13:51:53 UTC | Type: | --- | ||||
Regression: | --- | Mount Type: | --- | ||||
Documentation: | --- | CRM: | |||||
Verified Versions: | Category: | --- | |||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
Cloudforms Team: | --- | Target Upstream Version: | |||||
Embargoed: | |||||||
Attachments: |
|
I get the above too when I roll-over an mp3 file. Could it be related to fluendo code? A bit more info: I only get this AVC when I am in "icons view". If I am in "list view" and roll-over an mp3, I get execstack AVCs "against" nautilus: type=AVC msg=audit(1222375638.224:51): avc: denied { execstack } for pid=3630 comm="nautilus" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process type=SYSCALL msg=audit(1222375638.224:51): arch=40000003 syscall=125 success=no exit=-13 a0=bf994000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3556 pid=3630 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus" exe="/usr/bin/nautilus" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(1222375727.520:52): avc: denied { execstack } for pid=3630 comm="nautilus" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process type=SYSCALL msg=audit(1222375727.520:52): arch=40000003 syscall=125 success=no exit=-13 a0=bf994000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3556 pid=3630 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus" exe="/usr/bin/nautilus" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) (In reply to comment #1) > I get the above too when I roll-over an mp3 file. Could it be related to > fluendo code? Most likely it is, he have no executable stack user left in Fedora (AFAIK). I don't use these proprietary stuff. So somebody just run readelf -l BINARY over the Fluendo binaries and observe the GNU_STACK entry. If it shows RWX somewhere you found the culprit. [tbl@tlondon plugins]$ readelf -l libgstflump3dec.so Elf file type is DYN (Shared object file) Entry point 0xb8e0 There are 5 program headers, starting at offset 52 Program Headers: Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align LOAD 0x000000 0x00000000 0x00000000 0xed40c 0xed40c R E 0x1000 LOAD 0x0ed40c 0x000ee40c 0x000ee40c 0x244b4 0x24798 RW 0x1000 DYNAMIC 0x0ed790 0x000ee790 0x000ee790 0x00120 0x00120 RW 0x4 GNU_EH_FRAME 0x0ec5e4 0x000ec5e4 0x000ec5e4 0x002d4 0x002d4 R 0x4 GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4 Section to Segment mapping: Segment Sections... 00 .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame 01 .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .debug$s .data1 .bss 02 .dynamic 03 .eh_frame_hdr 04 [tbl@tlondon plugins]$ So is nautilus "running" this different ways depending on the view? (In reply to comment #3) > [tbl@tlondon plugins]$ readelf -l libgstflump3dec.so > [...] > GNU_STACK 0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4 Two things: - somehow cause the idiots writing that code some pain - use execstack -c libgstflump3dec.so and see whether anything fails. If yes, it can be reverted using execstack -s libgstflump3dec.so > So is nautilus "running" this different ways depending on the view? I have no idea how these programs interact. My guess is that this gstreamer plugin is loaded by Nautilus using dlopen(). This would require the stack to be made executable. Cool. Running "execstack -c libgstflump3dec.so" seems not to break totem, rhythmbox or nautilus (roll-over mode). I now get music playing in nautilus window while running in enforcing mode. But...., looks like /usr/bin/totem* is labelled execmem_exec_t:s0. Daniel.... did this change in the last policy? I'm running: [root@tlondon ~]# rpm -qa selinux\* selinux-policy-3.5.9-1.fc10.noarch selinux-policy-targeted-3.5.9-1.fc10.noarch [root@tlondon ~]# I did a "chcon -t bin_t /usr/bin/totem*" and it appears to still "work".... So this means the tool chain is marking this as needing execstack when it doesn't really need it? Don't see any AVCs with cleared flag..... Looks like reverting /usr/bin/rhythmbox to bin_t works too..... > So this means the tool chain is marking this as needing execstack when it
> doesn't really need it?
Tell that to the idiots writing that code...
A fluendo bug has been filed here, https://core.fluendo.com/gstreamer/trac/ticket/158. Just for completness: upstream claims this is fixed: #158: libgstflump3dec.so requires unnecessary executable stack --------------------------------+------------------------------------------- Reporter: bgamari | Owner: salvarez Type: defect | Status: closed Priority: high | Milestone: Component: gst-fluendo-mp3dec | Version: Severity: normal | Resolution: fixed Keywords: | --------------------------------+------------------------------------------- Changes (by jep): * status: new => closed * resolution: => fixed |
Created attachment 317610 [details] SELinux alert Description of problem: When using roll-over audio preview in nautilus rawhide, SELinux complains that totem-audio-preview wants an executable stack.