Bug 463781

Summary: SELinux violation from totem-audio-preview wanting an executable stack
Product: [Fedora] Fedora
Component: nautilus
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED CANTFIX
Severity: medium
Priority: medium
Reporter: Ben Gamari <bgamari>
Assignee: Tomáš Bžatek <tbzatek>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: drepper, dwalsh, mclasen, selinux, tbzatek, tsmetana
Doc Type: Bug Fix
Last Closed: 2008-09-30 13:51:53 UTC
Attachments: SELinux alert (flags: none)

Description Ben Gamari 2008-09-24 17:38:58 UTC
Created attachment 317610: SELinux alert

Description of problem:
When using roll-over audio preview in nautilus rawhide, SELinux complains that totem-audio-preview wants an executable stack.

Comment 1 Tom London 2008-09-26 14:13:41 UTC
I get the above too when I roll-over an mp3 file.  Could it be related to fluendo code?

A bit more info:  I only get this AVC when I am in "icons view".

If I am in "list view" and roll-over an mp3, I get execstack AVCs "against" nautilus:

type=AVC msg=audit(1222375638.224:51): avc:  denied  { execstack } for  pid=3630 comm="nautilus" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1222375638.224:51): arch=40000003 syscall=125 success=no exit=-13 a0=bf994000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3556 pid=3630 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus" exe="/usr/bin/nautilus" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1222375727.520:52): avc:  denied  { execstack } for  pid=3630 comm="nautilus" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1222375727.520:52): arch=40000003 syscall=125 success=no exit=-13 a0=bf994000 a1=1000 a2=1000007 a3=fffff000 items=0 ppid=3556 pid=3630 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="nautilus" exe="/usr/bin/nautilus" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
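
Decoding the SYSCALL records above, as an added example that is not part of the original comment: with arch=40000003 (i386), syscall 125 is mprotect and a2 holds the requested protection bits. The function and table names are hypothetical, and the sample lines are abridged from the first record pair in this comment.

```python
import re

# Abridged from the first AVC/SYSCALL pair in comment 1 (context fields dropped).
SAMPLE = '''\
type=AVC msg=audit(1222375638.224:51): avc:  denied  { execstack } for  pid=3630 comm="nautilus" tclass=process
type=SYSCALL msg=audit(1222375638.224:51): arch=40000003 syscall=125 success=no exit=-13 a0=bf994000 a1=1000 a2=1000007 a3=fffff000 pid=3630 comm="nautilus" exe="/usr/bin/nautilus"
'''

AUDIT_ARCH_I386 = 0x40000003          # EM_386 (3) | __AUDIT_ARCH_LE
I386_SYSCALLS = {125: "mprotect"}     # only the call seen in this report
PROT = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC"),
        (0x01000000, "PROT_GROWSDOWN"), (0x02000000, "PROT_GROWSUP")]

def parse(line):
    """Split one audit record into (event_id, dict of key=value fields)."""
    event = re.search(r"msg=audit\(([\d.]+:\d+)\)", line).group(1)
    fields = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
    return event, {k: v.strip('"') for k, v in fields.items()}

def explain_execstack(log):
    """Pair each execstack AVC with its SYSCALL record and decode the call."""
    avcs, calls = set(), {}
    for line in filter(None, log.splitlines()):
        event, f = parse(line)
        if f["type"] == "AVC" and "{ execstack }" in line:
            avcs.add(event)
        elif f["type"] == "SYSCALL":
            calls[event] = f
    out = []
    for event in sorted(avcs & set(calls)):
        f = calls[event]
        if int(f["arch"], 16) != AUDIT_ARCH_I386:
            continue  # the syscall table above is i386-only
        prot = int(f["a2"], 16)   # audit logs syscall arguments in hex
        out.append({
            "exe": f["exe"],
            "call": I386_SYSCALLS.get(int(f["syscall"]), "unknown"),
            "addr": int(f["a0"], 16), "len": int(f["a1"], 16),
            "prot": [name for bit, name in PROT if prot & bit],
            "exit": int(f["exit"]),   # -13 is -EACCES
        })
    return out
```

For the records in this comment the result is an mprotect of one page at 0xbf994000 requesting read, write and execute with PROT_GROWSDOWN, refused with EACCES.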

Comment 2 Ulrich Drepper 2008-09-29 18:18:37 UTC
(In reply to comment #1)
> I get the above too when I roll-over an mp3 file.  Could it be related to
> fluendo code?

Most likely it is, we have no executable stack user left in Fedora (AFAIK).

I don't use this proprietary stuff.  So somebody just run

  readelf -l BINARY

over the Fluendo binaries and observe the GNU_STACK entry.  If it shows RWX somewhere you found the culprit.

Comment 3 Tom London 2008-09-29 19:37:43 UTC
[tbl@tlondon plugins]$ readelf -l libgstflump3dec.so 

Elf file type is DYN (Shared object file)
Entry point 0xb8e0
There are 5 program headers, starting at offset 52

Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
  LOAD           0x000000 0x00000000 0x00000000 0xed40c 0xed40c R E 0x1000
  LOAD           0x0ed40c 0x000ee40c 0x000ee40c 0x244b4 0x24798 RW  0x1000
  DYNAMIC        0x0ed790 0x000ee790 0x000ee790 0x00120 0x00120 RW  0x4
  GNU_EH_FRAME   0x0ec5e4 0x000ec5e4 0x000ec5e4 0x002d4 0x002d4 R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4

 Section to Segment mapping:
  Segment Sections...
   00     .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame 
   01     .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .debug$s .data1 .bss 
   02     .dynamic 
   03     .eh_frame_hdr 
   04     
[tbl@tlondon plugins]$ 

So is nautilus "running" this different ways depending on the view?

Comment 4 Ulrich Drepper 2008-09-29 20:23:04 UTC
(In reply to comment #3)
> [tbl@tlondon plugins]$ readelf -l libgstflump3dec.so 
> [...]
>   GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4

Two things:

- somehow cause the idiots writing that code some pain

- use

    execstack -c libgstflump3dec.so

  and see whether anything fails.  If yes, it can be reverted using

    execstack -s libgstflump3dec.so


> So is nautilus "running" this different ways depending on the view?

I have no idea how these programs interact.  My guess is that this gstreamer plugin is loaded by Nautilus using dlopen().  This would require the stack to be made executable.
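
The readelf check from comment 2 and the flag change from comment 4 both concern one field, p_flags of the PT_GNU_STACK program header. The following added example (not code from the thread or from the tools named in it) reads and clears that bit directly; all function names are hypothetical, and the ELF image is constructed to mirror the GNU_STACK line shown in comment 3.

```python
import struct

PT_GNU_STACK, PF_X, PF_W, PF_R = 0x6474E551, 1, 2, 4

def _stack_flags_offset(elf):
    """Return the file offset of PT_GNU_STACK's p_flags word, or None."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if elf[5] != 1:
        raise ValueError("only little-endian ELF handled here")
    if elf[4] == 1:    # ELFCLASS32: e_phoff at 28, p_flags at phdr+24
        phoff, = struct.unpack_from("<I", elf, 28)
        phentsize, phnum = struct.unpack_from("<HH", elf, 42)
        flags_at = 24
    else:              # ELFCLASS64: e_phoff at 32, p_flags at phdr+4
        phoff, = struct.unpack_from("<Q", elf, 32)
        phentsize, phnum = struct.unpack_from("<HH", elf, 54)
        flags_at = 4
    for i in range(phnum):
        base = phoff + i * phentsize
        if struct.unpack_from("<I", elf, base)[0] == PT_GNU_STACK:
            return base + flags_at
    return None

def gnu_stack_flags(elf):
    """Flags in readelf's three-column form, e.g. 'RWE'; None if no header."""
    off = _stack_flags_offset(elf)
    if off is None:
        return None   # no marker present in this object
    f, = struct.unpack_from("<I", elf, off)
    bits = ((PF_R, "R"), (PF_W, "W"), (PF_X, "E"))
    return "".join(c if f & b else " " for b, c in bits)

def clear_execstack(elf):
    """Return a copy of the image with PF_X cleared in PT_GNU_STACK."""
    off = _stack_flags_offset(elf)
    if off is None:
        raise ValueError("no PT_GNU_STACK header to edit")
    out = bytearray(elf)
    f, = struct.unpack_from("<I", out, off)
    struct.pack_into("<I", out, off, f & ~PF_X)
    return bytes(out)

def sample_elf32(stack_flags):
    """Constructed ELF32 image: header plus a lone PT_GNU_STACK phdr."""
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", 3, 3, 1,
                       0, 52, 0, 0, 52, 32, 1, 40, 0, 0)
    phdr = struct.pack("<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 4)
    return ehdr + phdr
```

To audit a plugin directory, pass each file's bytes to `gnu_stack_flags` and report any result containing `E`.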

Comment 5 Tom London 2008-09-29 20:44:52 UTC
Cool.  Running "execstack -c libgstflump3dec.so" seems not to break totem, rhythmbox or nautilus (roll-over mode).

I now get music playing in nautilus window while running in enforcing mode.

But...., looks like /usr/bin/totem* is labelled execmem_exec_t:s0.

Daniel.... did this change in the last policy?  I'm running:
[root@tlondon ~]# rpm -qa selinux\*
selinux-policy-3.5.9-1.fc10.noarch
selinux-policy-targeted-3.5.9-1.fc10.noarch
[root@tlondon ~]# 

I did a "chcon -t bin_t /usr/bin/totem*" and it appears to still "work"....

So this means the tool chain is marking this as needing execstack when it doesn't really need it?

Don't see any AVCs with cleared flag.....

Comment 6 Tom London 2008-09-29 20:48:19 UTC
Looks like reverting /usr/bin/rhythmbox to bin_t works too.....

Comment 7 Matthias Clasen 2008-09-29 23:34:56 UTC
> So this means the tool chain is marking this as needing execstack when it
> doesn't really need it?

Tell that to the idiots writing that code...

Comment 8 Ben Gamari 2008-09-30 14:35:29 UTC
A fluendo bug has been filed here, https://core.fluendo.com/gstreamer/trac/ticket/158.

Comment 9 Tom London 2009-08-25 23:01:28 UTC
Just for completeness: upstream claims this is fixed:

#158: libgstflump3dec.so requires unnecessary executable stack
--------------------------------+-------------------------------------------
 Reporter:  bgamari             |        Owner:  salvarez
     Type:  defect              |       Status:  closed
 Priority:  high                |    Milestone:
Component:  gst-fluendo-mp3dec  |      Version:
 Severity:  normal              |   Resolution:  fixed
 Keywords:                      |
--------------------------------+-------------------------------------------
Changes (by jep):

 * status:  new => closed
 * resolution:  => fixed