Bug 520226

Summary: Quake Live causes issues for selinux
Product: [Fedora] Fedora
Reporter: Jonathan Pritchard <jonathanr.pritchard+bugzilla>
Component: selinux-policy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CANTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 11
CC: dwalsh, jkubin, mgrepl
Hardware: All   
OS: Linux   
URL: http://http://www.quakelive.com/
Last Closed: 2009-08-31 13:05:19 UTC

Description Jonathan Pritchard 2009-08-29 10:00:55 UTC
Description of problem:

Recently Quake Live, which is a browser-based, free and online version of Quake 3, was updated with Linux support.

I tried it out with Firefox and it causes setroubleshooter to throw many hundreds of the same issue at me.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-80.fc11.noarch
selinux-policy-3.6.12-80.fc11.noarch


How reproducible:
Every time; just log in to quakelive.com and it'll occur every time.


Steps to Reproduce:
1. Go to quakelive.com
2. Install the game launcher in Firefox (happens automatically, just confirm)
3. Revisit quakelive.com and attempt to play.

Full error message from setroubleshoot as follows (currently tallied at 529 occurrences):


Summary:

SELinux is preventing firefox from loading
/home/Jon/.quakelive/quakelive/home/pb/pbcl.so which requires text relocation.

Detailed Description:

The firefox application attempted to load
/home/Jon/.quakelive/quakelive/home/pb/pbcl.so which requires text relocation.
This is a potential security problem. Most libraries do not need this
permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/home/Jon/.quakelive/quakelive/home/pb/pbcl.so to use relocation as a
workaround, until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /home/Jon/.quakelive/quakelive/home/pb/pbcl.so to run correctly,
you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/home/Jon/.quakelive/quakelive/home/pb/pbcl.so'" You must also change the
default file context files on the system in order to preserve them even on a
full relabel. "semanage fcontext -a -t textrel_shlib_t
'/home/Jon/.quakelive/quakelive/home/pb/pbcl.so'"

Fix Command:

chcon -t textrel_shlib_t '/home/Jon/.quakelive/quakelive/home/pb/pbcl.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                /home/Jon/.quakelive/quakelive/home/pb/pbcl.so [
                              file ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.5.2/firefox
Port                          <Unknown>
Host                          Jon-Laptop
Source RPM Packages           firefox-3.5.2-2.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-78.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     Jon-Laptop
Platform                      Linux Jon-Laptop 2.6.29.6-217.2.8.fc11.i686.PAE #1
                              SMP Sat Aug 15 01:07:59 EDT 2009 i686 i686
Alert Count                   529
First Seen                    Mon 24 Aug 2009 22:25:07 BST
Last Seen                     Mon 24 Aug 2009 22:25:33 BST
Local ID                      479ab8d7-3eef-42b2-a6a8-fc8b84c7dd9d
Line Numbers                  

Raw Audit Messages            

node=Jon-Laptop type=AVC msg=audit(1251149133.74:30653): avc:  denied  { execmod } for  pid=6630 comm="firefox" path="/home/Jon/.quakelive/quakelive/home/pb/pbcl.so" dev=sda6 ino=131475 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file

node=Jon-Laptop type=SYSCALL msg=audit(1251149133.74:30653): arch=40000003 syscall=125 success=no exit=-13 a0=3bb4000 a1=d0000 a2=5 a3=17c3ab0 items=0 ppid=5950 pid=6630 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5.2/firefox" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2009-08-31 13:05:19 UTC
This indicates a bug in the way quakelive's library was built. You can tell SELinux to ignore this by executing the command in the setroubleshoot message.

Please report this as a bug to quakelive, to build their library correctly.

Include this link to help them understand what is going on.

http://people.redhat.com/~drepper/selinux-mem.html

It also looks like your homedir might be mislabeled.  Run

restorecon -R -v /home/Jon
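
An added example, not part of the bug report or of any Fedora tool: a shell function that tallies execmod denials like the one above from raw audit records, so a flood such as the 529 alerts collapses to one line per library. The function name, the output layout and the check-label note are assumptions of this example; treating a regular file typed user_home_dir_t as mislabeled is also an assumption, based on that type normally belonging to the home directory itself.

```shell
#!/bin/sh
# Added example (not from the bug report): summarise execmod AVC denials.

# AVC record copied verbatim from the report above.
PAGE_AVC='node=Jon-Laptop type=AVC msg=audit(1251149133.74:30653): avc:  denied  { execmod } for  pid=6630 comm="firefox" path="/home/Jon/.quakelive/quakelive/home/pb/pbcl.so" dev=sda6 ino=131475 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file'
# Constructed record: a different permission, so it must be ignored.
OTHER_AVC='type=AVC msg=audit(1251149200.10:30700): avc:  denied  { read } for  pid=7000 comm="example" path="/tmp/example.txt" dev=sda6 ino=1 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file'

# Reads audit records on stdin; prints one tab-separated line per distinct
# (comm, path, target type): count, comm, path, type, note.
summarize_execmod() {
    awk '
    # Value of key=value in an audit record, quotes stripped. Audit hex-encodes
    # values containing spaces, so splitting on spaces is safe here.
    function field(rec, key,    n, i, parts, v) {
        n = split(rec, parts, " ")
        for (i = 1; i <= n; i++)
            if (index(parts[i], key "=") == 1) {
                v = substr(parts[i], length(key) + 2)
                gsub(/"/, "", v)
                return v
            }
        return ""
    }
    # Match execmod anywhere inside the braces of a denied AVC record.
    /type=AVC/ && /denied/ && /[{][^}]* execmod [^}]*[}]/ {
        split(field($0, "tcontext"), ctx, ":")   # user:role:type:level
        k = field($0, "comm") "\t" field($0, "path") "\t" ctx[3]
        count[k]++
        # Assumption: a regular file typed user_home_dir_t (the type of the
        # home directory itself) is mislabeled and worth a restorecon.
        if (field($0, "tclass") == "file" && ctx[3] == "user_home_dir_t")
            note[k] = "check-label"
        else
            note[k] = "-"
    }
    END { for (k in count) print count[k] "\t" k "\t" note[k] }
    ' | sort
}

# Demo: the page record twice plus the unrelated constructed record.
printf '%s\n%s\n%s\n' "$PAGE_AVC" "$OTHER_AVC" "$PAGE_AVC" | summarize_execmod
```

On a live system the same function can be fed the audit log on stdin instead of the embedded records.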