Bug 520526

Summary: setroubleshoot: SELinux is preventing xine from loading /usr/lib/libavutil.so.49.15.0 which requires text relocation.
Product: [Fedora] Fedora Reporter: Brian Harrington <bharrington>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: rawhideCC: dwalsh, jkubin, mgrepl
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:73198c0416b07b08cc82f5a4cad2018b7b861849e78a831f37f5efedd3f60827
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-01 12:36:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Brian Harrington 2009-08-31 22:43:42 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing xine from loading /usr/lib/libavutil.so.49.15.0 which
requires text relocation.

Detailed Description:

The xine application attempted to load /usr/lib/libavutil.so.49.15.0 which
requires text relocation. This is a potential security problem. Most libraries
do not need this permission. Libraries are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/libavutil.so.49.15.0 to use relocation as a workaround, until the
library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib/libavutil.so.49.15.0 to run correctly, you can change the
file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/libavutil.so.49.15.0'" You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t textrel_shlib_t '/usr/lib/libavutil.so.49.15.0'"

Fix Command:

chcon -t textrel_shlib_t '/usr/lib/libavutil.so.49.15.0'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/libavutil.so.49.15.0 [ file ]
Source                        vlc
Source Path                   /usr/bin/vlc
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           xine-ui-0.99.5-15.fc12
Target RPM Packages           libavutil49-0.5-30.fc10_92
Policy RPM                    selinux-policy-3.6.26-8.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31-0.125.4.2.rc5.git2.fc12.i686 #1 SMP Tue Aug
                              11 21:20:05 EDT 2009 i686 i686
Alert Count                   19
First Seen                    Sun 23 Aug 2009 08:37:20 PM EDT
Last Seen                     Sun 30 Aug 2009 05:22:57 PM EDT
Local ID                      fe5ad7a3-5851-466a-a315-d7ee90d07d36
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1251667377.721:111): avc:  denied  { execmod } for  pid=3938 comm="xine" path="/usr/lib/libavutil.so.49.15.0" dev=dm-4 ino=61638 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1251667377.721:111): arch=40000003 syscall=125 success=no exit=-13 a0=812000 a1=d000 a2=5 a3=bf8c3a00 items=0 ppid=3727 pid=3938 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="xine" exe="/usr/bin/xine" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= unconfined_execmem_t ==============
allow unconfined_execmem_t lib_t:file execmod;

Comment 1 Daniel Walsh 2009-09-01 12:36:17 UTC
Fixed in selinux-policy-3.6.29-2.fc12.noarch