Bug 560573
| Summary: | SPICE: RHEL54/55-i386 Client Cannot open spice session SELinux prevent loading shared libraries: /usr/lib/libqavcodec.so.51. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 5 | Reporter: | Omri Hochman <ohochman> |
| Component: | qffmpeg | Assignee: | Monty <cmontgom> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Desktop QE <desktop-qa-list> |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | 5.5 | CC: | atodorov, bgollahe, ddumas, jturner, kem, lmiksik, Rhev-m-bugs, rluxenbe, uril, ykaul |
| Target Milestone: | rc | Keywords: | ZStream |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | VDI | | |
| Fixed In Version: | qffmpeg-0.4.9-0.16.20080908.el5_5 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 618288 (view as bug list) | Environment: | |
| Last Closed: | 2013-05-08 14:46:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 545860, 545928, 576564, 618288, 847650, 854013, 862822, 864489, 866391, 869122, 871540, 877308 | | |
| Attachments: | | | |

Description
Omri Hochman
2010-02-01 08:25:04 UTC
Note that for x86_64 there is no such problem.

audit.log:

type=AVC msg=audit(1265015895.882:12): avc: denied { execmod } for pid=3443 comm="spicec" path="/usr/lib/libqavcodec.so.51.71.0" dev=dm-3 ino=1780003 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

type=SYSCALL msg=audit(1265015895.882:12): arch=40000003 syscall=125 success=no exit=-13 a0=3e1000 a1=78000 a2=5 a3=bfc27620 items=0 ppid=3411 pid=3443 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="spicec" exe="/usr/bin/spicec" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)

setroubleshootd.log: empty

After disabling selinux (+ reboot) and re-enabling it (system-config-selinux -- Enforcing + reboot + labelling + reboot), there is no problem. Then after "yum remove qffmpeg-libs qspice-client" + "yum localinstall qspice-client" (which also installs qffmpeg-libs), we again experience the permission problem.

Roni Luxenberg found another workaround:

SELinux is preventing spicec from loading /usr/lib/libqavcodec.so.51.71.0 which requires text relocation.

Detailed Description:

The spicec application attempted to load /usr/lib/libqavcodec.so.51.71.0 which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/libqavcodec.so.51.71.0 to use relocation as a workaround, until the library is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib/libqavcodec.so.51.71.0 to run correctly, you can change the file context to textrel_shlib_t.

"chcon -t textrel_shlib_t '/usr/lib/libqavcodec.so.51.71.0'"

You must also change the default file context files on the system in order to preserve them even on a full relabel.

"semanage fcontext -a -t textrel_shlib_t '/usr/lib/libqavcodec.so.51.71.0'"

Following #c3 moving the bug to qffmpeg component of RHEL-5

*** Bug 545860 has been marked as a duplicate of this bug. ***

Some more information: following http://people.redhat.com/drepper/textrelocs.html (snipped lines that appear more than once):

# eu-findtextrel libqavcodec.so.51.71.0
either the file containing the function 'dsputil_init_pix_mmx' or the file containing the function 'ff_simple_idct_put_mmx' is not compiled with -fpic/-fPIC
the file containing the function 'ff_simple_idct_put_mmx' is not compiled with -fpic/-fPIC
the file containing the function 'ff_simple_idct_mmx' is not compiled with -fpic/-fPIC
the file containing the function 'ff_simple_idct_add_mmx' is not compiled with -fpic/-fPIC

"The tool is not able to distinguish compiler-generated code from assembler code written by the programmer. If the problem is indeed the result of hand-written assembler code the solution is not as simple as adding a compiler/assembler flag. The code needs to be rewritten. This is architecture specific and can vary widely between every single instance. We are not going into those details here. Find a person with sufficient assembly programming skills if this problem appears."

Unfortunately, the offending file is a hand-written i386 assembly file. I don't understand the actual text relocation problem in enough detail to know how to go about fixing it. However, I recall similar problems coming up in the Theora source at one point, I will go grovel through the bug logs at Xiph and see if there was a code pattern I can learn from.

Yes, OK, I did see this in the past and the patches were instructive. I believe I have a fix; will need to test tomorrow though.

Note-- I sent a patch to Uri that should fix the issue. If feedback is positive, I'll get it in distCVS and kick off a build immediately.

Created attachment 398949
eliminate text relocations in hand-written i386 assembly

FTR, this is the proposed patch. Actual change is a few lines, it's larger only because I removed a chunk of dead code in an #if 0 while working on the fix.

Works for me. Built a scratch build [1] and tested (with Haim Ateya) on a rhel-5.5 i386 machine. Did not test on rhel-5.4 i386 machine

[1] https://brewweb.devel.redhat.com/taskinfo?taskID=2306715

patch committed to distCVS for RHEL-5

verified: spice not blocked by selinux when qffmpeg-0.4.9-0.16.20080908.el5_5 installed.
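The following triage script is an added example, not part of the bug report or of any Red Hat tool. It pairs the AVC and SYSCALL records quoted in the description by audit event ID and decodes the denied call, showing that the execmod denial came from an mprotect() requesting PROT_READ|PROT_EXEC on a lib_t file. The function names and the two-architecture syscall table are choices made for this example.

```python
import re

# The two audit records quoted in the bug description (one event).
SAMPLE = """\
type=AVC msg=audit(1265015895.882:12): avc: denied { execmod } for pid=3443 comm="spicec" path="/usr/lib/libqavcodec.so.51.71.0" dev=dm-3 ino=1780003 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1265015895.882:12): arch=40000003 syscall=125 success=no exit=-13 a0=3e1000 a1=78000 a2=5 a3=bfc27620 items=0 ppid=3411 pid=3443 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="spicec" exe="/usr/bin/spicec" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""

# mprotect syscall number keyed by audit arch value (i386, x86_64 only).
MPROTECT = {"40000003": 125, "c000003e": 10}
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

EVENT_RE = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)")
AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(text):
    """Turn key=value / key="value" pairs of one record into a dict."""
    return {k: v.strip('"') for k, v in KV_RE.findall(text)}

def execmod_denials(log):
    """Return one finding per audit event whose AVC denies execmod."""
    events = {}
    for line in log.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:  # group records that share the same audit event ID
            events.setdefault(m.group(2), {})[m.group(1)] = m.group(3)
    findings = []
    for event_id, recs in events.items():
        avc = recs.get("AVC", "")
        perms = AVC_RE.search(avc)
        if not perms or "execmod" not in perms.group(1).split():
            continue
        a, s = parse_fields(avc), parse_fields(recs.get("SYSCALL", ""))
        num = s.get("syscall", "")
        is_mprotect = num.isdigit() and MPROTECT.get(s.get("arch")) == int(num)
        prot = int(s["a2"], 16) if is_mprotect else 0  # a0..a3 are hex
        tctx = a.get("tcontext", "").split(":")
        findings.append({
            "event": event_id, "comm": a.get("comm"), "path": a.get("path"),
            "target_type": tctx[2] if len(tctx) > 2 else None,
            "syscall": "mprotect" if is_mprotect else num,
            "prot": [name for bit, name in PROT.items() if prot & bit],
            "range": (int(s["a0"], 16), int(s["a1"], 16)) if is_mprotect else None,
        })
    return findings

if __name__ == "__main__":
    for finding in execmod_denials(SAMPLE):
        print(finding)
```

A finding with target_type lib_t and PROT_EXEC set points at a library carrying text relocations, which is what eu-findtextrel confirmed for libqavcodec in this report.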