Bug 591854
| Summary: | SELinux empêche /usr/bin/vlc de charger /usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du texte. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | maxime.tierre |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 13 | CC: | abhi.kr191, adalsaady, adi.radutu, admin, agostino.leonida, ajw7v3, akbaruddin, al.damyanov, alessandro.azzurro, alexanderpomerleau, alurralde.mariano, amrlima, anas.mubeen, andreygeorge, androskalou, antenna-5, arnaud.bergmann, artemio.silva, avichandra.yallapalli, avramovski.dragan, bagal81, bala_ire, baleineh, bender.futurateam, bharrington, bjmeany, brucevannorman, b.subi68, b.thielman, bugzilla, bugzilla_rhn, bz5923, camille.plag, cassius, cdanaila2001, celiohermoso, coachepooh2, compaq88, copperjoy2002, coutinho.sanches, cpanceac, cp_caverna, daniel, davidsen, dchester11, deviantt3ch, dford, dkanunnikau, donnellydw, dwalsh, ehud.kaldor, emmcartier, endrju-87, evilastharoth, fer5437, fvqz69, galou_breizh, gatednyanesh, geotri314, germano.massullo, gibkristen, glaubitz, gokhanm, goucherg, guido.rugo, henry_thebuilder, hide_lynx, hihii352, hopparz, hrishikesh.kolhatkar, iborg, jackal_road2000, jacklupton, jarin.franek, jl.deloos, johannes.sierl, john.brown009, john, jonathanr.pritchard+bugzilla, jones.peter.busi, jorge.salgueiro, jose.sanchez.ramirez, jp.grossglauser, jrincon87, kailashdeora, kayowski, keith.flynn, kide65, kingbiotech, kkshethin, knighcl, kwizart, kybernetikkollektiv, lastripper, laurent.rineau__fedora, left4bread3, leonanavi, lewcat111, lorenzo.alvarez, mail.dsp, manoj.bgm, marko.nurmenniemi, maxime.tierre, mbf_26, mbruegge73, mdeggers, mgrepl, Micbel4225, michael.aeschbach, michapajocel, mickromick, mikepburke, mirvana-dmitry, mkkvs16, mofx71, mohamed_sam, moorayil.naveen, moorley, morphix, mr_izzy, nedved1988, netwizurd, nocountryman, occultmastery, oday.maleh, orb1337, pablofersanji, pavel.ondracka, pavel.stehule, pertti.runolinna, piotrk2683, pmvr, prashanth.rajagopal, predatorpeter, pronet_xvn, radwan_b1, rajeevrvis, ram7377, ramzi986, ravr03, rbr, rd8006, reachparthu, revjdc, rob2098, robert, romainlaf, ronaldcanete, saket, setzud.t, sixjanuary87, sktonoy, smold, snerq, soumyabardhan15, stefan998, steven, superspamo, syscreat, tachchot007, talltaurus2002, terrywallwork, textman, thanosk, th.sievers, trevor, v10power, vadimamc, veli-matti.sorvala, vikigoyal, vincent.tavier, wayne.lloyd2, whumphreys, woshanzhimu, xxxidiosyncraticxxx |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | i386 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:d7317c57db0141dcf33d1acbda6d95fa97de7c9634402069ee5a18471e9eb33f | ||
| Fixed In Version: | selinux-policy-3.7.19-51.fc13 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-11-08 09:41:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
maxime.tierre
2010-05-13 11:15:30 UTC
The sealert tells you what to do. Either # chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/libdmo_plugin.so' or # setsebool -P allow_execmod 1 Labeling will be Fixed in selinux-policy-3.7.19-16.fc13.noarch selinux-policy-3.7.19-21.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-21.fc13 selinux-policy-3.7.19-21.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-21.fc13 selinux-policy-3.7.19-21.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. Hello, I have selinux-policy-3.7.19-23.fc13.noarch and the behaviour isn't fixed. It might be a difference between vlc 1.0.x and vlc-1.1.x libdmo_plugin.so path. That version of vlc is aimed to be provided as an update for F-13. What is the new path? I have: libselinux-devel-2.0.90-5.fc13.i686 libselinux-2.0.90-5.fc13.i686 selinux-policy-3.7.19-47.fc13.noarch vlc-core-1.1.3-1.fc13.i686 vlc-1.1.3-1.fc13.i686 libselinux-python-2.0.90-5.fc13.i686 selinux-policy-targeted-3.7.19-47.fc13.noarch libselinux-utils-2.0.90-5.fc13.i686 I presume the path is given in the beginning of the report below: Summary: SELinux is preventing /usr/bin/vlc from loading /usr/lib/vlc/plugins/codec/librealvideo_plugin.so which requires text relocation. Detailed Description: The vlc application attempted to load /usr/lib/vlc/plugins/codec/librealvideo_plugin.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/vlc/plugins/codec/librealvideo_plugin.so to use relocation as a workaround, until the library is fixed. Please file a bug report. Allowing Access: If you trust /usr/lib/vlc/plugins/codec/librealvideo_plugin.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/librealvideo_plugin.so'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/librealvideo_plugin.so'" Fix Command: chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/librealvideo_plugin.so' Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context system_u:object_r:lib_t:s0 Target Objects /usr/lib/vlc/plugins/codec/librealvideo_plugin.so [ file ] Source vlc Source Path /usr/bin/vlc Port <Unknown> Host (removed) Source RPM Packages vlc-core-1.1.3-1.fc13 Target RPM Packages vlc-core-1.1.3-1.fc13 Policy RPM selinux-policy-3.7.19-47.fc13 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name allow_execmod Host Name (removed) Platform Linux localhost.localdomain 2.6.33.6-147.2.4.fc13.i686.PAE #1 SMP Fri Jul 23 17:21:06 UTC 2010 i686 i686 Alert Count 2 First Seen Mon 23 Aug 2010 12:17:44 PM EDT Last Seen Mon 23 Aug 2010 12:17:44 PM EDT Local ID 6628583a-a80c-492c-84d9-1b6772b217aa Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1282580264.250:60): avc: denied { execmod } for pid=7810 comm="vlc" path="/usr/lib/vlc/plugins/codec/librealvideo_plugin.so" dev=sda7 ino=1198999 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1282580264.250:60): arch=40000003 syscall=125 success=no exit=-13 a0=19f1000 a1=1b000 a2=5 a3=bf8b40e0 items=0 ppid=7724 pid=7810 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="vlc" exe="/usr/bin/vlc" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) I have abrt-desktop-1.1.13-2.fc13.i686 abrt-plugin-logger-1.1.13-2.fc13.i686 abrt-plugin-runapp-1.1.13-2.fc13.i686 abrt-libs-1.1.13-2.fc13.i686 abrt-plugin-bugzilla-1.1.13-2.fc13.i686 abrt-addon-kerneloops-1.1.13-2.fc13.i686 abrt-addon-ccpp-1.1.13-2.fc13.i686 abrt-addon-python-1.1.13-2.fc13.i686 abrt-gui-1.1.13-2.fc13.i686 abrt-1.1.13-2.fc13.i686 The decision to add the vlc bug information to the existing bug report was made by abrt, even though I don't see a window to change the status of the this report from Closed Insufficient Data to Assigned. I hope there will be a response to the new information. I received the same troubleshooter message as Peter H. Jones. Same packet versions and arch. There is indeed a redesign in the module path from vlc 1.0.x to vlc 1.1.x What's in the current selinux-policy-targeted is : /usr/lib(64)?/vlc/codec/librealvideo_plugin\.so But the new path in vlc 1.1.x is /usr/lib(64)?/vlc/codec/plugins/librealvideo_plugin\.so Same for libdmo_plugin\.so which is 32bit only: from: /usr/lib/vlc/codec/libdmo_plugin\.so to :/usr/lib/vlc/codec/plugins/libdmo_plugin\.so and /usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so to /usr/lib64/vlc/plugins/mmx/libi420_rgb_mmx_plugin.so The mozilla plugin hasn't changed. Thx Side note: Thx for adding /usr/lib(64)?/libpostproc4vlc\.so.* . I wasn't aware such context is still needed. Is it possible to add a wildcard instead as libprostproc\*.so so it can be used by any implementation specially as libpostproc4fedora.so could be in the work. Fixed in selinux-policy-3.7.19-50.fc13 selinux-policy-3.7.19-51.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13 selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13 selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report. I still have the same security alert with selinux-policy-3.7.19-51.fc13. Fixed in selinux-policy-3.7.19-52.fc13. I just had this trigger with selinux-policy-3.7.19-54.fc13.noarch The vlc application attempted to load /usr/lib/vlc/plugins/codec/librealvideo_plugin.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/vlc/plugins/codec/librealvideo_plugin.so to use relocation as a workaround, until the library is fixed. Please file a bug report. selinux-policy-3.7.19-54.fc13.noarch The problem persists. I feel for you guys... I'm just posting to say that it actually stop for me : From every use of VLC to none what so ever. Linux T42.mobile1 2.6.34.6-54.fc13.i686 #1 SMP Sun Sep 5 17:52:31 UTC 2010 i686 i686 i386 GNU/Linux Execute the chcon command from the alert. Will fix for now. The policy doesn't define label for /usr/lib/vlc/plugins/codec/librealvideo_plugin.so restorecon -R -v /usr/lib/vlc Or turn the check off altogether as I said in comment 1 (In reply to comment #0) > Résumé: > > SELinux empêche /usr/bin/vlc de charger > /usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du > texte. > > Description détaillée: > > L'application vlc a essayé de charger > /usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du > texte. C'est un problème potentiel de sécurité . La plupart des > bibliothèques n'ont pas besoin de cette permission. Les bibliothèques sont > parfois programmées incorrectement et demandent cette permission. La page web > Essais de protection mémoire de SELinux > (http://people.redhat.com/drepper/selinux-mem.html) explique comment retirer > ces > exigences. Vous pouvez configurer temporairement SELinux pour permettre à > /usr/lib/vlc/plugins/codec/libdmo_plugin.so d'utiliser le ré-adressage et > contourner cette protection, jusqu'à ce que la bibliothèque soit corrigée. > Merci de remplir un rapport de bogue > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) pour c > > Autoriser l'accès: > > Si vous autorisez /usr/lib/vlc/plugins/codec/libdmo_plugin.so à fonctionner > correctement, vous pouvez changer le contexte du fichier à textrel_shlib_t. > "chcon -t textrel_shlib_t /usr/lib/vlc/plugins/codec/libdmo_plugin.so" Vous > devez aussi changer le dossier par défaut des fichiers de contexte de votre > système, même lors d'un réétiquetage complet, de manière à les préserver. > "semanage fcontext -a -t textrel_shlib_t > '/usr/lib/vlc/plugins/codec/libdmo_plugin.so'" > > Commande de correction: > > chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/libdmo_plugin.so' > > Informations complémentaires: > > Contexte source > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > 023 > Contexte cible system_u:object_r:lib_t:s0 > Objets du contexte /usr/lib/vlc/plugins/codec/libdmo_plugin.so [ > file > ] > source vlc > Chemin de la source /usr/bin/vlc > Port <Inconnu> > Hôte (supprimé) > Paquetages RPM source vlc-core-1.1.0-0.6.pre3.fc14 > Paquetages RPM cible vlc-core-1.1.0-0.6.pre3.fc14 > Politique RPM selinux-policy-3.7.19-10.fc13 > Selinux activé True > Type de politique targeted > Mode strict Enforcing > Nom du plugin allow_execmod > Nom de l'hôte (supprimé) > Plateforme Linux (supprimé) 2.6.33.3-85.fc13.i686.PAE #1 > SMP Thu May 6 18:27:11 UTC 2010 i686 i686 > Compteur d'alertes 2 > Première alerte jeu. 13 mai 2010 13:13:33 CEST > Dernière alerte jeu. 13 mai 2010 13:13:33 CEST > ID local ac19f197-cee2-4fd7-b97f-fb4d2560fc8c > Numéros des lignes > > Messages d'audit bruts > > node=(supprimé) type=AVC msg=audit(1273749213.308:32053): avc: denied { > execmod } for pid=2303 comm="vlc" > path="/usr/lib/vlc/plugins/codec/libdmo_plugin.so" dev=sda3 ino=536338 > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:lib_t:s0 tclass=file > > node=(supprimé) type=SYSCALL msg=audit(1273749213.308:32053): arch=40000003 > syscall=125 success=no exit=-13 a0=273d000 a1=1e000 a2=5 a3=bfbffba0 items=0 > ppid=1 pid=2303 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 > sgid=500 fsgid=500 tty=(none) ses=1 comm="vlc" exe="/usr/bin/vlc" > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) > > > > Hash String generated from allow_execmod,vlc,unconfined_t,lib_t,file,execmod > audit2allow suggests: > > #============= unconfined_t ============== > #!!!! This avc can be allowed using the boolean 'allow_execmod' > > allow unconfined_t lib_t:file execmod; Learn some English dude! (In reply to comment #22) > Learn some English dude! I don’t wish to be a hypocrite, but please avoid making pointless comments, everyone attached to the bug will be sent them. (In reply to comment #22) > (In reply to comment #0) > > Résumé: > > > > SELinux empêche /usr/bin/vlc de charger > > /usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du > > texte. > > > > Description détaillée: > > > > L'application vlc a essayé de charger > > /usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du > > texte. C'est un problème potentiel de sécurité . La plupart des > > bibliothèques n'ont pas besoin de cette permission. Les bibliothèques sont > > parfois programmées incorrectement et demandent cette permission. La page web > > Essais de protection mémoire de SELinux > > (http://people.redhat.com/drepper/selinux-mem.html) explique comment retirer > > ces > > exigences. Vous pouvez configurer temporairement SELinux pour permettre à > > /usr/lib/vlc/plugins/codec/libdmo_plugin.so d'utiliser le ré-adressage et > > contourner cette protection, jusqu'à ce que la bibliothèque soit corrigée. > > Merci de remplir un rapport de bogue > > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) pour c > > > > Autoriser l'accès: > > > > Si vous autorisez /usr/lib/vlc/plugins/codec/libdmo_plugin.so à fonctionner > > correctement, vous pouvez changer le contexte du fichier à textrel_shlib_t. > > "chcon -t textrel_shlib_t /usr/lib/vlc/plugins/codec/libdmo_plugin.so" Vous > > devez aussi changer le dossier par défaut des fichiers de contexte de votre > > système, même lors d'un réétiquetage complet, de manière à les préserver. > > "semanage fcontext -a -t textrel_shlib_t > > '/usr/lib/vlc/plugins/codec/libdmo_plugin.so'" > > > > Commande de correction: > > > > chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/libdmo_plugin.so' > > > > Informations complémentaires: > > > > Contexte source > > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 > > 023 > > Contexte cible system_u:object_r:lib_t:s0 > > Objets du contexte /usr/lib/vlc/plugins/codec/libdmo_plugin.so [ > > file > > ] > > source vlc > > Chemin de la source /usr/bin/vlc > > Port <Inconnu> > > Hôte (supprimé) > > Paquetages RPM source vlc-core-1.1.0-0.6.pre3.fc14 > > Paquetages RPM cible vlc-core-1.1.0-0.6.pre3.fc14 > > Politique RPM selinux-policy-3.7.19-10.fc13 > > Selinux activé True > > Type de politique targeted > > Mode strict Enforcing > > Nom du plugin allow_execmod > > Nom de l'hôte (supprimé) > > Plateforme Linux (supprimé) 2.6.33.3-85.fc13.i686.PAE #1 > > SMP Thu May 6 18:27:11 UTC 2010 i686 i686 > > Compteur d'alertes 2 > > Première alerte jeu. 13 mai 2010 13:13:33 CEST > > Dernière alerte jeu. 13 mai 2010 13:13:33 CEST > > ID local ac19f197-cee2-4fd7-b97f-fb4d2560fc8c > > Numéros des lignes > > > > Messages d'audit bruts > > > > node=(supprimé) type=AVC msg=audit(1273749213.308:32053): avc: denied { > > execmod } for pid=2303 comm="vlc" > > path="/usr/lib/vlc/plugins/codec/libdmo_plugin.so" dev=sda3 ino=536338 > > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 > > tcontext=system_u:object_r:lib_t:s0 tclass=file > > > > node=(supprimé) type=SYSCALL msg=audit(1273749213.308:32053): arch=40000003 > > syscall=125 success=no exit=-13 a0=273d000 a1=1e000 a2=5 a3=bfbffba0 items=0 > > ppid=1 pid=2303 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 > > sgid=500 fsgid=500 tty=(none) ses=1 comm="vlc" exe="/usr/bin/vlc" > > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) > > > > > > > > Hash String generated from allow_execmod,vlc,unconfined_t,lib_t,file,execmod > > audit2allow suggests: > > > > #============= unconfined_t ============== > > #!!!! This avc can be allowed using the boolean 'allow_execmod' > > > > allow unconfined_t lib_t:file execmod; > > Learn some English dude! I thought you was having a go at me then. I agree with the previous Comment its not fair to make comments like that. The tool reports in the native language, it is not the reporters fault. And we do not even look at the report but just the raw data at the bottom anyways. We are working on a rewrite of the tool for F15 that will not report in the native lang. I have the same problem You can turn this check off altogether by executing # setsebool -P allow_execmod 1 Does the problem still apply with current f13 x86 and vlc 1.1.4-4.fc13 ? I've forced the related modules to be built with -fPIC which is explicitely avoided in the upstream vlc sources, specially for some modules (real, dmo). If thoses modules still works, I would consider the problem solved. Let's close the bug. |