Bug 596983

Summary: SELinux is preventing /home/eddie/google-earth/googleearth-bin from loading /home/eddie/google-earth/librender.so which requires text relocation.
Product: [Fedora] Fedora Reporter: Eddie Lania <eddie>
Component: selinux-policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED CANTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 13CC: 521, alessandromachado.vip, ameya.gore, avramovski.dragan, bndrcr82a08e349g, carlos.rca185, cedpren, dakshay, dankahazi, dwalsh, eyeneeserver, germano.massullo, maskimko, mgrepl, mirvana-dmitry, nikolas.moraitis, n.underwood78, pascalarnold.varniol, Robert-Martin, rohinbanerji, santiago.lunar.m, sharrana, subscribed-lists, th-topo, valent.turkovic, willians.hxcx, wlh2008
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard: setroubleshoot_trace_hash:19d8c96b052b680416c17294c2c0a2eecd9eb7755f0ef24e94d2b3f6f8862cae
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-06-01 13:46:51 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eddie Lania 2010-05-27 20:53:19 UTC 
Summary:

SELinux is preventing /home/eddie/google-earth/googleearth-bin from loading
/home/eddie/google-earth/librender.so which requires text relocation.

Detailed Description:

[SELinux is in permissive mode. This access was not denied.]

The googleearth-bin application attempted to load
/home/eddie/google-earth/librender.so which requires text relocation. This is a
potential security problem. Most libraries do not need this permission.
Libraries are sometimes coded incorrectly and request this permission. The
SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/home/eddie/google-earth/librender.so to use relocation as a workaround, until
the library is fixed. Please file a bug report.

Allowing Access:

If you trust /home/eddie/google-earth/librender.so to run correctly, you can
change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/home/eddie/google-earth/librender.so'" You must also change the default file
context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t textrel_shlib_t
'/home/eddie/google-earth/librender.so'"

Fix Command:

chcon -t textrel_shlib_t '/home/eddie/google-earth/librender.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                unconfined_u:object_r:user_home_t:s0
Target Objects                /home/eddie/google-earth/librender.so [ file ]
Source                        googleearth-bin
Source Path                   /home/eddie/google-earth/googleearth-bin
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.7.19-15.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.33.4-95.fc13.i686.PAE #1 SMP Thu May 13
                              05:38:26 UTC 2010 i686 i686
Alert Count                   1
First Seen                    Thu 27 May 2010 10:51:01 PM CEST
Last Seen                     Thu 27 May 2010 10:51:01 PM CEST
Local ID                      0ecc213a-8171-4044-afb4-360403404552
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1274993461.83:26313): avc:  denied  { execmod } for  pid=31202 comm="googleearth-bin" path="/home/eddie/google-earth/librender.so" dev=sda2 ino=1989873 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1274993461.83:26313): arch=40000003 syscall=125 success=yes exit=0 a0=159f000 a1=87000 a2=5 a3=bfc393f0 items=0 ppid=1 pid=31202 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=14 comm="googleearth-bin" exe="/home/eddie/google-earth/googleearth-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  allow_execmod,googleearth-bin,unconfined_t,user_home_t,file,execmod
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execmod'

allow unconfined_t user_home_t:file execmod;
Comment 1 Eddie Lania 2010-05-27 20:54:49 UTC 
I have issued the Fix Command:

chcon -t textrel_shlib_t '/home/eddie/google-earth/librender.so'

several times, as user and as root, but the error/denial keeps coming back.
Comment 2 Daniel Walsh 2010-05-27 21:17:38 UTC 
Turn off the check.

# setsebool -P allow_execmod 1
Comment 3 Eddie Lania 2010-05-30 09:19:29 UTC 
Isn't that preventing selinux from detecting of all other applications attempting to load objects which requires text relocation as well? Is that a good idea?
Comment 4 Daniel Walsh 2010-06-01 13:46:24 UTC 
Yes and know.  If a huge number of bugs come in reporting third party libraries are built incorrectly then this check becomes almost worthless for the vast majority of users.  You have two choices here tell SELinux to ignore the error, or fix the labeling your self using chcon -t textrel_shlib_t on all libraries that exhibit this behaviour.

allow_execmod only allows it for the unconfined domain, not for any confined domains.  Google and others know about their problems but are either slow to fix or ignoring the problem.  During rawhide cycle this is turned off and I have decided to turn it on for the F13 release.
Comment 5 Daniel Walsh 2010-06-01 13:46:51 UTC 
Since this is a google bug I can not fix it.
Comment 6 Carlos Díaz 2010-08-08 08:56:11 UTC 
I label my files *.so using chcon -t textrel_shlib_t. But SElinux still detecting the same problem.
Comment 7 Daniel Walsh 2010-08-13 15:25:23 UTC 
Carlos please attach the bugs, or just set the boolean allow_execmod

# setsebool -P allow_execmod 1