Bug 599096
| Summary: | SELinux is preventing /home/ri/google-earth/googleearth-bin from loading /usr/lib/dri/fglrx_dri.so which requires text relocation. | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | vafr <rf.av> |
| Component: | selinux-policy | Assignee: | Miroslav Grepl <mgrepl> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 12 | CC: | carlg, dwalsh, mgrepl, rf.av |
| Target Milestone: | --- | Keywords: | Reopened |
| Target Release: | --- | ||
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | setroubleshoot_trace_hash:5a2e40bce7a7d55522ee2e0a93fae6a87cda52f8b4e479f95683741ade47dacb | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-07-19 13:03:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
vafr
2010-06-02 17:07:59 UTC
Execute chcon -t textrel_shlib_t '/usr/lib/dri/fglrx_dri.so' Will fix. Hi Miroslav, your suggestion to; chcon -t textrel_shlib_t '/usr/lib/dri/fglrx_dri.so' did fix it for a while and made google earth work without problems. But now google earth is messed up again for some reason. Not that important to me. I will try to fix it again. But to be honest I think there might be an underlying problem as I get the following new alert which at first seems to be a nspluginwrapper / catalyst related thing but when the bug is reported turns out to be a google earth issue??? Sorry for the Dutch comments, I need to fix that sometime, reading between the lines should provide you with the necessary info. The bug is not accepted as 'it was already reported'. Perhaps a selinux or bug report issue instead of a google earth issue (never even used google earth during the last sessions). This is the report (just ignore the Dutch parts).... Samenvatting: SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin from loading /usr/lib/catalyst/libatiadlxx.so which requires text relocation. Gedetailleerde omschrijving: The npviewer.bin application attempted to load /usr/lib/catalyst/libatiadlxx.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/catalyst/libatiadlxx.so to use relocation as a workaround, until the library is fixed. Please file a bug report. Teogang toestaan: If you trust /usr/lib/catalyst/libatiadlxx.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib/catalyst/libatiadlxx.so'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/usr/lib/catalyst/libatiadlxx.so'" Commando repareren: chcon -t textrel_shlib_t '/usr/lib/catalyst/libatiadlxx.so' Additionele informatie: Bron context unconfined_u:unconfined_r:unconfined_execmem_t:s0- s0:c0.c1023 Doel context system_u:object_r:lib_t:s0 Doel objecten /usr/lib/catalyst/libatiadlxx.so [ file ] Bron googleearth-bin Bron pad /home/ri/google-earth/googleearth-bin Poort <Onbekend> Host localhost.localdomain Bron RPM pakketten nspluginwrapper-1.3.0-10.fc12 Doel RPM pakketten xorg-x11-drv-catalyst-libs-10.4-2.fc12 Gedragslijn RPM selinux-policy-3.6.32-114.fc12 SELinux aangezet True Gedragslijn type targeted Enforcing modus Enforcing Pluginnaam allow_execmod Hostnaam localhost.localdomain Platform Linux localhost.localdomain 2.6.32.12-115.fc12.x86_64 #1 SMP Fri Apr 30 19:46:25 UTC 2010 x86_64 x86_64 Aantal waarschuwingen 5 Eerst gezien op di 01 jun 2010 22:40:19 CEST Laatst gezien op do 03 jun 2010 23:00:28 CEST Locale ID e3855828-4ab5-4cef-a12f-c3f2b199b60e Regelnummers Onbewerkte audit boodschappen node=localhost.localdomain type=AVC msg=audit(1275598828.999:32829): avc: denied { execmod } for pid=4407 comm="npviewer.bin" path="/usr/lib/catalyst/libatiadlxx.so" dev=dm-2 ino=396814 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1275598828.999:32829): arch=40000003 syscall=125 per=8 success=no exit=-13 a0=7c5d000 a1=2e000 a2=5 a3=ff8b7c60 items=0 ppid=3049 pid=4407 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null) If you run restorecon '/usr/lib/catalyst/libatiadlxx.so' -v does it change the label? I ran restorecon '/usr/lib/catalyst/libatiadlxx.so' -v but there was no feedback and I'm not sure as to what it actually did/does. Do you still see those AVCs or changing the label fixed it? No, have not seen them again. Has the SELinux user interface changed? I believe we had a log file like history list in earlier versions of the troubleshooter which was very clear. The current trouble shooter screen does not show the warnings in chronological order (at least it seems so and I do not know how to make it do that). Just a matter of getting used to I guess. Upon a recent, more detailed inspection of the SELinux troubleshooter reports I wondered if the problem wasn't already solved in some other way as the report of this error at the moment says (see below) that it occurred only 5 times from 1 June to 3 June. I assume I must have been confused by the troubleshooter reports. I will keep a close watch on new alerts... Samenvatting: SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin from loading /usr/lib/catalyst/libatiadlxx.so which requires text relocation. Gedetailleerde omschrijving: The npviewer.bin application attempted to load /usr/lib/catalyst/libatiadlxx.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/catalyst/libatiadlxx.so to use relocation as a workaround, until the library is fixed. Please file a bug report. Toegang toestaan: If you trust /usr/lib/catalyst/libatiadlxx.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib/catalyst/libatiadlxx.so'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/usr/lib/catalyst/libatiadlxx.so'" Commando repareren: chcon -t textrel_shlib_t '/usr/lib/catalyst/libatiadlxx.so' Additionele informatie: Bron context unconfined_u:unconfined_r:unconfined_execmem_t:s0- s0:c0.c1023 Doel context system_u:object_r:lib_t:s0 Doel objecten /usr/lib/catalyst/libatiadlxx.so [ file ] Bron googleearth-bin Bron pad /home/ri/google-earth/googleearth-bin Poort <Onbekend> Host localhost.localdomain Bron RPM pakketten nspluginwrapper-1.3.0-10.fc12 Doel RPM pakketten xorg-x11-drv-catalyst-libs-10.4-2.fc12 Gedragslijn RPM selinux-policy-3.6.32-114.fc12 SELinux aangezet True Gedragslijn type targeted Enforcing modus Enforcing Pluginnaam allow_execmod Hostnaam localhost.localdomain Platform Linux localhost.localdomain 2.6.32.12-115.fc12.x86_64 #1 SMP Fri Apr 30 19:46:25 UTC 2010 x86_64 x86_64 Aantal waarschuwingen 5 Eerst gezien op di 01 jun 2010 22:40:19 CEST Laatst gezien op do 03 jun 2010 23:00:28 CEST Locale ID e3855828-4ab5-4cef-a12f-c3f2b199b60e Regelnummers Onbewerkte audit boodschappen node=localhost.localdomain type=AVC msg=audit(1275598828.999:32829): avc: denied { execmod } for pid=4407 comm="npviewer.bin" path="/usr/lib/catalyst/libatiadlxx.so" dev=dm-2 ino=396814 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1275598828.999:32829): arch=40000003 syscall=125 per=8 success=no exit=-13 a0=7c5d000 a1=2e000 a2=5 a3=ff8b7c60 items=0 ppid=3049 pid=4407 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null) Just execute chcon -t textrel_shlib_t '/usr/lib/catalyst/libatiadlxx.so' Will fix for now. |