Bug 145067 - Execmod denials: texrel_shlib_t list
Summary: Execmod denials: texrel_shlib_t list
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: i386
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2005-01-14 01:32 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:10 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-08-15 11:33:18 UTC
Type: ---
Embargoed:



Description Ivan Gyurdiev 2005-01-14 01:32:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
Out of curiosity, what is execmod?


... we have gpg (probably something from yum):

audit(1105666083.045:0): avc:  denied  { execmod } for  pid=5384
comm=gpg path=/usr/bin/gpg dev=dm-0 ino=1031029
scontext=user_u:user_r:user_gpg_t
tcontext=system_u:object_r:gpg_exec_t tclass=file

...and firefox trying to watch flash:

audit(1105656636.364:0): avc:  denied  { execmod } for  pid=4857
comm=firefox-bin path=/home/phantom/.mozilla/plugins/libflashplayer.so
dev=dm-2 ino=326929 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:user_mozilla_rw_t tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.1-1

How reproducible:
Didn't try

Steps to Reproduce:


Additional info:

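As an added example (not part of the original report), the following Python parses AVC records like the ones quoted above and groups execmod denials on files by path, reporting whether the target file is already labeled texrel_shlib_t or not. The sample lines are the denials quoted in this bug, each joined back onto a single line, plus one constructed non-execmod record to show the filter; the record layout assumed is the pre-auditd kernel format seen here, and paths are assumed to contain no whitespace.

```python
import re

# Constructed sample: the execmod denials quoted in this bug, each joined back
# onto one line (the kernel emits one AVC record per line), plus one constructed
# non-execmod record that the execmod filter must ignore.
SAMPLE_AVC_LINES = [
    "audit(1105666083.045:0): avc:  denied  { execmod } for  pid=5384 comm=gpg "
    "path=/usr/bin/gpg dev=dm-0 ino=1031029 scontext=user_u:user_r:user_gpg_t "
    "tcontext=system_u:object_r:gpg_exec_t tclass=file",
    "audit(1105656636.364:0): avc:  denied  { execmod } for  pid=4857 comm=firefox-bin "
    "path=/home/phantom/.mozilla/plugins/libflashplayer.so dev=dm-2 ino=326929 "
    "scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:user_mozilla_rw_t "
    "tclass=file",
    "audit(1106088181.401:0): avc:  denied  { execmod } for  pid=3119 comm=X "
    "path=/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629 dev=dm-0 ino=526001 "
    "scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:shlib_t "
    "tclass=file",
    "audit(1106088200.000:0): avc:  denied  { read } for  pid=3120 comm=X "
    "path=/etc/shadow dev=dm-0 ino=12 scontext=system_u:system_r:xdm_xserver_t "
    "tcontext=system_u:object_r:shadow_t tclass=file",
]

AVC_RE = re.compile(
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+(?P<result>denied|granted)\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
# key=value pairs; assumes values (including path=) carry no whitespace.
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one AVC record into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    # Split user:role:type so callers can reason about the type alone.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    return rec


def execmod_denials(lines, textrel_type="texrel_shlib_t"):
    """Group execmod denials on files by path.

    Returns {path: {"domains": set of source types, "target_type": str,
                    "labeled_textrel": bool}}.
    labeled_textrel=False means the file context is the thing to fix; True means the
    file already carries the text-relocation type and it is the domain's policy
    (or the allow_execmod boolean) that withholds execmod.
    """
    out = {}
    for line in lines:
        rec = parse_avc(line)
        if not rec or rec["result"] != "denied" or "execmod" not in rec["perms"]:
            continue
        if rec.get("tclass") != "file" or not rec.get("path"):
            continue
        entry = out.setdefault(rec["path"], {
            "domains": set(),
            "target_type": rec["tcontext_type"],
            "labeled_textrel": rec["tcontext_type"] == textrel_type,
        })
        entry["domains"].add(rec["scontext_type"])
    return out


if __name__ == "__main__":
    for path, info in execmod_denials(SAMPLE_AVC_LINES).items():
        action = ("domain lacks execmod on texrel_shlib_t" if info["labeled_textrel"]
                  else "file not labeled texrel_shlib_t")
        print("%s: type=%s domains=%s -> %s"
              % (path, info["target_type"], sorted(info["domains"]), action))
```

Feeding it `dmesg` or `/var/log/messages` output line by line gives one row per offending library, which is the list a policy maintainer needs before deciding between a file-context entry and a domain rule.
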
Comment 1 Ivan Gyurdiev 2005-01-18 23:09:18 UTC
X and nvidia:

audit(1106088181.401:0): avc:  denied  { execmod } for  pid=3119
comm=X path=/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629 dev=dm-0
ino=526001 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:shlib_t tclass=file

(this one in enforcing mode)

Comment 2 Ivan Gyurdiev 2005-01-20 10:32:12 UTC
Here are the libs with text relocations, I think:

[phantom@cobra lib]$ for FILE in `/sbin/ldconfig -p|sed -e s/.*"=> "//|uniq` \
    `ls /usr/lib/firefox*/plugins/*` `ls /usr/lib/mozilla*/plugins/*`; do
    if [ ! -z "`readelf -d "$FILE" 2>/dev/null|grep TEXTREL`" ]; then
        if [ -L "$FILE" ]; then
            echo "$FILE"|sed -e s/`basename "$FILE"`/"`ls -l "$FILE"|sed -e s/.*"-> "//`"/
        else
            echo "$FILE"
        fi
    fi
done | uniq
/usr/lib/libxvidcore.so.4.0
/usr/lib/libstdc++.so.2.7.2.8
/usr/lib/libpostproc.so.0.0.1
/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629
/usr/lib/nvidia/libnvidia-tls.so.1.0.6629
/usr/lib/libmp3lame.so.0.0.0
/usr/lib/libmlib_jai.so
/usr/lib/libgsm.so.1.0.10
/usr/lib/libglide3.so.3.10.0
/usr/lib/libg++.so.2.7.2.8
/usr/lib/libdv.so.4.0.1
/usr/lib/libavformat-0.4.9-pre1.so
/usr/lib/libavcodec-0.4.9-pre1.so
/usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629
/usr/lib/libSDL-1.2.so.0.7.0
/usr/X11R6/lib/libOSMesa.so.4.0
/usr/lib/libImlib2.so.1.2.0
/usr/lib/libHermes.so.1.0.0
/usr/lib/nvidia/libGLcore.so.1.0.6629
/usr/lib/nvidia/libGL.so.1.0.6629
sed: -e expression #1, char 13: unknown option to `s'
/usr/lib/firefox-0.10.0/plugins/libflashplayer.so
/usr/lib/firefox-0.9.3/plugins/libflashplayer.so

So the offending packages are:

nvidia-glx, proprietary, can't be fixed
flash, proprietary, can't be fixed
jai, proprietary (Sun), can't be fixed

Livna: xvidcore, ffmpeg, lame, gsm

Fedora Core: xorg-x11-libs (libOSMesa), SDL, Hermes, imlib2, libdv,
compat-libstdc++, Glide3

...and in fact I do get execmod denial with mplayer due to SDL.

What to do about this? Allow execmod in mozilla_t, mplayer_t,
and xserver_t ? X won't even start on my computer without this
because of nvidia.
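As an added example, not the reporter's script and not anything shipped by Fedora, here is a Python scanner that does the same TEXTREL check directly from the ELF headers instead of shelling out to readelf: it walks the program headers to PT_DYNAMIC and looks for DT_TEXTREL or the DF_TEXTREL bit in DT_FLAGS, and while it is there it also reports whether PT_GNU_STACK asks for an executable stack (the flag that `execstack -c` clears, which comes up later in this bug). It skips symlinks so each library is listed once under its real name, and ignores non-ELF files, so the sed failure seen in the output above cannot occur. The build_sample_elf helper only produces constructed minimal ELF images for testing; they are not real libraries.

```python
import os
import struct

# ELF constants as defined in <elf.h>.
ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB, ELFDATA2MSB = 1, 2
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PF_X = 0x1
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4


def _formats(elfclass, encoding):
    """struct formats for (Ehdr, Phdr, Dyn) of the given ELF class and byte order."""
    end = {ELFDATA2LSB: "<", ELFDATA2MSB: ">"}[encoding]
    if elfclass == ELFCLASS32:
        return end + "16sHHIIIIIHHHHHH", end + "IIIIIIII", end + "iI"
    if elfclass == ELFCLASS64:
        return end + "16sHHIQQQIHHHHHH", end + "IIQQQQQQ", end + "qQ"
    raise ValueError("unknown ELF class %d" % elfclass)


def inspect_elf(data):
    """Return {'textrel': bool, 'execstack': bool} for an ELF image held in memory.

    textrel   - dynamic section carries DT_TEXTREL, or DF_TEXTREL in DT_FLAGS, so
                the loader must write into the text segment (the execmod case).
    execstack - a PT_GNU_STACK header requests an executable stack (what
                `execstack -c` clears).  No PT_GNU_STACK is reported as False;
                the kernel default for that case is architecture specific.
    """
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    elfclass, encoding = data[4], data[5]
    ehdr_fmt, phdr_fmt, dyn_fmt = _formats(elfclass, encoding)
    ehdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    result = {"textrel": False, "execstack": False}
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if elfclass == ELFCLASS32:   # p_type, p_offset, ..., p_filesz, p_memsz, p_flags
            p_type, p_offset, p_filesz, p_flags = ph[0], ph[1], ph[4], ph[6]
        else:                        # p_type, p_flags, p_offset, ..., p_filesz
            p_type, p_flags, p_offset, p_filesz = ph[0], ph[1], ph[2], ph[5]
        if p_type == PT_GNU_STACK:
            result["execstack"] = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            step = struct.calcsize(dyn_fmt)
            for off in range(p_offset, p_offset + p_filesz, step):
                d_tag, d_val = struct.unpack_from(dyn_fmt, data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                    result["textrel"] = True
    return result


def scan_tree(root):
    """Walk `root` and return sorted paths of regular ELF files with text relocations.

    Symlinks are skipped so each library is reported once under its real name;
    unreadable, truncated or non-ELF files are ignored.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                with open(path, "rb") as fh:
                    if inspect_elf(fh.read())["textrel"]:
                        hits.append(path)
            except (OSError, ValueError, IndexError, struct.error):
                continue
    return sorted(hits)


def build_sample_elf(elfclass, textrel_tag=False, textrel_flag=False, execstack=False):
    """Constructed test input: a minimal, non-loadable ELF image that has only the
    headers this scanner reads (one PT_DYNAMIC and one PT_GNU_STACK header)."""
    ehdr_fmt, phdr_fmt, dyn_fmt = _formats(elfclass, ELFDATA2LSB)
    ehsize, phentsize = struct.calcsize(ehdr_fmt), struct.calcsize(phdr_fmt)
    entries = ([(DT_TEXTREL, 0)] if textrel_tag else []) + \
              [(DT_FLAGS, DF_TEXTREL if textrel_flag else 0), (DT_NULL, 0)]
    dyn = b"".join(struct.pack(dyn_fmt, t, v) for t, v in entries)
    phnum = 2
    dyn_off = ehsize + phnum * phentsize
    ident = ELF_MAGIC + bytes([elfclass, ELFDATA2LSB, 1]) + bytes(9)
    ehdr = struct.pack(ehdr_fmt, ident, 3, 0, 1, 0, ehsize, 0, 0,
                       ehsize, phentsize, phnum, 0, 0, 0)
    stack_flags = 0x6 | (PF_X if execstack else 0)
    if elfclass == ELFCLASS32:
        phdrs = struct.pack(phdr_fmt, PT_DYNAMIC, dyn_off, 0, 0, len(dyn), len(dyn), 0x6, 4)
        phdrs += struct.pack(phdr_fmt, PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    else:
        phdrs = struct.pack(phdr_fmt, PT_DYNAMIC, 0x6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
        phdrs += struct.pack(phdr_fmt, PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    import sys
    for root in sys.argv[1:] or ["/usr/lib"]:
        for path in scan_tree(root):
            print(path)
```

Run as `python3 textrel_scan.py /usr/lib /usr/X11R6/lib` (the file name is whatever you save it under) to get the same kind of list as the shell loop above; each reported path is a candidate for the texrel_shlib_t file context, or for a rebuild without text relocations where the source is available.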




Comment 3 Ivan Gyurdiev 2005-01-20 19:03:39 UTC
I see gpg execmod denial has been addressed.
Please add this to X and mozilla too - it's necessary
for nvidia driver and flash (and more?).



Comment 4 Ivan Gyurdiev 2005-01-27 08:19:44 UTC
Okay, gpg is fixed, X (nvidia) and mozilla(flash) are
addressed in the 1.21.3-4 beta that I am looking at.

The following libs listed above are still not marked texrel_shlib_t:

/usr/lib/libstdc++.so.2.7.2.8
/usr/lib/libpostproc.so.0.0.1
/usr/lib/libmp3lame.so.0.0.0
/usr/lib/libmlib_jai.so
/usr/lib/libgsm.so.1.0.10
/usr/lib/libglide3.so.3.10.0
/usr/lib/libg++.so.2.7.2.8
/usr/lib/libdv.so.4.0.1
/usr/lib/libavformat-0.4.9-pre1.so
/usr/lib/libavcodec-0.4.9-pre1.so
/usr/lib/libSDL-1.2.so.0.7.0
/usr/X11R6/lib/libOSMesa.so.4.0
/usr/lib/libImlib2.so.1.2.0
/usr/lib/libHermes.so.1.0.0

Comment 5 Ivan Gyurdiev 2005-02-01 23:05:34 UTC
Add to list:

/usr/lib/gstreamer-0.8/libgstffmpeg.so
/usr/lib/gstreamer-0.8/libgsthermescolorspace.so
/usr/lib/gstreamer-0.8/libgstmms.so


Comment 6 Daniel Walsh 2005-02-09 15:53:32 UTC
Added in policy-1.21.10-1


Comment 7 Ivan Gyurdiev 2005-02-09 20:29:13 UTC
Which part? 

I see /usr/lib/gstreamer-0.8/libgstffmpeg.so,
but none of the other ones.

In particular, libSDL is annoying, because media players
(like mplayer) won't start without it.


Comment 8 Daniel Walsh 2005-02-09 20:41:40 UTC
Make that 1.21.11-2

Comment 9 Ivan Gyurdiev 2005-02-09 21:10:36 UTC
Still missing those two:

/usr/lib/gstreamer-0.8/libgsthermescolorspace.so
/usr/lib/gstreamer-0.8/libgstmms.so

Also, you said that Redhat is working to fix those libraries
so they don't need text relocations. (is it you that said that 
or S. Smalley - I can't remember)

Does that mean this list is temporary only, or have you already
looked at those and decided they won't be fixed?

Comment 10 Daniel Walsh 2005-02-09 21:30:02 UTC
We are looking into fixing some of the ones that we ship.
So hopefully we can remove some of these eventually.

Dan

Comment 11 Ivan Gyurdiev 2005-02-10 00:20:35 UTC
Also, please add 
/usr/lib/libxvidcore.so.4

Not sure why script didn't find it originally, but
now I get denials for it.


So, in summary:
=================

/usr/lib/gstreamer-0.8/libgsthermescolorspace.so
/usr/lib/gstreamer-0.8/libgstmms.so
/usr/lib/libxvidcore.so.4

Here's also a mplayer path:
===========================

--- mplayer_macros.te  2005-02-09 19:19:21.000000000 -0500
+++ mplayer_macros.new   2005-02-09 19:20:11.000000000 -0500
@@ -62,10 +62,9 @@

 if (allow_execmod) {
 allow $1_$2_t zero_device_t:chr_file execmod;
+allow $1_$2_t texrel_shlib_t:file execmod;
 }

-
-
 # Access to DVD/CD/V4L
 allow $1_$2_t device_t:dir r_dir_perms;
 allow $1_$2_t device_t:lnk_file { getattr read };
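Review bot: the added `allow $1_$2_t texrel_shlib_t:file execmod;` only takes effect for libraries whose file context is texrel_shlib_t, and the summary just above lists libxvidcore and the two gstreamer plugins as still not labeled that way, so the matching file-context entries need to land together with this rule or the mplayer_t denials on those files continue unchanged. Placing the rule inside the `if (allow_execmod)` block next to the existing `zero_device_t:chr_file execmod` line is right, since it keeps the text-relocation exception switchable by the same boolean. The removal of the two blank lines before `# Access to DVD/CD/V4L` is unrelated whitespace cleanup; leaving it out keeps the change to the one-line policy addition.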

Comment 12 Ivan Gyurdiev 2005-02-10 00:21:41 UTC
Err that should be:

/usr/lib/libxvidcore.so.4.0

Comment 13 Ivan Gyurdiev 2005-02-10 01:26:25 UTC
And all of this too. Is there no end to them? Found those after
running gst-register. 

/usr/lib/ladspa/analogue_osc_1416.so
/usr/lib/ladspa/bandpass_a_iir_1893.so
/usr/lib/ladspa/bandpass_iir_1892.so
/usr/lib/ladspa/butterworth_1902.so
/usr/lib/ladspa/fm_osc_1415.so
/usr/lib/ladspa/gsm_1215.so
/usr/lib/ladspa/gverb_1216.so
/usr/lib/ladspa/hermes_filter_1200.so
/usr/lib/ladspa/highpass_iir_1890.so
/usr/lib/ladspa/lowpass_iir_1891.so
/usr/lib/ladspa/notch_iir_1894.so
/usr/lib/ladspa/pitch_scale_1193.so
/usr/lib/ladspa/pitch_scale_1194.so
/usr/lib/ladspa/sc1_1425.so
/usr/lib/ladspa/sc2_1426.so
/usr/lib/ladspa/sc3_1427.so
/usr/lib/ladspa/sc4_1882.so
/usr/lib/ladspa/se4_1883.so


Comment 14 Ivan Gyurdiev 2005-02-10 04:31:42 UTC
Apparently those too:

/usr/lib/helix/plugins/oggfformat.so
/usr/lib/helix/plugins/theorarend.so
/usr/lib/helix/plugins/vorbisrend.so
/usr/lib/helix/codecs/colorcvt.so
/usr/lib/helix/codecs/cvt1.so

Plus everything that's part of xine:
/usr/lib/xine/plugins/1.0.0/vidix/*.so
/usr/lib/xine/plugins/1.0.0/post/*.so
/usr/lib/xine/plugins/1.0.0/*.so

... and all the valgrind libs:

/usr/lib/valgrind/libpthread.so
/usr/lib/valgrind/libpthread.so.0
/usr/lib/valgrind/vgpreload_addrcheck.so
/usr/lib/valgrind/vgpreload_memcheck.so
/usr/lib/valgrind/vgskin_addrcheck.so
/usr/lib/valgrind/vgskin_cachegrind.so
/usr/lib/valgrind/vgskin_callgrind.so
/usr/lib/valgrind/vgskin_corecheck.so
/usr/lib/valgrind/vgskin_helgrind.so
/usr/lib/valgrind/vgskin_lackey.so
/usr/lib/valgrind/vgskin_massif.so
/usr/lib/valgrind/vgskin_memcheck.so
/usr/lib/valgrind/vgskin_none.so

This too:
/usr/lib/xmms/Input/libmpg123.so


Ocaml:
/usr/lib/ocaml/stublibs/dllnums.so

Some openoffice libs:
/usr/lib/ooo-1.1/program/libicudata.so
/usr/lib/ooo-1.1/program/libicudata.so.22
/usr/lib/ooo-1.1/program/libicudata.so.22.0
/usr/lib/ooo-1.1/program/libsts645li.so
/usr/lib/ooo-1.1/program/libvclplug_gen645li.so
/usr/lib/ooo-1.1/program/libwrp645li.so

I'm really starting to think I should have included all of
/usr/lib/<dir>/*.so in my script to begin with. 


Comment 15 Ivan Gyurdiev 2005-02-10 17:52:29 UTC
One More :)

/usr/lib/gstreameri-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t

Typo.... s/gstreameri/gstreamer/


Comment 16 Kim Bisgaard 2006-08-15 06:38:52 UTC
I use Nvidia graphics drivers packaged by atrpms, and get execmod problems,
and thus have to do:
execstack -c /usr/lib/xorg/modules/extensions/nvidia-graphics-1.0-8762/libglx.so.1.0.8762
execstack -c /usr/lib/nvidia-graphics-1.0-8762/tls/libnvidia-tls.so.1.0.8762
execstack -c /usr/lib/nvidia-graphics-1.0-8762/libGLcore.so.1
execstack -c /usr/lib/nvidia-graphics-1.0-8762/libGL.so.1.0.8762

Tedious details:
# /usr/sbin/sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 20
Policy from config file:        targeted

# rpm -qa selinux\*
selinux-policy-2.3.3-8.fc5
selinux-policy-targeted-2.3.3-8.fc5

Comment 17 Daniel Walsh 2006-08-15 11:33:18 UTC
These files are already marked as texrel_shlib_t; execstack -c would eliminate
the execstack problem.  These bugs should be reported to nvidia.

You might want to attach this link

http://people.redhat.com/~drepper/selinux-mem.html


