Bug 145067 - Execmod denials: texrel_shlib_t list
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Platform: i386 Linux
Priority: medium
Severity: medium
Assigned To: Daniel Walsh
Reported: 2005-01-13 20:32 EST by Ivan Gyurdiev
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2006-08-15 07:33:18 EDT

Description Ivan Gyurdiev 2005-01-13 20:32:39 EST
Description of problem:
Out of curiosity, what is execmod?


... we have gpg (probably something from yum):

audit(1105666083.045:0): avc:  denied  { execmod } for  pid=5384
comm=gpg path=/usr/bin/gpg dev=dm-0 ino=1031029
scontext=user_u:user_r:user_gpg_t
tcontext=system_u:object_r:gpg_exec_t tclass=file

...and firefox trying to watch flash:

audit(1105656636.364:0): avc:  denied  { execmod } for  pid=4857
comm=firefox-bin path=/home/phantom/.mozilla/plugins/libflashplayer.so
dev=dm-2 ino=326929 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:user_mozilla_rw_t tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.1-1

How reproducible:
Didn't try

Comment 1 Ivan Gyurdiev 2005-01-18 18:09:18 EST
X and nvidia:

audit(1106088181.401:0): avc:  denied  { execmod } for  pid=3119
comm=X path=/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629 dev=dm-0
ino=526001 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:shlib_t tclass=file

(this one in enforcing mode)
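The three denials quoted so far all have the same shape: `avc: denied { execmod } for ... scontext=... tcontext=... tclass=file`. As an added example (not part of this bug report or of the selinux-policy package), here is a small Python triage script that parses such lines, keeps only execmod denials, and groups them by source domain type and target file type, which is exactly the pair you need in order to decide whether the file should be relabelled texrel_shlib_t or whether the domain needs an execmod rule. The sample input is constructed: the three denials above reflowed onto one line each, plus one unrelated read denial with made-up values so that the filter visibly drops it.

```python
import re
from collections import defaultdict

# Constructed sample: the three execmod denials from this bug, one per line, plus a
# non-execmod denial (made-up inode/path) that the report must ignore.
SAMPLE_AVC = """\
audit(1105666083.045:0): avc:  denied  { execmod } for  pid=5384 comm=gpg path=/usr/bin/gpg dev=dm-0 ino=1031029 scontext=user_u:user_r:user_gpg_t tcontext=system_u:object_r:gpg_exec_t tclass=file
audit(1105656636.364:0): avc:  denied  { execmod } for  pid=4857 comm=firefox-bin path=/home/phantom/.mozilla/plugins/libflashplayer.so dev=dm-2 ino=326929 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:user_mozilla_rw_t tclass=file
audit(1106088181.401:0): avc:  denied  { execmod } for  pid=3119 comm=X path=/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629 dev=dm-0 ino=526001 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:shlib_t tclass=file
audit(1106088190.000:0): avc:  denied  { read } for  pid=3120 comm=X path=/etc/X11/xorg.conf dev=dm-0 ino=4242 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:etc_t tclass=file
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Parse one AVC line into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    rec.update(FIELD_RE.findall(m.group("fields")))
    # A context is user:role:type[:mls]; policy rules are written against the type (third field).
    for ctx in ("scontext", "tcontext"):
        parts = rec.get(ctx, "").split(":")
        rec[ctx + "_type"] = parts[2] if len(parts) > 2 else None
    return rec


def execmod_report(text):
    """Map (source domain type, target file type) -> sorted paths for every execmod denial."""
    report = defaultdict(set)
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and "execmod" in rec["perms"]:
            report[(rec["scontext_type"], rec["tcontext_type"])].add(rec.get("path", "?"))
    return {key: sorted(paths) for key, paths in report.items()}


def triage_hint(target_type):
    """The resolution pattern used in this thread, as a one-line hint per target type."""
    if target_type == "texrel_shlib_t":
        return "file is already labelled; the source domain needs execmod on texrel_shlib_t"
    return "run `readelf -d FILE | grep TEXTREL`; if it has text relocations, label it texrel_shlib_t"


if __name__ == "__main__":
    for (src, tgt), paths in sorted(execmod_report(SAMPLE_AVC).items()):
        print(f"{src} -> {tgt}: {', '.join(paths)}")
        print("    ", triage_hint(tgt))
```

The grouping key deliberately drops pid, inode and device: those vary per run, while the (domain, type) pair is what a policy rule or a file_contexts entry is keyed on.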
Comment 2 Ivan Gyurdiev 2005-01-20 05:32:12 EST
Here are the libs with text relocations, I think:

[phantom@cobra lib]$ for FILE in `/sbin/ldconfig -p|sed -e s/.*"=> "//|uniq` \
>     `ls /usr/lib/firefox*/plugins/*` `ls /usr/lib/mozilla*/plugins/*`; do
>   if [ ! -z "`readelf -d "$FILE" 2>/dev/null|grep TEXTREL`" ]; then
>     if [ -L "$FILE" ]; then
>       echo "$FILE"|sed -e s/`basename "$FILE"`/"`ls -l "$FILE"|sed -e s/.*"-> "//`"/
>     else
>       echo "$FILE"
>     fi
>   fi
> done | uniq
/usr/lib/libxvidcore.so.4.0
/usr/lib/libstdc++.so.2.7.2.8
/usr/lib/libpostproc.so.0.0.1
/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629
/usr/lib/nvidia/libnvidia-tls.so.1.0.6629
/usr/lib/libmp3lame.so.0.0.0
/usr/lib/libmlib_jai.so
/usr/lib/libgsm.so.1.0.10
/usr/lib/libglide3.so.3.10.0
/usr/lib/libg++.so.2.7.2.8
/usr/lib/libdv.so.4.0.1
/usr/lib/libavformat-0.4.9-pre1.so
/usr/lib/libavcodec-0.4.9-pre1.so
/usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629
/usr/lib/libSDL-1.2.so.0.7.0
/usr/X11R6/lib/libOSMesa.so.4.0
/usr/lib/libImlib2.so.1.2.0
/usr/lib/libHermes.so.1.0.0
/usr/lib/nvidia/libGLcore.so.1.0.6629
/usr/lib/nvidia/libGL.so.1.0.6629
sed: -e expression #1, char 13: unknown option to `s'
/usr/lib/firefox-0.10.0/plugins/libflashplayer.so
/usr/lib/firefox-0.9.3/plugins/libflashplayer.so

So the offending packages are:

nvidia-glx, proprietary, can't be fixed
flash, proprietary, can't be fixed
jai, proprietary (Sun), can't be fixed

Livna: xvidcore, ffmpeg, lame, gsm

Fedora Core: xorg-x11-libs (libOSMesa), SDL, Hermes, imlib2, libdv,
compat-libstdc++, Glide3

...and in fact I do get an execmod denial with mplayer due to SDL.

What to do about this? Allow execmod in mozilla_t, mplayer_t,
and xserver_t? X won't even start on my computer without this
because of nvidia.


Comment 3 Ivan Gyurdiev 2005-01-20 14:03:39 EST
I see gpg execmod denial has been addressed.
Please add this to X and mozilla too - it's necessary
for nvidia driver and flash (and more?).

Comment 4 Ivan Gyurdiev 2005-01-27 03:19:44 EST
Okay, gpg is fixed, X (nvidia) and mozilla(flash) are
addressed in the 1.21.3-4 beta that I am looking at.

The following libs listed above are still not marked texrel_shlib_t:

/usr/lib/libstdc++.so.2.7.2.8
/usr/lib/libpostproc.so.0.0.1
/usr/lib/libmp3lame.so.0.0.0
/usr/lib/libmlib_jai.so
/usr/lib/libgsm.so.1.0.10
/usr/lib/libglide3.so.3.10.0
/usr/lib/libg++.so.2.7.2.8
/usr/lib/libdv.so.4.0.1
/usr/lib/libavformat-0.4.9-pre1.so
/usr/lib/libavcodec-0.4.9-pre1.so
/usr/lib/libSDL-1.2.so.0.7.0
/usr/X11R6/lib/libOSMesa.so.4.0
/usr/lib/libImlib2.so.1.2.0
/usr/lib/libHermes.so.1.0.0
Comment 5 Ivan Gyurdiev 2005-02-01 18:05:34 EST
Add to list:

/usr/lib/gstreamer-0.8/libgstffmpeg.so
/usr/lib/gstreamer-0.8/libgsthermescolorspace.so
/usr/lib/gstreamer-0.8/libgstmms.so
Comment 6 Daniel Walsh 2005-02-09 10:53:32 EST
Added in policy-1.21.10-1
Comment 7 Ivan Gyurdiev 2005-02-09 15:29:13 EST
Which part? 

I see /usr/lib/gstreamer-0.8/libgstffmpeg.so,
but none of the other ones.

In particular, libSDL is annoying, because media players
(like mplayer) won't start without it.
Comment 8 Daniel Walsh 2005-02-09 15:41:40 EST
Make that 1.21.11-2
Comment 9 Ivan Gyurdiev 2005-02-09 16:10:36 EST
Still missing those two:

/usr/lib/gstreamer-0.8/libgsthermescolorspace.so
/usr/lib/gstreamer-0.8/libgstmms.so

Also, you said that Redhat is working to fix those libraries
so they don't need text relocations. (is it you that said that 
or S. Smalley - I can't remember)

Does that mean this list is temporary only, or have you already
looked at those and decided they won't be fixed?
Comment 10 Daniel Walsh 2005-02-09 16:30:02 EST
We are looking into fixing some of the ones that we ship.
So hopefully we can remove some of these eventually.

Dan
Comment 11 Ivan Gyurdiev 2005-02-09 19:20:35 EST
Also, please add 
/usr/lib/libxvidcore.so.4

Not sure why script didn't find it originally, but
now I get denials for it.


So, in summary:
=================

/usr/lib/gstreamer-0.8/libgsthermescolorspace.so
/usr/lib/gstreamer-0.8/libgstmms.so
/usr/lib/libxvidcore.so.4

Here's also an mplayer patch:
===========================

--- mplayer_macros.te  2005-02-09 19:19:21.000000000 -0500
+++ mplayer_macros.new   2005-02-09 19:20:11.000000000 -0500
@@ -62,10 +62,9 @@

 if (allow_execmod) {
 allow $1_$2_t zero_device_t:chr_file execmod;
+allow $1_$2_t texrel_shlib_t:file execmod;
 }

-
-
 # Access to DVD/CD/V4L
 allow $1_$2_t device_t:dir r_dir_perms;
 allow $1_$2_t device_t:lnk_file { getattr read };
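Review bot: the two `-` blank-line deletions at the start of the second context block are unrelated whitespace churn in what is otherwise a one-line policy change; drop them so the hunk is only `+allow $1_$2_t texrel_shlib_t:file execmod;`, which is placed correctly inside the existing `if (allow_execmod) {` block next to the `zero_device_t:chr_file execmod` rule. That placement matters: the new rule grants execmod on every texrel_shlib_t file to every `$1_$2_t` mplayer domain, so it should stay behind the allow_execmod boolean rather than become unconditional.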
Comment 12 Ivan Gyurdiev 2005-02-09 19:21:41 EST
Err that should be:

/usr/lib/libxvidcore.so.4.0
Comment 13 Ivan Gyurdiev 2005-02-09 20:26:25 EST
And all of this too. Is there no end to them? Found those after
running gst-register. 

/usr/lib/ladspa/analogue_osc_1416.so
/usr/lib/ladspa/bandpass_a_iir_1893.so
/usr/lib/ladspa/bandpass_iir_1892.so
/usr/lib/ladspa/butterworth_1902.so
/usr/lib/ladspa/fm_osc_1415.so
/usr/lib/ladspa/gsm_1215.so
/usr/lib/ladspa/gverb_1216.so
/usr/lib/ladspa/hermes_filter_1200.so
/usr/lib/ladspa/highpass_iir_1890.so
/usr/lib/ladspa/lowpass_iir_1891.so
/usr/lib/ladspa/notch_iir_1894.so
/usr/lib/ladspa/pitch_scale_1193.so
/usr/lib/ladspa/pitch_scale_1194.so
/usr/lib/ladspa/sc1_1425.so
/usr/lib/ladspa/sc2_1426.so
/usr/lib/ladspa/sc3_1427.so
/usr/lib/ladspa/sc4_1882.so
/usr/lib/ladspa/se4_1883.so
Comment 14 Ivan Gyurdiev 2005-02-09 23:31:42 EST
Apparently those too:

/usr/lib/helix/plugins/oggfformat.so
/usr/lib/helix/plugins/theorarend.so
/usr/lib/helix/plugins/vorbisrend.so
/usr/lib/helix/codecs/colorcvt.so
/usr/lib/helix/codecs/cvt1.so

Plus everything that's part of xine:
/usr/lib/xine/plugins/1.0.0/vidix/*.so
/usr/lib/xine/plugins/1.0.0/post/*.so
/usr/lib/xine/plugins/1.0.0/*.so

... and all the valgrind libs:

/usr/lib/valgrind/libpthread.so
/usr/lib/valgrind/libpthread.so.0
/usr/lib/valgrind/vgpreload_addrcheck.so
/usr/lib/valgrind/vgpreload_memcheck.so
/usr/lib/valgrind/vgskin_addrcheck.so
/usr/lib/valgrind/vgskin_cachegrind.so
/usr/lib/valgrind/vgskin_callgrind.so
/usr/lib/valgrind/vgskin_corecheck.so
/usr/lib/valgrind/vgskin_helgrind.so
/usr/lib/valgrind/vgskin_lackey.so
/usr/lib/valgrind/vgskin_massif.so
/usr/lib/valgrind/vgskin_memcheck.so
/usr/lib/valgrind/vgskin_none.so

This too:
/usr/lib/xmms/Input/libmpg123.so


Ocaml:
/usr/lib/ocaml/stublibs/dllnums.so

Some openoffice libs:
/usr/lib/ooo-1.1/program/libicudata.so
/usr/lib/ooo-1.1/program/libicudata.so.22
/usr/lib/ooo-1.1/program/libicudata.so.22.0
/usr/lib/ooo-1.1/program/libsts645li.so
/usr/lib/ooo-1.1/program/libvclplug_gen645li.so
/usr/lib/ooo-1.1/program/libwrp645li.so

I'm really starting to think I should have included all of
/usr/lib/<dir>/*.so in my script to begin with. 
Comment 15 Ivan Gyurdiev 2005-02-10 12:52:29 EST
One More :)

/usr/lib/gstreameri-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t

Typo.... s/gstreameri/gstreamer/
Comment 16 Kim Bisgaard 2006-08-15 02:38:52 EDT
I use Nvidia graphics drivers packaged by atrpms, and have got execmod problems,
and thus have to do:
execstack -c /usr/lib/xorg/modules/extensions/nvidia-graphics-1.0-8762/libglx.so.1.0.8762
execstack -c /usr/lib/nvidia-graphics-1.0-8762/tls/libnvidia-tls.so.1.0.8762
execstack -c /usr/lib/nvidia-graphics-1.0-8762/libGLcore.so.1
execstack -c /usr/lib/nvidia-graphics-1.0-8762/libGL.so.1.0.8762

Tedious details:
# /usr/sbin/sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 20
Policy from config file:        targeted

# rpm -qa selinux\*
selinux-policy-2.3.3-8.fc5
selinux-policy-targeted-2.3.3-8.fc5
Comment 17 Daniel Walsh 2006-08-15 07:33:18 EDT
These files are already marked as texrel_shlib_t; execstack -c would eliminate the
execstack problem.  These bugs should be reported to nvidia.

You might want to attach this link

http://people.redhat.com/~drepper/selinux-mem.html

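The readelf loop in comment 2 and the `execstack -c` workaround in comments 16 and 17 come down to reading two bits out of the ELF headers: the DT_TEXTREL tag (or DF_TEXTREL in DT_FLAGS) in the dynamic section, which is what `readelf -d FILE | grep TEXTREL` hits and what earns a library the texrel_shlib_t label, and the PF_X bit on the PT_GNU_STACK program header, which `execstack -c` clears. As an added example that is not part of this bug or of the selinux-policy package, here is a dependency-free Python scanner that reads both from ELF32 and ELF64 files. It resolves symlinks with realpath instead of the sed substitution that failed in comment 2 (the `unknown option to 's'` message is what sed prints when a link target containing a slash ends up in the replacement text). The ELF images it scans are constructed in memory by `build_elf64`, which exists only to make test input and produces no real library; `scan_paths`, `demo` and the file names are likewise assumptions of this example.

```python
import os
import shutil
import struct
import tempfile

PT_DYNAMIC, PT_GNU_STACK, PF_X = 2, 0x6474E551, 1
DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 0, 22, 30, 0x4


def elf_flags(data):
    """Return {'textrel': bool, 'execstack': bool | None} for an ELF image held in memory.

    execstack is None when there is no PT_GNU_STACK header; the glibc loader then falls
    back to an executable stack on x86, so None deserves the same attention as True."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                       # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"        # EI_DATA: 1 = little endian, 2 = big endian
    if is64:
        hdr = struct.unpack_from(end + "16sHHIQQQIHHHHHH", data, 0)
        phdr_fmt, dyn_fmt = end + "IIQQQQQQ", end + "qQ"
    else:
        hdr = struct.unpack_from(end + "16sHHIIIIIHHHHHH", data, 0)
        phdr_fmt, dyn_fmt = end + "IIIIIIII", end + "iI"
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    textrel, execstack = False, None
    for i in range(phnum):
        ph = struct.unpack_from(phdr_fmt, data, phoff + i * phentsize)
        # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, ...
        # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
        p_type, p_flags, p_offset, p_filesz = (ph[0], ph[1], ph[2], ph[5]) if is64 else (ph[0], ph[6], ph[1], ph[4])
        if p_type == PT_GNU_STACK:
            execstack = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, struct.calcsize(dyn_fmt)):
                tag, val = struct.unpack_from(dyn_fmt, data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    textrel = True            # the object needs writable+executable text pages
    return {"textrel": textrel, "execstack": execstack}


def build_elf64(dynamic_tags, gnu_stack_flags=None):
    """Assemble a minimal little-endian x86-64 ET_DYN image (constructed test input, not a real
    library): ELF header, PT_DYNAMIC, optional PT_GNU_STACK, then the dynamic array."""
    phnum = 1 + (gnu_stack_flags is not None)
    phoff, phentsize = 64, 56
    dyn_off = phoff + phentsize * phnum
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dynamic_tags + [(DT_NULL, 0)])
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)    # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    out = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, phoff, 0, 0, 64, phentsize, phnum, 0, 0, 0)
    out += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    if gnu_stack_flags is not None:
        out += struct.pack("<IIQQQQQQ", PT_GNU_STACK, gnu_stack_flags, 0, 0, 0, 0, 0, 16)
    return out + dyn


def scan_paths(paths):
    """The readelf|grep loop from comment 2 in one place: resolve symlinks to the real file,
    skip anything that is not ELF, and keep objects with TEXTREL or a non-read-only stack."""
    hits = {}
    for path in paths:
        real = os.path.realpath(path)
        try:
            with open(real, "rb") as fh:
                flags = elf_flags(fh.read())
        except (OSError, ValueError):
            continue
        if flags["textrel"] or flags["execstack"] in (True, None):
            hits[real] = flags
    return hits


def demo():
    """Write constructed objects into a temp dir, scan them, and return {basename: flags}."""
    tmp = tempfile.mkdtemp()
    try:
        samples = {
            "textrel.so": build_elf64([(DT_TEXTREL, 0)], gnu_stack_flags=6),   # RW stack, has TEXTREL
            "execstack.so": build_elf64([(DT_FLAGS, 0)], gnu_stack_flags=7),  # RWX stack: what execstack -c fixes
            "clean.so": build_elf64([(DT_FLAGS, 0)], gnu_stack_flags=6),      # needs neither execmod nor execstack
            "notes.txt": b"not an ELF file at all\n",                         # must be skipped, not reported
        }
        for name, blob in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(blob)
        hits = scan_paths(os.path.join(tmp, name) for name in samples)
    finally:
        shutil.rmtree(tmp)
    return {os.path.basename(path): flags for path, flags in hits.items()}


if __name__ == "__main__":
    for name, flags in sorted(demo().items()):
        print(f"{name}: TEXTREL={flags['textrel']} execstack={flags['execstack']}")
```

Running it against a real system is `scan_paths(glob.glob("/usr/lib/*/*.so*"))`, which is the `/usr/lib/<dir>/*.so` sweep comment 14 wishes the original script had done; the two columns map directly onto the two fixes discussed here, TEXTREL to a texrel_shlib_t label and an executable stack to `execstack -c`, and a non-ELF file is skipped rather than reported.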