From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5) Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
Out of curiosity, what is execmod?

... we have gpg (probably something from yum):
audit(1105666083.045:0): avc: denied { execmod } for pid=5384 comm=gpg path=/usr/bin/gpg dev=dm-0 ino=1031029 scontext=user_u:user_r:user_gpg_t tcontext=system_u:object_r:gpg_exec_t tclass=file

...and firefox trying to watch flash:
audit(1105656636.364:0): avc: denied { execmod } for pid=4857 comm=firefox-bin path=/home/phantom/.mozilla/plugins/libflashplayer.so dev=dm-2 ino=326929 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:user_mozilla_rw_t tclass=file

Version-Release number of selected component (if applicable):
selinux-policy-strict-1.21.1-1

How reproducible:
Didn't try

Steps to Reproduce:

Additional info:
X and nvidia:
audit(1106088181.401:0): avc: denied { execmod } for pid=3119 comm=X path=/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629 dev=dm-0 ino=526001 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:shlib_t tclass=file
(this one in enforcing mode)
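An added example (not code from this report) that parses AVC records in the format quoted above, keeps only the execmod-on-file denials, records which domain hit which path and what the file is currently labelled, and emits file_contexts-style lines for the shared objects not yet labelled texrel_shlib_t. The first three sample records are the ones quoted in this report; the fourth is constructed to show the filter dropping a non-execmod denial.

```python
import re

# Sample AVC records: the first three are the denials quoted in this report,
# the fourth is a constructed non-execmod denial to show the filter working.
SAMPLE_AUDIT = """\
audit(1105666083.045:0): avc: denied { execmod } for pid=5384 comm=gpg path=/usr/bin/gpg dev=dm-0 ino=1031029 scontext=user_u:user_r:user_gpg_t tcontext=system_u:object_r:gpg_exec_t tclass=file
audit(1105656636.364:0): avc: denied { execmod } for pid=4857 comm=firefox-bin path=/home/phantom/.mozilla/plugins/libflashplayer.so dev=dm-2 ino=326929 scontext=user_u:user_r:user_mozilla_t tcontext=system_u:object_r:user_mozilla_rw_t tclass=file
audit(1106088181.401:0): avc: denied { execmod } for pid=3119 comm=X path=/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629 dev=dm-0 ino=526001 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:shlib_t tclass=file
audit(1106088200.000:0): avc: denied { write } for pid=3119 comm=X path=/var/log/Xorg.0.log dev=dm-0 ino=7 scontext=system_u:system_r:xdm_xserver_t tcontext=system_u:object_r:var_log_t tclass=file
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S+)")  # key=value pairs; paths containing spaces are not handled

def parse_avc(line):
    """Return {'perms': [...], 'pid': ..., 'path': ..., ...} for an AVC line, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = dict(FIELD_RE.findall(m.group("fields")))
    rec["perms"] = m.group("perms").split()
    return rec

def execmod_denials(lines):
    """Group execmod-on-file denials by path: the domains that hit it and the file's current type."""
    hits = {}
    for line in lines:
        rec = parse_avc(line)
        if not rec or "execmod" not in rec["perms"] or rec.get("tclass") != "file":
            continue
        entry = hits.setdefault(rec["path"], {"domains": set(), "type": rec["tcontext"].split(":")[2]})
        entry["domains"].add(rec["scontext"].split(":")[2])  # user_u:user_r:user_gpg_t -> user_gpg_t
    return hits

def file_context_lines(hits):
    """file_contexts entries (the format quoted later in this report) for shared objects that are
    not yet texrel_shlib_t. Plain executables such as /usr/bin/gpg are skipped on purpose: as the
    thread shows, those need a policy or build fix rather than the library label."""
    out = []
    for path, info in sorted(hits.items()):
        if ".so" not in path.rsplit("/", 1)[-1] or info["type"] == "texrel_shlib_t":
            continue
        out.append(f"{re.escape(path)} -- system_u:object_r:texrel_shlib_t")
    return out

if __name__ == "__main__":
    found = execmod_denials(SAMPLE_AUDIT.splitlines())
    print("\n".join(file_context_lines(found)))
```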
Here are the libs with text relocations, I think:

[phantom@cobra lib]$ for FILE in `/sbin/ldconfig -p|sed -e s/.*"=> "//|uniq` `ls /usr/lib/firefox*/plugins/*` `ls /usr/lib/mozilla*/plugins/*`; do
    if [ ! -z "`readelf -d "$FILE" 2>/dev/null|grep TEXTREL`" ]; then
        if [ -L "$FILE" ]; then
            echo "$FILE"|sed -e s/`basename "$FILE"`/"`ls -l "$FILE"|sed -e s/.*"-> "//`"/
        else
            echo "$FILE"
        fi
    fi
done | uniq
/usr/lib/libxvidcore.so.4.0
/usr/lib/libstdc++.so.2.7.2.8
/usr/lib/libpostproc.so.0.0.1
/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629
/usr/lib/nvidia/libnvidia-tls.so.1.0.6629
/usr/lib/libmp3lame.so.0.0.0
/usr/lib/libmlib_jai.so
/usr/lib/libgsm.so.1.0.10
/usr/lib/libglide3.so.3.10.0
/usr/lib/libg++.so.2.7.2.8
/usr/lib/libdv.so.4.0.1
/usr/lib/libavformat-0.4.9-pre1.so
/usr/lib/libavcodec-0.4.9-pre1.so
/usr/X11R6/lib/libXvMCNVIDIA.so.1.0.6629
/usr/lib/libSDL-1.2.so.0.7.0
/usr/X11R6/lib/libOSMesa.so.4.0
/usr/lib/libImlib2.so.1.2.0
/usr/lib/libHermes.so.1.0.0
/usr/lib/nvidia/libGLcore.so.1.0.6629
/usr/lib/nvidia/libGL.so.1.0.6629
sed: -e expression #1, char 13: unknown option to `s'
/usr/lib/firefox-0.10.0/plugins/libflashplayer.so
/usr/lib/firefox-0.9.3/plugins/libflashplayer.so

So the offending packages are:
nvidia-glx, proprietary, can't be fixed
flash, proprietary, can't be fixed
jai, proprietary (Sun), can't be fixed
Livna: xvidcore, ffmpeg, lame, gsm
Fedora Core: xorg-x11-libs (libOSMesa), SDL, Hermes, imlib2, libdv, compat-libstdc++, Glide3

...and in fact I do get an execmod denial with mplayer due to SDL.

What to do about this? Allow execmod in mozilla_t, mplayer_t, and xserver_t? X won't even start on my computer without this because of nvidia.
I see the gpg execmod denial has been addressed. Please add this to X and mozilla too - it's necessary for the nvidia driver and flash (and more?).
Okay, gpg is fixed, X (nvidia) and mozilla (flash) are addressed in the 1.21.3-4 beta that I am looking at. The following libs listed above are still not marked texrel_shlib_t:
/usr/lib/libstdc++.so.2.7.2.8
/usr/lib/libpostproc.so.0.0.1
/usr/lib/libmp3lame.so.0.0.0
/usr/lib/libmlib_jai.so
/usr/lib/libgsm.so.1.0.10
/usr/lib/libglide3.so.3.10.0
/usr/lib/libg++.so.2.7.2.8
/usr/lib/libdv.so.4.0.1
/usr/lib/libavformat-0.4.9-pre1.so
/usr/lib/libavcodec-0.4.9-pre1.so
/usr/lib/libSDL-1.2.so.0.7.0
/usr/X11R6/lib/libOSMesa.so.4.0
/usr/lib/libImlib2.so.1.2.0
/usr/lib/libHermes.so.1.0.0
Add to list:
/usr/lib/gstreamer-0.8/libgstffmpeg.so
/usr/lib/gstreamer-0.8/libgsthermescolorspace.so
/usr/lib/gstreamer-0.8/libgstmms.so
Added in policy-1.21.10-1
Which part? I see /usr/lib/gstreamer-0.8/libgstffmpeg.so, but none of the other ones. In particular, libSDL is annoying, because media players (like mplayer) won't start without it.
Make that 1.21.11-2
Still missing those two:
/usr/lib/gstreamer-0.8/libgsthermescolorspace.so
/usr/lib/gstreamer-0.8/libgstmms.so

Also, you said that Redhat is working to fix those libraries so they don't need text relocations. (is it you that said that or S. Smalley - I can't remember) Does that mean this list is temporary only, or have you already looked at those and decided they won't be fixed?
We are looking into fixing some of the ones that we ship. So hopefully we can remove some of these eventually. Dan
Also, please add /usr/lib/libxvidcore.so.4
Not sure why the script didn't find it originally, but now I get denials for it.

So, in summary:
=================
/usr/lib/gstreamer-0.8/libgsthermescolorspace.so
/usr/lib/gstreamer-0.8/libgstmms.so
/usr/lib/libxvidcore.so.4

Here's also a mplayer patch:
===========================
--- mplayer_macros.te 2005-02-09 19:19:21.000000000 -0500 +++ mplayer_macros.new 2005-02-09 19:20:11.000000000 -0500 @@ -62,10 +62,9 @@ if (allow_execmod) { allow $1_$2_t zero_device_t:chr_file execmod; +allow $1_$2_t texrel_shlib_t:file execmod; } - - # Access to DVD/CD/V4L allow $1_$2_t device_t:dir r_dir_perms; allow $1_$2_t device_t:lnk_file { getattr read };
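Review bot: the added `allow $1_$2_t texrel_shlib_t:file execmod;` sits inside the `if (allow_execmod) {` block, so the mplayer domains only get execmod on texrel_shlib_t libraries (libSDL, per this thread) while the allow_execmod boolean is on; that gating is the right choice for a permission that lets a domain write to an executable mapping, but the hunk should carry a one-line comment saying which libraries it is for, since the neighbouring zero_device_t rule is the only context. The two removed blank lines before `# Access to DVD/CD/V4L` are unrelated whitespace cleanup and should be dropped so the hunk only contains the policy change.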
Err that should be: /usr/lib/libxvidcore.so.4.0
And all of this too. Is there no end to them? Found those after running gst-register.
/usr/lib/ladspa/analogue_osc_1416.so
/usr/lib/ladspa/bandpass_a_iir_1893.so
/usr/lib/ladspa/bandpass_iir_1892.so
/usr/lib/ladspa/butterworth_1902.so
/usr/lib/ladspa/fm_osc_1415.so
/usr/lib/ladspa/gsm_1215.so
/usr/lib/ladspa/gverb_1216.so
/usr/lib/ladspa/hermes_filter_1200.so
/usr/lib/ladspa/highpass_iir_1890.so
/usr/lib/ladspa/lowpass_iir_1891.so
/usr/lib/ladspa/notch_iir_1894.so
/usr/lib/ladspa/pitch_scale_1193.so
/usr/lib/ladspa/pitch_scale_1194.so
/usr/lib/ladspa/sc1_1425.so
/usr/lib/ladspa/sc2_1426.so
/usr/lib/ladspa/sc3_1427.so
/usr/lib/ladspa/sc4_1882.so
/usr/lib/ladspa/se4_1883.so
Apparently those too:
/usr/lib/helix/plugins/oggfformat.so
/usr/lib/helix/plugins/theorarend.so
/usr/lib/helix/plugins/vorbisrend.so
/usr/lib/helix/codecs/colorcvt.so
/usr/lib/helix/codecs/cvt1.so

Plus everything that's part of xine:
/usr/lib/xine/plugins/1.0.0/vidix/*.so
/usr/lib/xine/plugins/1.0.0/post/*.so
/usr/lib/xine/plugins/1.0.0/*.so

... and all the valgrind libs:
/usr/lib/valgrind/libpthread.so
/usr/lib/valgrind/libpthread.so.0
/usr/lib/valgrind/vgpreload_addrcheck.so
/usr/lib/valgrind/vgpreload_memcheck.so
/usr/lib/valgrind/vgskin_addrcheck.so
/usr/lib/valgrind/vgskin_cachegrind.so
/usr/lib/valgrind/vgskin_callgrind.so
/usr/lib/valgrind/vgskin_corecheck.so
/usr/lib/valgrind/vgskin_helgrind.so
/usr/lib/valgrind/vgskin_lackey.so
/usr/lib/valgrind/vgskin_massif.so
/usr/lib/valgrind/vgskin_memcheck.so
/usr/lib/valgrind/vgskin_none.so

This too:
/usr/lib/xmms/Input/libmpg123.so

Ocaml:
/usr/lib/ocaml/stublibs/dllnums.so

Some openoffice libs:
/usr/lib/ooo-1.1/program/libicudata.so
/usr/lib/ooo-1.1/program/libicudata.so.22
/usr/lib/ooo-1.1/program/libicudata.so.22.0
/usr/lib/ooo-1.1/program/libsts645li.so
/usr/lib/ooo-1.1/program/libvclplug_gen645li.so
/usr/lib/ooo-1.1/program/libwrp645li.so

I'm really starting to think I should have included all of /usr/lib/<dir>/*.so in my script to begin with.
One More :)

/usr/lib/gstreameri-.*/libgstffmpeg\.so.* -- system_u:object_r:texrel_shlib_t

Typo.... s/gstreameri/gstreamer/
I use Nvidia graphics drivers packaged by atrpms, and get execmod problems, and thus have to do:

execstack -c /usr/lib/xorg/modules/extensions/nvidia-graphics-1.0-8762/libglx.so.1.0.8762
execstack -c /usr/lib/nvidia-graphics-1.0-8762/tls/libnvidia-tls.so.1.0.8762
execstack -c /usr/lib/nvidia-graphics-1.0-8762/libGLcore.so.1
execstack -c /usr/lib/nvidia-graphics-1.0-8762/libGL.so.1.0.8762

Tedious details:

# /usr/sbin/sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 20
Policy from config file:        targeted

# rpm -qa selinux\*
selinux-policy-2.3.3-8.fc5
selinux-policy-targeted-2.3.3-8.fc5
These files are already marked as texrel_shlib_t; execstack -c would eliminate the execstack problem. These bugs should be reported to nvidia. You might want to attach this link: http://people.redhat.com/~drepper/selinux-mem.html
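The readelf -d | grep TEXTREL check earlier in this thread and the execstack -c fix in the last two comments address two different ELF properties: text relocations (which trigger execmod on a texrel_shlib_t-unlabelled library) and an executable-stack PT_GNU_STACK header (which triggers execstack). An added example, not code from this report, that reads both readelf outputs for a library and says which permission it will need and which remedy named in this thread applies; the readelf text is constructed sample output, not a capture of the nvidia libraries.

```python
import re

# Constructed samples modelled on `readelf -d` and `readelf -lW` output: one library built without
# -fPIC (TEXTREL present) and one whose GNU_STACK header asks for an executable stack.
DYN_TEXTREL = """\
Dynamic section at offset 0x1f000 contains 24 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x0000000000000016 (TEXTREL)            0x0
 0x000000000000001e (FLAGS)              TEXTREL
"""
DYN_CLEAN = " 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]\n"
PHDR_EXECSTACK = """\
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x00f000 0x00f000 R E 0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RWE 0x10
"""
PHDR_CLEAN = PHDR_EXECSTACK.replace("RWE 0x10", "RW  0x10")

TEXTREL_RE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+\((TEXTREL|FLAGS)\)\s+(.*)$")
GNU_STACK_RE = re.compile(r"^\s*GNU_STACK\s+(?:\S+\s+){5}(?P<flg>[RWE ]{3})\s+\S+")

def has_textrel(dyn_text):
    """True if the dynamic section carries a DT_TEXTREL tag or DT_FLAGS with TEXTREL set."""
    for line in dyn_text.splitlines():
        m = TEXTREL_RE.match(line)
        if m and (m.group(1) == "TEXTREL" or "TEXTREL" in m.group(2)):
            return True
    return False

def stack_flags(phdr_text):
    """Return the GNU_STACK Flg column (e.g. 'RWE'), or None if there is no GNU_STACK header."""
    for line in phdr_text.splitlines():
        m = GNU_STACK_RE.match(line)
        if m:
            return m.group("flg").strip()
    return None

def classify(dyn_text, phdr_text):
    """Which permission the library will trip and the matching remedy from this thread."""
    flg = stack_flags(phdr_text)
    # A missing GNU_STACK header is treated as an executable stack by the loader, so it counts too.
    result = {"textrel": has_textrel(dyn_text), "execstack": flg is None or "E" in flg, "remedy": []}
    if result["textrel"]:
        result["remedy"].append("label texrel_shlib_t (execmod) or rebuild with -fPIC")
    if result["execstack"]:
        result["remedy"].append("execstack -c <lib> to clear the flag, or rebuild with a non-exec stack")
    return result
```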