Bug 145067 - Execmod denials: texrel_shlib_t list
Summary: Execmod denials: texrel_shlib_t list
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-strict
Version: rawhide
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact:
Depends On:
Reported: 2005-01-14 01:32 UTC by Ivan Gyurdiev
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2006-08-15 11:33:18 UTC


Description Ivan Gyurdiev 2005-01-14 01:32:39 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.5)
Gecko/20041228 Firefox/1.0 Fedora/1.0-8

Description of problem:
Out of curiosity, what is execmod?

... we have gpg (probably something from yum):

audit(1105666083.045:0): avc:  denied  { execmod } for  pid=5384
comm=gpg path=/usr/bin/gpg dev=dm-0 ino=1031029
tcontext=system_u:object_r:gpg_exec_t tclass=file

...and firefox trying to watch flash:

audit(1105656636.364:0): avc:  denied  { execmod } for  pid=4857
comm=firefox-bin path=/home/phantom/.mozilla/plugins/libflashplayer.so
dev=dm-2 ino=326929 scontext=user_u:user_r:user_mozilla_t
tcontext=system_u:object_r:user_mozilla_rw_t tclass=file

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Steps to Reproduce:


Additional info:

Comment 1 Ivan Gyurdiev 2005-01-18 23:09:18 UTC
X and nvidia:

audit(1106088181.401:0): avc:  denied  { execmod } for  pid=3119
comm=X path=/usr/lib/nvidia/tls/libnvidia-tls.so.1.0.6629 dev=dm-0
ino=526001 scontext=system_u:system_r:xdm_xserver_t
tcontext=system_u:object_r:shlib_t tclass=file

(this one in enforcing mode)

Comment 2 Ivan Gyurdiev 2005-01-20 10:32:12 UTC
Here are the libs with text relocations, I think:

[phantom@cobra lib]$ for FILE in `/sbin/ldconfig -p | sed -e 's/.*=> //' | uniq` \
    /usr/lib/firefox*/plugins/* /usr/lib/mozilla*/plugins/*; do
    # keep only ELF files whose dynamic section carries the TEXTREL flag
    if readelf -d "$FILE" 2>/dev/null | grep -q TEXTREL; then
        # print the link target rather than the symlink; readlink avoids the
        # sed s/// delimiter clash that a "/" in the target path causes
        if [ -L "$FILE" ]; then readlink -f "$FILE"; else echo "$FILE"; fi
    fi
done | sort -u
/usr/lib/libxvidcore.so.4.0

So the offending packages are:

nvidia-glx, proprietary, can't be fixed
flash, proprietary, can't be fixed
jai, proprietary (Sun), can't be fixed

Livna: xvidcore, ffmpeg, lame, gsm

Fedora Core: xorg-x11-libs (libOSMesa), SDL, Hermes, imlib2, libdv,
compat-libstdc++, Glide3

...and in fact I do get execmod denial with mplayer due to SDL.

What to do about this? Allow execmod in mozilla_t, mplayer_t,
and xserver_t? X won't even start on my computer without this
because of nvidia.
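
As an added example (not code from this bug report or from the SELinux policy), here is a small Python ELF inspector that checks the same evidence the shell one-liner above asks readelf for: a DT_TEXTREL entry, or DF_TEXTREL set in DT_FLAGS, inside the PT_DYNAMIC segment. It also reports whether PT_GNU_STACK requests an executable stack, because that is a separate property (the one execstack -c clears) and is easy to confuse with an execmod denial. build_sample_elf64() constructs a minimal image for offline testing and is not a real library; run the script with library paths as arguments to scan real files.

```python
"""Spot shared libraries that carry text relocations, the ones that need the
texrel_shlib_t label before SELinux will let a domain execmod them.

Added example; not code from this bug report or from the SELinux policy."""
import struct
import sys

PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551      # executable-stack request (what execstack -c clears)
PF_X = 0x1
DT_NULL, DT_NEEDED, DT_TEXTREL, DT_FLAGS = 0, 1, 16, 30
DF_TEXTREL = 0x4               # the same condition readelf -d prints as TEXTREL


def inspect_elf(data):
    """Parse an ELF image (bytes) and return
    {'textrel': bool, 'exec_stack': bool or None}.

    exec_stack is None when the file has no PT_GNU_STACK header at all."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                 # EI_CLASS
    end = "<" if data[5] == 1 else ">"  # EI_DATA
    if is64:
        hdr = struct.unpack_from(end + "HHIQQQIHHHHHH", data, 16)
        ph_fmt = end + "IIQQQQQQ"       # type, flags, offset, vaddr, paddr, filesz, memsz, align
        dyn_fmt, dyn_size = end + "qQ", 16
    else:
        hdr = struct.unpack_from(end + "HHIIIIIHHHHHH", data, 16)
        ph_fmt = end + "IIIIIIII"       # type, offset, vaddr, paddr, filesz, memsz, flags, align
        dyn_fmt, dyn_size = end + "iI", 8
    phoff, phentsize, phnum = hdr[4], hdr[8], hdr[9]

    result = {"textrel": False, "exec_stack": None}
    for i in range(phnum):
        ph = struct.unpack_from(ph_fmt, data, phoff + i * phentsize)
        if is64:
            p_type, p_flags, p_offset, p_filesz = ph[0], ph[1], ph[2], ph[5]
        else:
            p_type, p_offset, p_filesz, p_flags = ph[0], ph[1], ph[4], ph[6]
        if p_type == PT_GNU_STACK:
            result["exec_stack"] = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            # walk the dynamic array until DT_NULL
            for off in range(p_offset, p_offset + p_filesz, dyn_size):
                tag, val = struct.unpack_from(dyn_fmt, data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    result["textrel"] = True
    return result


def find_textrel_libs(paths):
    """Return the paths that are readable ELF files with text relocations;
    unreadable, non-ELF or truncated files are skipped, like the
    readelf 2>/dev/null in the shell one-liner."""
    hits = []
    for path in paths:
        try:
            with open(path, "rb") as f:
                if inspect_elf(f.read())["textrel"]:
                    hits.append(path)
        except (OSError, ValueError, struct.error):
            pass
    return hits


def build_sample_elf64(textrel, exec_stack):
    """Constructed little-endian x86-64 ELF image for offline testing: a
    header, PT_DYNAMIC and PT_GNU_STACK program headers and a short dynamic
    array. Not loadable; just enough structure for inspect_elf()."""
    ehsize, phentsize, phnum = 64, 56, 2
    phoff = ehsize
    dynoff = phoff + phentsize * phnum
    entries = [(DT_NEEDED, 1)]
    entries += [(DT_TEXTREL, 0), (DT_FLAGS, DF_TEXTREL)] if textrel else [(DT_FLAGS, 0)]
    entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELF64, little endian, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, phoff, 0, 0,
                               ehsize, phentsize, phnum, 0, 0, 0)
    ph_dyn = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dynoff, 0, 0, len(dyn), len(dyn), 8)
    stack_flags = 6 | (PF_X if exec_stack else 0)
    ph_stack = struct.pack("<IIQQQQQQ", PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + ph_dyn + ph_stack + dyn


if __name__ == "__main__":
    # usage: python textrel_scan.py /usr/lib/*.so* /usr/lib/*/plugins/*.so
    for lib in find_textrel_libs(sys.argv[1:]):
        print(lib)
```

The parser reads the program headers rather than section headers on purpose: stripped libraries may have no section table, but the loader (and SELinux's execmod check, which fires when a text page is made writable then executable again for relocation) only ever needs PT_DYNAMIC, so that is the authoritative place to look.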

Comment 3 Ivan Gyurdiev 2005-01-20 19:03:39 UTC
I see gpg execmod denial has been addressed.
Please add this to X and mozilla too - it's necessary
for nvidia driver and flash (and more?).

Comment 4 Ivan Gyurdiev 2005-01-27 08:19:44 UTC
Okay, gpg is fixed, X (nvidia) and mozilla (flash) are
addressed in the 1.21.3-4 beta that I am looking at.

The following libs listed above are still not marked texrel_shlib_t:


Comment 5 Ivan Gyurdiev 2005-02-01 23:05:34 UTC
Add to list:


Comment 6 Daniel Walsh 2005-02-09 15:53:32 UTC
Added in policy-1.21.10-1

Comment 7 Ivan Gyurdiev 2005-02-09 20:29:13 UTC
Which part? 

I see /usr/lib/gstreamer-0.8/libgstffmpeg.so,
but none of the other ones.

In particular, libSDL is annoying, because media players
(like mplayer) won't start without it.

Comment 8 Daniel Walsh 2005-02-09 20:41:40 UTC
Make that 1.21.11-2

Comment 9 Ivan Gyurdiev 2005-02-09 21:10:36 UTC
Still missing those two:


Also, you said that Redhat is working to fix those libraries
so they don't need text relocations. (is it you that said that 
or S. Smalley - I can't remember)

Does that mean this list is temporary only, or have you already
looked at those and decided they won't be fixed?

Comment 10 Daniel Walsh 2005-02-09 21:30:02 UTC
We are looking into fixing some of the ones that we ship.
So hopefully we can remove some of these eventually.


Comment 11 Ivan Gyurdiev 2005-02-10 00:20:35 UTC
Also, please add 

Not sure why script didn't find it originally, but
now I get denials for it.

So, in summary:


Here's also a mplayer path:

--- mplayer_macros.te  2005-02-09 19:19:21.000000000 -0500
+++ mplayer_macros.new   2005-02-09 19:20:11.000000000 -0500
@@ -62,10 +62,9 @@

 if (allow_execmod) {
 allow $1_$2_t zero_device_t:chr_file execmod;
+allow $1_$2_t texrel_shlib_t:file execmod;

 # Access to DVD/CD/V4L
 allow $1_$2_t device_t:dir r_dir_perms;
 allow $1_$2_t device_t:lnk_file { getattr read };
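Review bot: the hunk header "@@ -62,10 +62,9 @@" does not match the body, which has one "+" line and no "-" lines, so the new-side count should be one more than the old side, not one less; patch will reject the hunk as malformed, so regenerate it with diff -u against the installed mplayer_macros.te. The blank context lines also need their leading space for the same reason. The added rule "allow $1_$2_t texrel_shlib_t:file execmod;" is placed correctly inside the "if (allow_execmod) {" block, so it stays gated by the boolean like the zero_device_t rule above it; give it the same indentation as that line.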

Comment 12 Ivan Gyurdiev 2005-02-10 00:21:41 UTC
Err that should be:


Comment 13 Ivan Gyurdiev 2005-02-10 01:26:25 UTC
And all of this too. Is there no end to them? Found those after
running gst-register. 


Comment 14 Ivan Gyurdiev 2005-02-10 04:31:42 UTC
Apparently those too:


Plus everything that's part of xine:

... and all the valgrind libs:


This too:


Some openoffice libs:

I'm really starting to think I should have included all of
/usr/lib/<dir>/*.so in my script to begin with. 

Comment 15 Ivan Gyurdiev 2005-02-10 17:52:29 UTC
One More :)

/usr/lib/gstreameri-.*/libgstffmpeg\.so.*  -- system_u:object_r:texrel_shlib_t

Typo.... s/gstreameri/gstreamer/

Comment 16 Kim Bisgaard 2006-08-15 06:38:52 UTC
I use Nvidia graphics drivers packaged by atrpms, and get execmod problems,
and thus have to do:
execstack -c
execstack -c /usr/lib/nvidia-graphics-1.0-8762/tls/libnvidia-tls.so.1.0.8762
execstack -c /usr/lib/nvidia-graphics-1.0-8762/libGLcore.so.1
execstack -c /usr/lib/nvidia-graphics-1.0-8762/libGL.so.1.0.8762

Tedious details:
# /usr/sbin/sestatus -v
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          enforcing
Policy version:                 20
Policy from config file:        targeted

# rpm -qa selinux\*

Comment 17 Daniel Walsh 2006-08-15 11:33:18 UTC
These files are already marked as texrel_shlib_t, execstack -c would eliminate
execstack problem.  These bugs should be reported to nvidia.

You might want to attach this link

