Bug 221280 - selinux errors with mythtv and mythweb applications (from atrpms)
Summary: selinux errors with mythtv and mythweb applications (from atrpms)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2007-01-03 15:27 UTC by Need Real Name
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-01-11 22:08:01 UTC
Type: ---
Embargoed:



Description Need Real Name 2007-01-03 15:27:12 UTC
Description of problem:
I am running the mythtv application using the rpms installed from the atrpm
repo. I reported the following selinux conflict (under the 'targeted' policy) to
the maintainer, but their philosophy has been pretty much to ignore (i.e.,
turn-off) selinux. So, I was wondering what is the best way to resolve such
conflicts (other than just running audit2allow on the avc errors)

--------------------------------------------------------------------------------

First, libmythavcodec (which is called by both mythtvsetup and the mythbackend
daemon) has an selinux conflict when run under the (default) 'targeted'
selinux policy.

Specifically, I get the following "avc: denied" errors:

avc:  denied  { execmod } comm="mythbackend"
name="libmythavcodec-0.20.so.0.20.0" scontext=user_u:system_r:initrc_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file
avc:  denied  { execmod } comm=mythtvsetup name=libmythavcodec-0.20.so.0.20.0
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
avc:  denied  { execmod } comm=ld-linux.so.2 name=libmythavcodec-0.20.so.0.20.0
scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lib_t:s0 tclass=file

audit2allow gives the following policy rules:

require {
        class file execmod;
        type initrc_t;
        type lib_t;
        type unconfined_t;
        role system_r;
};

allow initrc_t lib_t:file execmod;
allow unconfined_t lib_t:file execmod;
------------------------------------------------------------------------------

Second, mythweb gives the following selinux policy conflicts:

avc:  denied  { name_connect } comm=httpd scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
avc:  denied  { getattr } comm=sh name=hostname
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
avc:  denied  { execute } comm=sh
name=hostname scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
avc:  denied  { read } comm=sh name=hostname
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
avc:  denied  { execute_no_trans } comm=sh name=hostname
scontext=system_u:system_r:httpd_t:s0
tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
avc:  denied  { search } comm=httpd name=/ dev=dm-1 ino=2
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=dir
avc:  denied  { getattr } comm=httpd name=/ dev=dm-1 ino=2
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=dir
avc:  denied  { getattr } comm=httpd dev=dm-1
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file
avc:  denied  { read } comm=httpd dev=dm-1
scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0
tclass=file

Audit2allow suggests the following policy changes:

require {
        class dir { getattr search };
        class file { execute execute_no_trans getattr read };
        class tcp_socket name_connect;
        type file_t;
        type hostname_exec_t;
        type httpd_t;
        type port_t;
        role system_r;
};

allow httpd_t file_t:dir { getattr search };
allow httpd_t file_t:file { getattr read };
allow httpd_t hostname_exec_t:file { execute execute_no_trans getattr read };
allow httpd_t port_t:tcp_socket name_connect;

------------------------------------------------------------------------------

In summary, I am looking for the best way to correct these conflicts that will
be helpful not just to me but to any user of these rather popular applications.
(I know that I can always fix it using audit2allow but I am not sure that is the
best or most user-friendly way).

Please let me know what is the best approach:
1. Fixing the Fedora Core selinux policy?
2. Making changes to the mythtv/mythweb apps themselves?
3. Adding application-specific policy rules to the mythtv/mythweb rpms?
4. Just running audit2allow and adding to my local policy file? (that is what I
am doing now)
5. Nothing -- the applications are real security risks?
6. Other?

Again, I am an selinux newbie (despite having read the HOWTO's :) so I am really
not sure what is the best way to fix such conflicts and I always worry that a
little knowledge here can be dangerous :)

Thanks,
Jeff

Comment 1 Daniel Walsh 2007-01-03 21:34:51 UTC
chcon -t textrel_shlib_t libmythavcodec-0.20.so.0.20.0

Should fix the execmod problems.  Installing setroubleshoot will help diagnose
problems.

The other problem seems to be a badly mislabeled file system.  You have a
file/directory that is not labeled.  This is what file_t indicates.  You can
either label the file system using restorecon or mount it using a -o context=
switch.

Make sure you are up2date on policy also.

Please send me the full path to the execmod libraries.  And attaching the
audit.log would make it easier to diagnose.
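A small triage script that applies the advice in this comment to the denials quoted in the report, added here as an example (it is not part of the bug report or of any Fedora tool): it parses AVC lines, sets aside execmod denials on libraries (candidates for a textrel_shlib_t relabel) and denials against unlabeled file_t objects (candidates for restorecon), and renders only the remaining denials in audit2allow's allow syntax. The sample log lines are constructed from the report's own denials, joined onto single lines.

```python
import re
from collections import defaultdict

# Constructed sample: the denials quoted in the report, each joined onto one
# line as they appear in /var/log/audit/audit.log (hypothetical excerpt).
SAMPLE_AVCS = """\
avc:  denied  { execmod } comm="mythbackend" name="libmythavcodec-0.20.so.0.20.0" scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
avc:  denied  { name_connect } comm=httpd scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:port_t:s0 tclass=tcp_socket
avc:  denied  { getattr } comm=sh name=hostname scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
avc:  denied  { execute } comm=sh name=hostname scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:hostname_exec_t:s0 tclass=file
avc:  denied  { search } comm=httpd name=/ dev=dm-1 ino=2 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:file_t:s0 tclass=dir
"""

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    m = AVC_RE.search(line)
    if not m:
        return None
    f = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    if not {"scontext", "tcontext", "tclass"}.issubset(f):
        return None
    # A context is user:role:type[:mls]; the type is the third field.
    return {"perms": m.group("perms").split(), "tclass": f["tclass"],
            "stype": f["scontext"].split(":")[2], "ttype": f["tcontext"].split(":")[2],
            "name": f.get("name"), "dev": f.get("dev")}

def triage(text):
    """Sort denials into: libraries to relabel, unlabeled objects, allow-rule candidates."""
    relabel, unlabeled, rules = set(), [], defaultdict(set)
    for d in filter(None, map(parse_avc, text.splitlines())):
        if "execmod" in d["perms"] and d["tclass"] == "file":
            # Comment 1: relabel as textrel_shlib_t instead of allowing execmod on lib_t.
            relabel.add(d["name"])
        elif d["ttype"] == "file_t":
            # file_t means the object carries no label at all: restorecon, not a rule.
            unlabeled.append((d["name"], d["dev"]))
        else:
            rules[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    return relabel, unlabeled, rules

def allow_rules(rules):
    # Same layout audit2allow uses: single perm bare, several in braces.
    out = []
    for (stype, ttype, tclass), perms in sorted(rules.items()):
        p = sorted(perms)
        out.append(f"allow {stype} {ttype}:{tclass} "
                   + (p[0] if len(p) == 1 else "{ " + " ".join(p) + " }") + ";")
    return out
```

Feeding the report's real audit.log through triage() instead of SAMPLE_AVCS separates the two relabeling problems from the denials that genuinely need policy.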

Comment 2 Need Real Name 2007-01-14 17:41:25 UTC
Daniel,
Can you clarify whether these problems are best fixed by doing the 'chcon' in
the rpm spec file or by changing the 'base' policy?

Also, the paths to the library are:
/usr/lib/libmythavcodec-0.20.so.0 -> libmythavcodec-0.20.so.0.2
/usr/lib/libmythavcodec-0.20.so.0.20 -> libmythavcodec-0.20.so.0.20.0*
/usr/lib/libmythavcodec-0.20.so.0.20.0*



Comment 3 Daniel Walsh 2007-01-15 15:12:29 UTC
I will change the base policy.  The best place to fix this is to just fix the
library.  The library should not require execmod and is probably compiled
incorrectly or should be coded differently.

Updated base policy will be in selinux-policy-2.4.6-27
http://people.redhat.com/~drepper/selinux-mem.html

Explains what execmod means.

