Bug 237473 - Need to handle vlc (videolan) with selinux
Summary: Need to handle vlc (videolan) with selinux
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2007-04-23 13:00 UTC by Nicolas Chauvet (kwizart)
Modified: 2007-11-30 22:12 UTC (History)
1 user (show)

Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-22 14:14:05 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description Nicolas Chauvet (kwizart) 2007-04-23 13:00:22 UTC
Description of problem: from

Version-Release number of selected component (if applicable): FC-6 and devel on
x86 only (FC-5 not affected)

I would like to solve the Selinux context issue with vlc x86
It is supposed to do the same purpose as mplayer do with 32bit codecs
dll if there are present on the end-user system.

Can you handle vlc with a selinux-policy ?

Comment 1 Daniel Walsh 2007-05-17 16:49:21 UTC
Fixed in selinux-policy-2.6.4-5

Comment 2 Nicolas Chauvet (kwizart) 2007-06-04 20:27:33 UTC
Need the same context to be applyed... (/usr/lib64 for x86_64 - livna currently
do not build for ppc64 for now...)
Actually it is supposed to be the case for F-7 and FC-6 (FC-5 also but seem
close to end of life...)

Here is the copy of the full log from:
This bug is against the released version of FC7 with SELinux enabled
SELinux blocks libvlcplugin.so from being loaded by firefox with the following
message from setrouleshoot
    SELinux is preventing /usr/lib/firefox- from loading
    /usr/lib/mozilla/plugins/libvlcplugin.so which requires text relocation.

Detailed Description
    The /usr/lib/firefox- application attempted to load
    /usr/lib/mozilla/plugins/libvlcplugin.so which requires text relocation.
    This is a potential security problem. Most libraries do not need this
    permission. Libraries are sometimes coded incorrectly and request this
    permission.  The http://people.redhat.com/drepper/selinux-mem.html web page
    explains how to remove this requirement.  You can configure SELinux
    temporarily to allow /usr/lib/mozilla/plugins/libvlcplugin.so to use
    relocation as a workaround, until the library is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /usr/lib/mozilla/plugins/libvlcplugin.so to run correctly, you
    can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t

    The following command will allow this access:
    chcon -t textrel_shlib_t /usr/lib/mozilla/plugins/libvlcplugin.so

Additional Information        

Source Context                user_u:system_r:unconfined_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib/mozilla/plugins/libvlcplugin.so [ file ]
Affected RPM Packages         firefox- [application]mozilla-
                              vlc-0.8.6b-5.lvn7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execmod
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3194.fc7 #1
                              SMP Wed May 23 22:35:01 EDT 2007 i686 i686
Alert Count                   41
First Seen                    Mon 04 Jun 2007 12:34:42 AM CEST
Last Seen                     Mon 04 Jun 2007 10:04:48 PM CEST
Local ID                      b5cb7544-8520-4b9a-90b0-1ee6b838e6ca
Line Numbers                  

Raw Audit Messages            

avc: denied { execmod } for comm="firefox-bin" dev=dm-0 egid=501 euid=501
exe="/usr/lib/firefox-" exit=-13 fsgid=501 fsuid=501 gid=501
items=0 name="libvlcplugin.so" path="/usr/lib/mozilla/plugins/libvlcplugin.so"
pid=9056 scontext=user_u:system_r:unconfined_t:s0 sgid=501
subj=user_u:system_r:unconfined_t:s0 suid=501 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=501

Comment 3 Daniel Walsh 2007-06-04 20:32:51 UTC
Is there an RPM package that plcaes this file there?  If not and it was copied,
you will have to take care of the labeling

semanage fcontext -a -t textrel_shlib_t /usr/lib/mozilla/plugins/libvlcplugin.so

Will make it permanent on your machine.  Hopefully this bug has been reported to
the developers of libvlcplugin.so to fix the way they build their shared library.

Comment 4 Nicolas Chauvet (kwizart) 2007-06-04 22:51:01 UTC
yes! this file is from mozilla-vlc package...

I'm in contact with upstream i can report it to them but i will test if it work
recompiled with -fPIC only first...

thx for your advices.

Comment 5 Nicolas Chauvet (kwizart) 2007-06-05 09:23:32 UTC
ok then it was sometimes able to solve this issue but not in this case:
If recompiled with -fPIC, the error still appears...

I've found this doc:

Can i provide others doc to upstream about this issue?

Comment 6 Daniel Walsh 2007-06-05 12:21:31 UTC

Comment 7 Daniel Walsh 2007-08-22 14:14:05 UTC
Should be fixed in the current release

Note You need to log in before you can comment on or make changes to this bug.