Bug 237473 - Need to handle vlc (videolan) with selinux
Need to handle vlc (videolan) with selinux
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Ben Levenson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-04-23 09:00 EDT by Nicolas Chauvet (kwizart)
Modified: 2007-11-30 17:12 EST (History)
1 user (show)

See Also:
Fixed In Version: Current
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-08-22 10:14:05 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Nicolas Chauvet (kwizart) 2007-04-23 09:00:22 EDT
Description of problem: from
https://www.redhat.com/archives/fedora-selinux-list/2007-April/msg00018.html

Version-Release number of selected component (if applicable): FC-6 and devel on
x86 only (FC-5 not affected)

I would like to solve the Selinux context issue with vlc x86
It is supposed to do the same purpose as mplayer do with 32bit codecs
dll if there are present on the end-user system.

Can you handle vlc with a selinux-policy ?
Comment 1 Daniel Walsh 2007-05-17 12:49:21 EDT
Fixed in selinux-policy-2.6.4-5
Comment 2 Nicolas Chauvet (kwizart) 2007-06-04 16:27:33 EDT
/usr/lib/mozilla/plugins/libvlcplugin.so 
Need the same context to be applyed... (/usr/lib64 for x86_64 - livna currently
do not build for ppc64 for now...)
Actually it is supposed to be the case for F-7 and FC-6 (FC-5 also but seem
close to end of life...)

Here is the copy of the full log from:
http://bugzilla.livna.org/show_bug.cgi?id=1518
----
This bug is against the released version of FC7 with SELinux enabled
SELinux blocks libvlcplugin.so from being loaded by firefox with the following
message from setrouleshoot
----
Summary
    SELinux is preventing /usr/lib/firefox-2.0.0.4/firefox-bin from loading
    /usr/lib/mozilla/plugins/libvlcplugin.so which requires text relocation.

Detailed Description
    The /usr/lib/firefox-2.0.0.4/firefox-bin application attempted to load
    /usr/lib/mozilla/plugins/libvlcplugin.so which requires text relocation.
    This is a potential security problem. Most libraries do not need this
    permission. Libraries are sometimes coded incorrectly and request this
    permission.  The http://people.redhat.com/drepper/selinux-mem.html web page
    explains how to remove this requirement.  You can configure SELinux
    temporarily to allow /usr/lib/mozilla/plugins/libvlcplugin.so to use
    relocation as a workaround, until the library is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /usr/lib/mozilla/plugins/libvlcplugin.so to run correctly, you
    can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
    /usr/lib/mozilla/plugins/libvlcplugin.so"

    The following command will allow this access:
    chcon -t textrel_shlib_t /usr/lib/mozilla/plugins/libvlcplugin.so

Additional Information        

Source Context                user_u:system_r:unconfined_t
Target Context                system_u:object_r:lib_t
Target Objects                /usr/lib/mozilla/plugins/libvlcplugin.so [ file ]
Affected RPM Packages         firefox-2.0.0.4-1.fc7 [application]mozilla-
                              vlc-0.8.6b-5.lvn7 [target]
Policy RPM                    selinux-policy-2.6.4-8.fc7
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   plugins.allow_execmod
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.21-1.3194.fc7 #1
                              SMP Wed May 23 22:35:01 EDT 2007 i686 i686
Alert Count                   41
First Seen                    Mon 04 Jun 2007 12:34:42 AM CEST
Last Seen                     Mon 04 Jun 2007 10:04:48 PM CEST
Local ID                      b5cb7544-8520-4b9a-90b0-1ee6b838e6ca
Line Numbers                  

Raw Audit Messages            

avc: denied { execmod } for comm="firefox-bin" dev=dm-0 egid=501 euid=501
exe="/usr/lib/firefox-2.0.0.4/firefox-bin" exit=-13 fsgid=501 fsuid=501 gid=501
items=0 name="libvlcplugin.so" path="/usr/lib/mozilla/plugins/libvlcplugin.so"
pid=9056 scontext=user_u:system_r:unconfined_t:s0 sgid=501
subj=user_u:system_r:unconfined_t:s0 suid=501 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=501
Comment 3 Daniel Walsh 2007-06-04 16:32:51 EDT
Is there an RPM package that plcaes this file there?  If not and it was copied,
you will have to take care of the labeling

semanage fcontext -a -t textrel_shlib_t /usr/lib/mozilla/plugins/libvlcplugin.so

Will make it permanent on your machine.  Hopefully this bug has been reported to
the developers of libvlcplugin.so to fix the way they build their shared library.

Comment 4 Nicolas Chauvet (kwizart) 2007-06-04 18:51:01 EDT
yes! this file is from mozilla-vlc package...

I'm in contact with upstream i can report it to them but i will test if it work
recompiled with -fPIC only first...

thx for your advices.
Comment 5 Nicolas Chauvet (kwizart) 2007-06-05 05:23:32 EDT
ok then it was sometimes able to solve this issue but not in this case:
If recompiled with -fPIC, the error still appears...

I've found this doc:
http://people.redhat.com/drepper/selinux-mem.html

Can i provide others doc to upstream about this issue?
Comment 6 Daniel Walsh 2007-06-05 08:21:31 EDT
Yes,
Comment 7 Daniel Walsh 2007-08-22 10:14:05 EDT
Should be fixed in the current release

Note You need to log in before you can comment on or make changes to this bug.