Bug 253591 - /usr/lib/libtheora.so.0.2.0 requires execmod
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: libtheora
Version: rawhide
Hardware: All Linux
Priority: low
Severity: low
Assigned To: Behdad Esfahbod
QA Contact: Fedora Extras Quality Assurance
Keywords: SELinux
Duplicates: 283051
Reported: 2007-08-20 14:41 EDT by Daniel Walsh
Modified: 2008-04-17 06:07 EDT (History)
Doc Type: Bug Fix
Last Closed: 2007-09-14 16:05:16 EDT
Description Daniel Walsh 2007-08-20 14:41:22 EDT
Description of problem:

/usr/lib/libtheora.so.0.2.0 needs execmod privs.  This is usually caused by a
build problem.

generates an avc message from selinux and is denied by default

time->Mon Aug 20 14:36:52 2007
type=SYSCALL msg=audit(1187635012.689:99): arch=40000003 syscall=125 success=no
exit=-13 a0=8f9000 a1=48000 a2=5 a3=bf8b6000 items=0 ppid=4172 pid=4212
auid=3267 uid=3267 gid=3267 euid=3267 suid=3267 fsuid=3267 egid=3267 sgid=3267
fsgid=3267 tty=(none) comm="mixer_applet2" exe="/usr/libexec/mixer_applet2"
subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1187635012.689:99): avc:  denied  { execmod } for  pid=4212
comm="mixer_applet2" path="/usr/lib/libtheora.so.0.2.0" dev=dm-0 ino=10335232
scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file

http://people.redhat.com/~drepper/selinux-mem.html

Explains what execmod is.  I can fix this with selinux policy labeling but it
would be better that you fix the library.
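
The denial above can be pulled out of an audit log mechanically. The following is an added example, not part of the original report: it pairs each AVC execmod denial with the SYSCALL record of the same event and decodes the protection argument, assuming the syscall is mprotect() (number 125 on i386, as in this record). The function and field names are illustrative.

```python
import re
import shlex

# The audit event from the report above, unwrapped to one line per record.
SAMPLE = '''\
type=SYSCALL msg=audit(1187635012.689:99): arch=40000003 syscall=125 success=no exit=-13 a0=8f9000 a1=48000 a2=5 a3=bf8b6000 items=0 ppid=4172 pid=4212 auid=3267 uid=3267 gid=3267 euid=3267 suid=3267 fsuid=3267 egid=3267 sgid=3267 fsgid=3267 tty=(none) comm="mixer_applet2" exe="/usr/libexec/mixer_applet2" subj=system_u:system_r:unconfined_t:s0 key=(null)
type=AVC msg=audit(1187635012.689:99): avc:  denied  { execmod } for  pid=4212 comm="mixer_applet2" path="/usr/lib/libtheora.so.0.2.0" dev=dm-0 ino=10335232 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
'''

HEAD = re.compile(r'type=(\w+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)')
DENIED = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
PROT = {1: 'READ', 2: 'WRITE', 4: 'EXEC'}   # mprotect() protection bits

def fields(body):
    """key=value pairs of one record; shlex removes the quotes around values."""
    return dict(tok.split('=', 1) for tok in shlex.split(body) if '=' in tok)

def execmod_denials(log):
    """One dict per denied execmod, joined with the SYSCALL record of its event."""
    events = {}
    for line in log.splitlines():
        m = HEAD.match(line.strip())
        if m:
            rtype, serial, body = m.groups()
            events.setdefault(serial, {})[rtype] = body
    hits = []
    for serial, recs in events.items():
        perms = DENIED.search(recs.get('AVC', ''))
        if not perms or 'execmod' not in perms.group(1).split():
            continue
        avc, sc = fields(recs['AVC']), fields(recs.get('SYSCALL', ''))
        # a0..a3 are hex syscall arguments; a2 is prot if the call is mprotect()
        prot = int(sc.get('a2', '0'), 16)
        hits.append({
            'event': serial,
            'library': avc.get('path'),
            'exe': sc.get('exe', avc.get('comm')),
            'prot': '|'.join(n for bit, n in PROT.items() if prot & bit),
            'source': avc.get('scontext'),
            'target': avc.get('tcontext'),
        })
    return hits

if __name__ == '__main__':
    for hit in execmod_denials(SAMPLE):
        print(hit)
```

For the record in this report the result names /usr/lib/libtheora.so.0.2.0 as the library and shows the denied call asking for READ|EXEC on a lib_t file.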
Comment 1 Electron 2007-08-26 07:30:44 EDT
Same for me. I confirm ;-)

Sorry Belgian(French) setroubleshoot.

Résumé
    SELinux empêche /usr/libexec/mixer_applet2 de charger
    /usr/lib/libtheora.so.0.2.0 qui exige une réinstallation du texte.

Description détaillée
    L'application /usr/libexec/mixer_applet2 a essayé de charger
    /usr/lib/libtheora.so.0.2.0 qui exige une réinstallation du texte. C'est un
    problème de sécurité potentiel. La plupart des bibliothèques n'ont pas
    besoin de cette permission. Les bibliothèques sont parfois programmées
    incorrectement et demandent cette permission. La page web
    http://people.redhat.com/drepper/selinux-mem.html explique comment retirer
    ces exigences. Vous pouvez configurer temporairement SELinux pour permettre
    à /usr/lib/libtheora.so.0.2.0 d'utiliser la réinstallation comme solution
    de contournement, jusqu'à ce que la bibliothèque soit corrigée. Merci de
    remplir un http://bugzilla.redhat.com/bugzilla/enter_bug.cgi pour ce
    paquetage.

Autoriser l'accès
    If you trust /usr/lib/libtheora.so.0.2.0 to run correctly, you can change
    the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
    /usr/lib/libtheora.so.0.2.0" You must also change the default file context
    files on the system in order to preserve them even on a full relabel.
    "semanage fcontext -a -t textrel_shlib_t /usr/lib/libtheora.so.0.2.0"

    La commande suivante autorisera cet accès :
    chcon -t textrel_shlib_t /usr/lib/libtheora.so.0.2.0

Informations complémentaires 

Contexte source               system_u:system_r:unconfined_t
Contexte cible                system_u:object_r:lib_t
Objets du contexte            /usr/lib/libtheora.so.0.2.0 [ file ]
Paquetages RPM affectés      gnome-applets-2.19.1-7.fc8
                              [application]libtheora-1.0alpha8-0.2.svn13393.fc8
                              [target]
Politique RPM                 selinux-policy-3.0.5-11.fc8
Selinux activé               True
Type de politique             targeted
MLS activé                   True
Mode strict                   Enforcing
Nom du plugin                 plugins.allow_execmod
Nom de l'hôte                ***-***-***-***.***.be
Plateforme                    Linux ***-***-***-***.***.be
                              2.6.23-0.129.rc3.git4.fc8 #1 SMP Wed Aug 22
                              01:58:38 EDT 2007 i686 athlon
Compteur d'alertes            7
First Seen                    dim 19 aoû 2007 22:34:19 CEST
Last Seen                     dim 26 aoû 2007 12:40:51 CEST
Local ID                      ***
Numéros des lignes           

Messages d'audit bruts        

avc: denied { execmod } for comm="mixer_applet2" dev=dm-0 egid=500 euid=500
exe="/usr/libexec/mixer_applet2" exit=-13 fsgid=500 fsuid=500 gid=500 items=0
path="/usr/lib/libtheora.so.0.2.0" pid=2845
scontext=system_u:system_r:unconfined_t:s0 sgid=500
subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=500

Comment 2 Zack Cerza 2007-08-27 10:31:44 EDT
This is also a problem on F7; let me know if you want another bug filed.
Comment 3 Behdad Esfahbod 2007-09-07 17:56:17 EDT
Someone filed Bug 283051 for F7
Comment 4 Behdad Esfahbod 2007-09-07 18:01:46 EDT
This is one of the rare cases not fixable by tweaking build options.  The
relocation comes from hand-written MMX assembly code.  It's out of my knowledge
for now.  If it can be punched in selinux policies, I suggest doing that for now
and report the thing to be fixed upstream.
Comment 5 Behdad Esfahbod 2007-09-07 18:02:21 EDT
*** Bug 283051 has been marked as a duplicate of this bug. ***
Comment 6 Matěj Cepl 2007-09-08 06:02:27 EDT
Just to be sure it doesn't slip under your radar screen, Dave.
Comment 7 Hans de Goede 2007-09-11 03:50:24 EDT
Adding myself to the CC, as I'm afraid I caused this while fixing bug 232179,
Daniel I saw you already fixed / worked around this in selinux-policy-targeted
in rawhide, thanks!

Notice that there also is an update for F-7 in updates-testing:
https://admin.fedoraproject.org/updates/testing/F7/libtheora-1.0alpha8-0.1.svn13393.fc7

Which will without doubt be bitten by the same problem. I think we should
resolve this issue on F-7 too and push the update for F-7 as it's a rather bad
bug, making us look bad esp. because it stops totem and other players from
playing videos from our own website!

The problem is caused by some asm code in the new libtheora (it's only present on
i386 which is why I didn't notice it when preparing the update on my x86_64
machine, I do always run with selinux enabled).

I see 3 solutions for this:
1) Add the selinux exception to an update for F-7
2) disable the asm even on i386 (at least on F-7)
3) Rewrite the asm

3 is not really an option, at least not for me. So unless we find a volunteer for
3, we need to choose between 1 and 2.

I would prefer 1 as that would make the situation in F-7 and devel identical,
and since video decoding can be cpu intensive I think some optimisation is
good. But I can live with 2 too.

Daniel any chance of getting a selinux-policy update for F-7 with the workaround
for this included? If not I'll start working on an F-7 version with the asm disabled.
Comment 8 Hans de Goede 2007-09-11 04:01:12 EDT
Reported upstream:
https://trac.xiph.org/ticket/1237
Comment 9 Ulrich Drepper 2007-09-13 22:00:03 EDT
(In reply to comment #7)
> I see 3 solutions for this:
> 1) Add the selinux exception to an update for F-7
> 2) disable the asm even on i386 (at least on F-7)
> 3) Rewrite the asm

The answer in all these cases should be 2.  The code is simply not safe. 
Punching holes in the policy makes the situation even worse.  We would have a
hard time reverting it even if we think of it.
Comment 10 Hans de Goede 2007-09-14 16:05:16 EDT
Ok, I've looked into this and it turns out that only one set of asm routines is
non-PIC (eu-findtextrel is your friend). I've removed this set (the code now
always uses the C-routines) and things work fine with a normal lib_t selinux
type now.

I've built this for both RawHide and F-7, the F-7 version has been pushed to
testing and the old F-7 updates-testing version has been removed.

Closing with a resolution of rawhide as this bug was never present in F-7 proper.
Comment 11 Bastien Nocera 2007-09-17 05:09:33 EDT
Hans, did you report the bug upstream? There's an execmod bug upstream, but it's
kind of dated. The reports:
https://trac.xiph.org/report/10
The SELinux bug:
https://trac.xiph.org/ticket/928
Comment 12 Hans de Goede 2007-09-17 07:14:33 EDT
Bastien, see comment #8
Comment 13 Fabio Pedretti 2008-04-17 06:07:53 EDT
libtheora 1.0 beta 3 should include a fix for this:
https://trac.xiph.org/ticket/928
