The mp3 plugin, at least, requires execmem and so when it's untarred, it doesn't have a reasonable context and thus SELinux denies it. Which makes things not work.
Already reported upstream: https://core.fluendo.com/gstreamer/trac/ticket/24 If this isn't fixed by then, we'll probably have to pull out codeina from the default install.
There's a hack in codeina to avoid this problem though:

    if which.which('chcon') and 'i386' in basename and 'mp3' in name:
        log.debug('install', "modifying mp3 plug-in's secontext")
        status = os.system('chcon --type=textrel_shlib_t %s' %
            plugin_tmp_path)
        if status:
            log.warning('install',
                'Failed to change secontext, status %r' %
                status)

Could you try and reproduce and let me know whether there's any output in the logs?
They get labeled as textrel_shlib_t, but that doesn't allow execmem. And iirc, some of the non-mp3 ones required execmem or execstack also.
avc: denied { execstack } for comm=gst-inspect-0.1 egid=500 euid=500 exe=/usr/bin/gst-inspect-0.10 exit=0 fsgid=500 fsuid=500 gid=500 items=0 pid=3631 scontext=system_u:system_r:unconfined_t:s0 sgid=500 subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process tcontext=system_u:system_r:unconfined_t:s0 tty=(none) uid=500
The error message I get is:

Summary
SELinux is preventing /usr/bin/gst-inspect-0.10 from loading /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so which requires text relocation.

Detailed Description
The /usr/bin/gst-inspect-0.10 application attempted to load /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. You can configure SELinux temporarily to allow /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so to use relocation as a workaround, until the library is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
If you trust /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so"

The following command will allow this access:
chcon -t textrel_shlib_t /home/hadess/.gstreamer-0.10/plugins/libgstflump3dec.so

So textrel_shlib_t is right.
Dan, which commands should Thomas use to regenerate/extract the tarballs so that they contain the SELinux context?
There are three ways to fix this problem. The most desirable is to fix the codec to not require execmem/execstack.

http://people.redhat.com/~drepper/selinux-mem.html

This is something we want in order to improve the security of the system.

A second alternative is to hunt down all the apps that will use this codec and set them up unconfined_execmem_exec_t

semanage fcontext -a -t unconfined_execmem_exec_t PATHTOEXEC
restorecon PATHTOEXEC

This would make any app that is labeled this way no longer protected from execmem/execstack attack.

Third, you can turn off the execmem/execstack for the unconfined_t domain

setsebool -P allow_execmem 0

This would make most apps run by a user no longer protected by execmem/execstack checks.
(In reply to comment #7)
> There are three ways to fix this problem. The most desirable is to fix the
> codec to not require execmem/execstack.
>
> http://people.redhat.com/~drepper/selinux-mem.html
>
> This is something we want in order to improve the security of the system.

Unfortunately, that's waiting on Intel to fix their proprietary library.

> A second alternative is to hunt down all the apps that will use this codec and
> set them up unconfined_execmem_exec_t
>
> semanage fcontext -a -t unconfined_execmem_exec_t PATHTOEXEC
> restorecon PATHTOEXEC
>
> This would make any app that is labeled this way, no longer protected from
> execmem/execstack attack

That's not possible. It's a plugin that could be used by any GStreamer application, so we can't hunt down apps that would require it.

> Third you can turn off the execmem/execstack for the unconfined_t domain
>
> setsebool -P allow_execmem 0
>
> This would make most apps run by a user, no longer protected by
> execmem/execstack checks.

That's also not a good idea, as it would need to be done manually by users.

Any way to save/restore SELinux attributes on files inside a tarball then, as I asked first?
SELinux can mark a library as requiring execmod, but not execmem/execstack. For those it needs to mark the executable. So if we cannot mark a particular executable, we need to push back on codeina to fix the library or build it with gcc.
Jeremy, I can't reproduce this bug anymore (just like I couldn't in the first place, given the work-around was already there). Let me know how to reproduce, including which SELinux policy you're using.
Check the output of 'getsebool -a' and look at the allow_execmem and allow_execstack booleans. If they're on, then you've made it so that they're allowed and the codec will work. But if the booleans are off, then the access will be denied.
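The distinction drawn in the comments above (execmod is decided by the label on the .so, execmem/execstack by the calling process and the allow_execmem/allow_execstack booleans) can be turned into a small triage script. This is an added example, not code from the bug thread or from codeina; the AVC records and getsebool output it works on are constructed samples modelled on the denial quoted earlier in this thread.

```shell
#!/bin/sh
# Added example, not code from the bug thread or from codeina: triage an
# AVC denial the way the discussion above does. execmod is checked on the
# file, so labelling the .so textrel_shlib_t covers it; execmem and
# execstack are checked on the process, so the library's label cannot
# grant them and only the executable's domain or the allow_execmem /
# allow_execstack booleans (getsebool -a) decide.

# avc_perm LINE -> permission inside "denied { ... }"
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied { \([a-z_]*\) }.*/\1/p'
}

# avc_field LINE KEY -> value of the KEY=value pair in the record
avc_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# bool_value GETSEBOOL_OUTPUT NAME -> on|off, from "NAME --> on" lines
bool_value() {
    printf '%s\n' "$1" | sed -n "s/^$2 --> //p"
}

# triage LINE GETSEBOOL_OUTPUT -> file-label | process-allowed | process-denied | unknown
triage() {
    perm=$(avc_perm "$1")
    case "$perm" in
        execmod) echo "file-label" ;;        # relabel path=... to textrel_shlib_t
            execmem|execstack)
            if [ "$(bool_value "$2" "allow_$perm")" = "on" ]; then
                echo "process-allowed"       # boolean already grants it
            else
                echo "process-denied"        # fix the codec or relabel exe=...
            fi ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample input (modelled on the AVC record quoted in this thread).
AVC_EXECSTACK='avc: denied { execstack } for comm=gst-inspect-0.1 exe=/usr/bin/gst-inspect-0.10 pid=3631 scontext=system_u:system_r:unconfined_t:s0 tclass=process tcontext=system_u:system_r:unconfined_t:s0 uid=500'
AVC_EXECMOD='avc: denied { execmod } for comm=totem path=/home/user/.gstreamer-0.10/plugins/libgstflump3dec.so scontext=system_u:system_r:unconfined_t:s0 tclass=file tcontext=user_u:object_r:user_home_t:s0'
GETSEBOOL='allow_execmem --> off
allow_execstack --> off
allow_execmod --> off'

printf '%s: %s (%s)\n' execstack "$(triage "$AVC_EXECSTACK" "$GETSEBOOL")" "$(avc_field "$AVC_EXECSTACK" exe)"
printf '%s: %s (%s)\n' execmod "$(triage "$AVC_EXECMOD" "$GETSEBOOL")" "$(avc_field "$AVC_EXECMOD" path)"
```

On a real box, feed it lines from /var/log/audit/audit.log and the output of getsebool -a instead of the constructed samples.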
I just did a setsebool allow_execmem 0; setsebool allow_execstack 0 and totem still played my test mp3.
It works for me as well. Jeremy, please attach the output of "ls -lZ ~/.gstreamer-0.10/plugins" and the avc error you get when reproducing the problem.
Works with rawhide live image of today.