Bug 431900 - selinux prevents installing fluendo codecs from downloaded package
Summary: selinux prevents installing fluendo codecs from downloaded package
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2008-02-07 18:22 UTC by Valent Turkovic
Modified: 2008-03-17 19:35 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-03-17 19:35:58 UTC
Type: ---
Embargoed:


Attachments
selinux_alert_01 (3.66 KB, text/plain), 2008-02-07 18:25 UTC, Valent Turkovic
selinux_alert_02 (3.98 KB, text/plain), 2008-02-07 18:25 UTC, Valent Turkovic
selinux_alert_03 (4.04 KB, text/plain), 2008-02-07 18:26 UTC, Valent Turkovic
selinux_alert_04 (4.04 KB, text/plain), 2008-02-07 18:26 UTC, Valent Turkovic
selinux_alert_05 (3.53 KB, text/plain), 2008-02-07 18:33 UTC, Valent Turkovic
selinux_alert_06 (3.41 KB, text/plain), 2008-02-07 18:38 UTC, Valent Turkovic
selinux_alert_07 (3.47 KB, text/plain), 2008-02-07 18:38 UTC, Valent Turkovic
selinux_alert_08 (3.43 KB, text/plain), 2008-02-07 18:38 UTC, Valent Turkovic
selinux_alert_09 (2.52 KB, text/plain), 2008-02-07 18:42 UTC, Valent Turkovic

Description Valent Turkovic 2008-02-07 18:22:20 UTC
Description of problem:
I tried to install fluendo codecs with codeina and selinux stopped it from
installing.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. buy (or get for review) fluendo codec pack, save it on desktop
2. start codeina - choose from file menu "install downloaded plugin archive"
3. look at selinux-troubleshooter go wild :)
4. profit :)
 
Actual results:


Expected results:


Additional info:

Comment 1 Valent Turkovic 2008-02-07 18:24:25 UTC
after I got alert-01 (look at the attachment) I issued this:

chcon -t unconfined_execmem_exec_t '/usr/bin/gst-inspect-0.10'

that got the ball rolling and then I got alerts 02-04 (look at the attachments)

Comment 2 Valent Turkovic 2008-02-07 18:25:30 UTC
Created attachment 294248
selinux_alert_01

Comment 3 Valent Turkovic 2008-02-07 18:25:57 UTC
Created attachment 294249
selinux_alert_02

Comment 4 Valent Turkovic 2008-02-07 18:26:24 UTC
Created attachment 294250
selinux_alert_03

Comment 5 Valent Turkovic 2008-02-07 18:26:48 UTC
Created attachment 294251
selinux_alert_04

Comment 6 Valent Turkovic 2008-02-07 18:32:44 UTC
after manually installing codecs in ~/.gstreamer-0.10/plugins I still see a lot
of selinux AVC messages (alert_05)

Comment 7 Valent Turkovic 2008-02-07 18:33:15 UTC
Created attachment 294252
selinux_alert_05

Comment 8 Valent Turkovic 2008-02-07 18:35:47 UTC
after setting:
chcon -t unconfined_execmem_exec_t '/usr/bin/totem'

I still can't play video files and got 3 new selinux alerts (alerts 06-08)

Comment 9 Valent Turkovic 2008-02-07 18:38:04 UTC
Created attachment 294253
selinux_alert_06

Comment 10 Valent Turkovic 2008-02-07 18:38:26 UTC
Created attachment 294254
selinux_alert_07

Comment 11 Valent Turkovic 2008-02-07 18:38:49 UTC
Created attachment 294255
selinux_alert_08

Comment 12 Valent Turkovic 2008-02-07 18:41:13 UTC
after doing this:
chcon -t textrel_shlib_t '/home/fedora/.gstreamer-0.10/plugins/'

I got alert_09

Comment 13 Valent Turkovic 2008-02-07 18:42:08 UTC
Created attachment 294257
selinux_alert_09

Comment 14 Daniel Walsh 2008-02-07 20:16:28 UTC
fluendo has built their libraries with Intel compiler which does not properly
set up the shared library to handle executable memory.  It causes execmod to
happen.  If you choose to install these files you either need to change the
allow_exec* booleans or label the files on disk correctly.  I will turn on these
booleans when we release, but during rawhide they are off so we can know where
the bad applications and libraries are.

The final alert looks like a mislabeled file in /var/spool

restorecon -R -v /var/spool 

should fix.
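
The triage described in comment 14 (an exec* denial is handled either with an allow_exec* boolean or with a corrected file label), as an added example that is not part of the bug thread or of selinux-policy. The AVC lines and the library name libexample-codec.so are constructed, and the boolean names expand the comment's allow_exec* pattern to allow_<permission>.

```shell
#!/bin/sh
# Added example: sort SELinux AVC denials into the two remedies named in
# comment 14 (allow_exec* boolean, or a corrected label on the file).

# Constructed sample audit lines; not taken from the bug's attachments.
sample_avc_log() {
cat <<'EOF'
type=AVC msg=audit(1202408600.101:45): avc:  denied  { execmod } for  pid=3012 comm="totem" path="/home/fedora/.gstreamer-0.10/plugins/libexample-codec.so" dev=dm-0 ino=1001 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1202408600.202:46): avc:  denied  { execmem } for  pid=3012 comm="totem" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1202408600.303:47): avc:  denied  { read } for  pid=3050 comm="lpd" path="/var/spool/example" dev=dm-0 ino=1002 scontext=system_u:system_r:lpd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file
EOF
}

# Reads audit lines on stdin and prints one "permission|target|remedy" line
# per denial. The target is the denied path, or comm=<process> if no path.
triage_avc() {
    awk '
    /avc: +denied/ {
        perm = ""; target = ""
        # Permission list sits between "{ " and " }".
        if (match($0, /[{] [a-z_ ]+ [}]/)) {
            perm = substr($0, RSTART + 2, RLENGTH - 4)
        }
        if (match($0, / path="[^"]*"/)) {
            target = substr($0, RSTART + 7, RLENGTH - 8)
        } else if (match($0, / comm="[^"]*"/)) {
            target = "comm=" substr($0, RSTART + 7, RLENGTH - 8)
        }
        if (perm == "execmod" && $0 ~ /tclass=file/) {
            # Text relocation in a shared library: fixable per file.
            fix = "label textrel_shlib_t or boolean allow_execmod"
        } else if (perm ~ /^exec(mem|stack|heap)$/) {
            # Process-level permission: no file to relabel.
            fix = "boolean allow_" perm
        } else {
            fix = "not an exec* denial; check the file label"
        }
        print perm "|" target "|" fix
    }'
}

sample_avc_log | triage_avc
```

On a live system the input would come from the audit log instead of sample_avc_log.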



