Bug 431900 - selinux prevents installing fluendo codecs from downloaded package
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-02-07 13:22 EST by Valent Turkovic
Modified: 2008-03-17 15:35 EDT

Doc Type: Bug Fix
Last Closed: 2008-03-17 15:35:58 EDT
Attachments
selinux_alert_01 (3.66 KB, text/plain), 2008-02-07 13:25 EST, Valent Turkovic
selinux_alert_02 (3.98 KB, text/plain), 2008-02-07 13:25 EST, Valent Turkovic
selinux_alert_03 (4.04 KB, text/plain), 2008-02-07 13:26 EST, Valent Turkovic
selinux_alert_04 (4.04 KB, text/plain), 2008-02-07 13:26 EST, Valent Turkovic
selinux_alert_05 (3.53 KB, text/plain), 2008-02-07 13:33 EST, Valent Turkovic
selinux_alert_06 (3.41 KB, text/plain), 2008-02-07 13:38 EST, Valent Turkovic
selinux_alert_07 (3.47 KB, text/plain), 2008-02-07 13:38 EST, Valent Turkovic
selinux_alert_08 (3.43 KB, text/plain), 2008-02-07 13:38 EST, Valent Turkovic
selinux_alert_09 (2.52 KB, text/plain), 2008-02-07 13:42 EST, Valent Turkovic

Description Valent Turkovic 2008-02-07 13:22:20 EST
Description of problem:
I tried to install fluendo codecs with codeina and selinux stopped it from
installing.

Version-Release number of selected component (if applicable):


How reproducible:
every time

Steps to Reproduce:
1. buy (or get for review) fluendo codec pack, save it on desktop
2. start codeina - choose from file menu "install downloaded plugin archive"
3. look at selinux-troubleshooter go wild :)
4. profit :)
 
Actual results:


Expected results:


Additional info:
Comment 1 Valent Turkovic 2008-02-07 13:24:25 EST
after I got alert-01 (look at the attachment) I issued this:

chcon -t unconfined_execmem_exec_t '/usr/bin/gst-inspect-0.10'

that got the ball rolling and then I got alerts 02-04 (look at the attachments)
Comment 2 Valent Turkovic 2008-02-07 13:25:30 EST
Created attachment 294248 [details]
selinux_alert_01
Comment 3 Valent Turkovic 2008-02-07 13:25:57 EST
Created attachment 294249 [details]
selinux_alert_02
Comment 4 Valent Turkovic 2008-02-07 13:26:24 EST
Created attachment 294250 [details]
selinux_alert_03
Comment 5 Valent Turkovic 2008-02-07 13:26:48 EST
Created attachment 294251 [details]
selinux_alert_04
Comment 6 Valent Turkovic 2008-02-07 13:32:44 EST
after manually installing codecs in ~/.gstreamer-0.10/plugins I still see a lot
of selinux AVC messages (alert_05)
Comment 7 Valent Turkovic 2008-02-07 13:33:15 EST
Created attachment 294252 [details]
selinux_alert_05
Comment 8 Valent Turkovic 2008-02-07 13:35:47 EST
after setting:
chcon -t unconfined_execmem_exec_t '/usr/bin/totem'

I still can't play video files and got 3 new selinux alerts (alerts 06-08)
Comment 9 Valent Turkovic 2008-02-07 13:38:04 EST
Created attachment 294253 [details]
selinux_alert_06
Comment 10 Valent Turkovic 2008-02-07 13:38:26 EST
Created attachment 294254 [details]
selinux_alert_07
Comment 11 Valent Turkovic 2008-02-07 13:38:49 EST
Created attachment 294255 [details]
selinux_alert_08
Comment 12 Valent Turkovic 2008-02-07 13:41:13 EST
after doing this:
chcon -t textrel_shlib_t '/home/fedora/.gstreamer-0.10/plugins/'

I got alert_09
Comment 13 Valent Turkovic 2008-02-07 13:42:08 EST
Created attachment 294257 [details]
selinux_alert_09
Comment 14 Daniel Walsh 2008-02-07 15:16:28 EST
fluendo has built their libraries with the Intel compiler, which does not properly
set up the shared library to handle executable memory.  It causes execmod to
happen.  If you choose to install these files you either need to change the
allow_exec* booleans or label the files on disk correctly.  I will turn on these
booleans when we release, but during rawhide they are off so we can know where
the bad applications and libraries are.

The final alert looks like a mislabeled file in /var/spool

restorecon -R -v /var/spool 

should fix.
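
An added example (not part of the bug report or of selinux-policy): a small parser that tallies execmod/execmem/execstack/execheap denials from audit log lines, so the choice between relabeling specific files and changing an allow_exec* boolean, as described in comment 14, can be made per program and per file. The log lines, the file name libplaceholder.so, the individual boolean names in the mapping and all function names are assumptions made for illustration.

```python
import re
from collections import Counter

# exec* permission -> the allow_exec* boolean that governs it (names assumed
# from Fedora policy of this period; other releases may name them differently).
EXEC_PERMS = {"execmod": "allow_execmod", "execmem": "allow_execmem",
              "execstack": "allow_execstack", "execheap": "allow_execheap"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (permissions, fields) for an AVC denial line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group(2))}
    return m.group(1).split(), fields

def summarize(lines):
    """Count exec* denials per (permission, command, object, object label)."""
    counts = Counter()
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # not an AVC denial (e.g. a SYSCALL record)
        perms, f = parsed
        for perm in perms:
            if perm in EXEC_PERMS:
                # execmod names a file; the other three target the process itself
                obj = f.get("path", "(process)")
                counts[(perm, f.get("comm", "?"), obj, f.get("tcontext", "?"))] += 1
    return counts

def report(counts):
    """One line per distinct denial, with the boolean that would allow it."""
    return [f"{n}x {p} comm={c} object={o} label={t} boolean={EXEC_PERMS[p]}"
            for (p, c, o, t), n in sorted(counts.items())]

# Constructed sample lines in audit.log style; not taken from the attachments.
SAMPLE = [
    'type=AVC msg=audit(1202408700.101:61): avc:  denied  { execmod } for  pid=3001 comm="gst-inspect-0.1" path="/home/fedora/.gstreamer-0.10/plugins/libplaceholder.so" dev=dm-0 ino=1001 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1202408701.202:62): avc:  denied  { execmod } for  pid=3002 comm="gst-inspect-0.1" path="/home/fedora/.gstreamer-0.10/plugins/libplaceholder.so" dev=dm-0 ino=1001 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file',
    'type=AVC msg=audit(1202408702.303:63): avc:  denied  { execmem } for  pid=3050 comm="totem" scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0 tclass=process',
    'type=AVC msg=audit(1202408703.404:64): avc:  denied  { getattr } for  pid=3100 comm="example" path="/tmp/placeholder" dev=dm-0 ino=1003 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=unconfined_u:object_r:tmp_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1202408703.404:64): arch=40000003 syscall=195 success=no exit=-13 comm="example"',
]
if __name__ == "__main__":
    print("\n".join(report(summarize(SAMPLE))))
```

Denials that name a file are candidates for a per-file label fix; denials against the process itself can only be allowed through the program's domain or the matching boolean.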

