Bug 472712 - SeLinux blocks channel changing in Kaffeine DVB-T viewer
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 9
Hardware: i386 Linux
Priority: medium Severity: urgent
Assigned To: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-11-23 19:05 EST by Tom
Modified: 2009-06-10 07:06 EDT
Doc Type: Bug Fix
Last Closed: 2009-06-10 07:06:44 EDT


Description Tom 2008-11-23 19:05:29 EST
Description of problem: as soon as I open the dvbt in kaffeine selinux kicks in and blocks channel changing

Version-Release number of selected component (if applicable): Kaffeine dvb-t

How reproducible: open kaffeine

Steps to Reproduce: see above

Actual results:

Expected results:

Additional info:
Summary:

SELinux is preventing kaffeine (unconfined_t) "execmod" access to
/usr/lib/sse2/libpostproc.so.51.2.0 (lib_t).

Detailed Description:

SELinux denied the access requested by kaffeine. Since it is not expected that
this access is required by kaffeine, this may signal an intrusion attempt. It
is also possible that this specific version or configuration of the
application is causing the additional access.

Allowing Access:

Sometimes labeling problems cause SELinux denials. You can try to restore the
default system file context for /usr/lib/sse2/libpostproc.so.51.2.0.

restorecon -v '/usr/lib/sse2/libpostproc.so.51.2.0'

There is currently no automatic way to allow this access. Alternatively, you
can create a local policy module to grant this access - take a look at the FAQ
(http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385) - or you can
disable SELinux protection for this application completely. This is not
recommended, however! Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/sse2/libpostproc.so.51.2.0 [ file ]
Source                        kaffeine
Source Path                   /usr/bin/kaffeine
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           kaffeine-0.8.7-2.fc10
Target RPM Packages           ffmpeg-libs-0.4.9-0.52.20080908.fc10
Policy RPM                    selinux-policy-3.5.13-18.fc10
SELinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   catchall_file
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.27.5-117.fc10.i686 #1 SMP Tue Nov 18 12:19:59 EST 2008 i686 i686
Alert Count                   2
First Seen                    Mon 24 Nov 2008 00:46:51 CET
Last Seen                     Mon 24 Nov 2008 00:46:51 CET
Local ID                      4b8288bf-2532-4825-b4cc-0f7713e8a762
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1227484011.415:47): avc:  denied  { execmod } for  pid=28761 comm="kaffeine" path="/usr/lib/sse2/libpostproc.so.51.2.0" dev=dm-0 ino=3186707 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1227484011.415:47): arch=40000003 syscall=125 success=no exit=-13 a0=3c7f000 a1=9000 a2=5 a3=bffb55a0 items=0 ppid=1 pid=28761 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="kaffeine" exe="/usr/bin/kaffeine" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Comment 1 Miroslav Grepl 2008-11-24 08:22:27 EST
Try to change the context of the file to textrel_shlib_t:

chcon -t textrel_shlib_t /usr/lib/sse2/libpostproc.so.51.2.0
Comment 2 Daniel Walsh 2008-11-24 09:04:16 EST
Fixed in selinux-policy-3.3.1-112.fc9.noarch
Comment 3 Tom 2008-11-24 09:20:40 EST
First of all: it is very difficult for a newbie to find out the way to post a bug here, because clicking on new, nothing happens....
Second: the bug I posted appeared also after an update to fc10.
I only got rid of it by allowing almost all of the filters, not knowing which one finally did it. Posting code without explanation does not help much... where do you insert it and how? Not everybody in the community is an expert in programming and Linux. If you guys want the Linux community to grow, then always consider the newcomers...
I consider it as solved, as my allowing almost all in the selinux settings did the job.
Comment 4 Daniel Walsh 2008-11-24 09:49:16 EST
I believe you turned on the allow_execmod boolean?  The suggested fix was to label the file with the context textrel_shlib_t.  The problem here is that the people who are packaging up /usr/lib/sse2/libpostproc.so.51.2.0 have built it with incorrect flags, so it is causing SELinux to complain.  If you label the file with textrel_shlib_t, SELinux will realize the file is built incorrectly and will no longer complain.  I have changed selinux-policy in selinux-policy-3.3.1-112.fc9.noarch to set this label automatically to prevent this error from happening to others.
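Added example (not part of the bug report or of any Fedora tooling): Python that joins the AVC and SYSCALL records from the description by audit event ID and decodes them. It shows the denial came from an mprotect() call asking for PROT_READ|PROT_EXEC on a lib_t file, which is what a shared library built with text relocations triggers. The records are copied from the description with unused fields omitted; the syscall table holds only the one i386 entry needed here, and the function names are illustrative.

```python
import re

# Audit records from the bug description; fields not used below are omitted.
RECORDS = [
    'type=AVC msg=audit(1227484011.415:47): avc:  denied  { execmod } for  pid=28761 '
    'comm="kaffeine" path="/usr/lib/sse2/libpostproc.so.51.2.0" dev=dm-0 ino=3186707 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=file',
    'type=SYSCALL msg=audit(1227484011.415:47): arch=40000003 syscall=125 success=no '
    'exit=-13 a0=3c7f000 a1=9000 a2=5 a3=bffb55a0 pid=28761 comm="kaffeine" '
    'exe="/usr/bin/kaffeine"',
]

PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
# Minimal lookup: on i386 (AUDIT_ARCH_I386 = 0x40000003) syscall 125 is mprotect.
SYSCALLS = {("40000003", "125"): "mprotect"}

def fields(record):
    """Return key=value pairs of one audit record, plus event id and AVC permissions."""
    out = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', record))
    out = {k: v.strip('"') for k, v in out.items()}
    out["event"] = re.search(r"audit\(([\d.]+:\d+)\)", record).group(1)
    perms = re.search(r"\{([^}]*)\}", record)
    out["perms"] = perms.group(1).split() if perms else []
    return out

def triage(records):
    """Join AVC and SYSCALL records sharing an event id and decode execmod denials."""
    events = {}
    for rec in map(fields, records):
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    findings = []
    for event, parts in events.items():
        avc, sc = parts.get("AVC"), parts.get("SYSCALL")
        if not avc or not sc or "execmod" not in avc["perms"]:
            continue
        prot = int(sc["a2"], 16)  # audit prints syscall arguments in hex
        findings.append({
            "event": event,
            "syscall": SYSCALLS.get((sc["arch"], sc["syscall"]), "unknown"),
            "prot": [name for bit, name in PROT.items() if prot & bit],
            "path": avc["path"],
            "target_type": avc["tcontext"].split(":")[2],
            "errno": -int(sc["exit"]),  # 13 is EACCES
        })
    return findings

if __name__ == "__main__":
    print(triage(RECORDS))
```

A finding with syscall mprotect, PROT_EXEC set and target type lib_t points at the library's build or label, the case the textrel_shlib_t label in Comments 1 and 4 addresses, rather than at a policy boolean.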
Comment 5 Bug Zapper 2009-06-09 23:21:05 EDT
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
