Bug 505164 - SELinux is preventing midori from loading /usr/lib/midori/libcolorful-tabs.so which requires text relocation
SELinux is preventing midori from loading /usr/lib/midori/libcolorful-tabs.so...
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
11
All Linux
low Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-06-10 16:40 EDT by Sam Tygier
Modified: 2009-11-18 08:09 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-11-18 08:09:55 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Sam Tygier 2009-06-10 16:40:07 EDT
Summary:

SELinux is preventing midori from loading /usr/lib/midori/libcolorful-tabs.so
which requires text relocation.

Detailed Description:

The midori application attempted to load /usr/lib/midori/libcolorful-tabs.so
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/midori/libcolorful-tabs.so to use relocation as a workaround, until the
library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib/midori/libcolorful-tabs.so to run correctly, you can
change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/midori/libcolorful-tabs.so'" You must also change the default file
context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t textrel_shlib_t '/usr/lib/midori/libcolorful-tabs.so'"

Fix Command:

chcon -t textrel_shlib_t '/usr/lib/midori/libcolorful-tabs.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/midori/libcolorful-tabs.so [ file ]
Source                        midori
Source Path                   /usr/bin/midori
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           midori-0.1.5-1.fc11
Target RPM Packages           midori-0.1.5-1.fc11
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain 2.6.29.4-167.fc11.i586
                              #1 SMP Wed May 27 17:14:37 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Wed 10 Jun 2009 09:35:58 PM BST
Last Seen                     Wed 10 Jun 2009 09:35:58 PM BST
Local ID                      69411c02-b573-4fe0-bd7e-d64b5adbc4bf
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1244666158.223:62): avc:  denied  { execmod } for  pid=11878 comm="midori" path="/usr/lib/midori/libcolorful-tabs.so" dev=sda7 ino=75991 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1244666158.223:62): arch=40000003 syscall=125 success=no exit=-13 a0=4a3000 a1=a000 a2=5 a3=bfc08c70 items=0 ppid=1 pid=11878 auid=501 uid=501 gid=502 euid=501 suid=501 fsuid=501 egid=502 sgid=502 fsgid=502 tty=(none) ses=1 comm="midori" exe="/usr/bin/midori" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Comment 1 Sam Tygier 2009-06-10 16:43:30 EDT
i get the same error about
/usr/lib/midori/libmouse-gestures.so
/usr/lib/midori/libtab-panel.so
/usr/lib/midori/libstatusbar-features.so
/usr/lib/midori/libpage-holder.so
Comment 2 Daniel Walsh 2009-06-11 11:45:45 EDT
Please report this as a bug to the midori people to build their shared libraries with -PIC flag.  Badly built libraries can cause the access.

Include this link

http://people.redhat.com/drepper/selinux-mem.html

chcon -t textrel_shlib_t '/usr/lib/midori/*so*'

Should fix the labels for now and allow this to work.

I will update selinux policy to add this label.
Comment 3 Daniel Walsh 2009-06-11 11:49:40 EDT
Fixed in selinux-policy-3.6.12-49.fc11

Note You need to log in before you can comment on or make changes to this bug.