Bug 520226 - Quake Live causes issues for selinux
Summary: Quake Live causes issues for selinux
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 11
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL: http://http://www.quakelive.com/
Whiteboard:
Depends On:
Blocks:
Reported: 2009-08-29 10:00 UTC by Jonathan Pritchard
Modified: 2009-08-31 13:05 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-08-31 13:05:19 UTC
Type: ---
Embargoed:



Description Jonathan Pritchard 2009-08-29 10:00:55 UTC
Description of problem:

Recently Quake Live, which is a browser-based, free and online version of Quake 3, was updated with Linux support.

I tried it out with Firefox and it causes setroubleshooter to throw many hundreds of the same issue at me.


Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-80.fc11.noarch
selinux-policy-3.6.12-80.fc11.noarch


How reproducible:
Every time, just log-in to quakelive.com and it'll occur every time.


Steps to Reproduce:
1. Go to quakelive.com
2. Install the game launcher in Firefox (happens automatically, just confirm)
3. Revisit quakelive.com and attempt to play.

Full error message from setroubleshoot as follows (currently tallied at 529 occurrences):


Summary:

SELinux is preventing firefox from loading
/home/Jon/.quakelive/quakelive/home/pb/pbcl.so which requires text relocation.

Detailed Description:

The firefox application attempted to load
/home/Jon/.quakelive/quakelive/home/pb/pbcl.so which requires text relocation.
This is a potential security problem. Most libraries do not need this
permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/home/Jon/.quakelive/quakelive/home/pb/pbcl.so to use relocation as a
workaround, until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /home/Jon/.quakelive/quakelive/home/pb/pbcl.so to run correctly,
you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/home/Jon/.quakelive/quakelive/home/pb/pbcl.so'" You must also change the
default file context files on the system in order to preserve them even on a
full relabel. "semanage fcontext -a -t textrel_shlib_t
'/home/Jon/.quakelive/quakelive/home/pb/pbcl.so'"

Fix Command:

chcon -t textrel_shlib_t '/home/Jon/.quakelive/quakelive/home/pb/pbcl.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                /home/Jon/.quakelive/quakelive/home/pb/pbcl.so [
                              file ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.5.2/firefox
Port                          <Unknown>
Host                          Jon-Laptop
Source RPM Packages           firefox-3.5.2-2.fc11
Target RPM Packages           
Policy RPM                    selinux-policy-3.6.12-78.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     Jon-Laptop
Platform                      Linux Jon-Laptop 2.6.29.6-217.2.8.fc11.i686.PAE #1
                              SMP Sat Aug 15 01:07:59 EDT 2009 i686 i686
Alert Count                   529
First Seen                    Mon 24 Aug 2009 22:25:07 BST
Last Seen                     Mon 24 Aug 2009 22:25:33 BST
Local ID                      479ab8d7-3eef-42b2-a6a8-fc8b84c7dd9d
Line Numbers                  

Raw Audit Messages            

node=Jon-Laptop type=AVC msg=audit(1251149133.74:30653): avc:  denied  { execmod } for  pid=6630 comm="firefox" path="/home/Jon/.quakelive/quakelive/home/pb/pbcl.so" dev=sda6 ino=131475 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file

node=Jon-Laptop type=SYSCALL msg=audit(1251149133.74:30653): arch=40000003 syscall=125 success=no exit=-13 a0=3bb4000 a1=d0000 a2=5 a3=17c3ab0 items=0 ppid=5950 pid=6630 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5.2/firefox" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2009-08-31 13:05:19 UTC
This indicates a bug in the way Quake Live's library was built. You can tell SELinux to ignore this by executing the command in the setroubleshoot message.

Please report this as a bug to Quake Live, to build their library correctly.

Include this link to help them understand what is going on.

http://people.redhat.com/~drepper/selinux-mem.html

It also looks like your homedir might be mislabeled.  Run

restorecon -R -v /home/Jon
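
For triage of denials like the one in this report, the following added example (not part of the original bug report or of any SELinux tool) pairs each AVC record with its SYSCALL record by audit event ID, decodes the mprotect protection flags, and reports the target label. The function names and the "directory type on a regular file" mislabel heuristic are assumptions of this example; with arch=40000003 (i386), syscall 125 is mprotect, and audit prints syscall arguments in hex.

```python
import re
from collections import defaultdict

# The two raw audit records quoted in the report above, embedded as sample input.
SAMPLE = '''node=Jon-Laptop type=AVC msg=audit(1251149133.74:30653): avc:  denied  { execmod } for  pid=6630 comm="firefox" path="/home/Jon/.quakelive/quakelive/home/pb/pbcl.so" dev=sda6 ino=131475 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file
node=Jon-Laptop type=SYSCALL msg=audit(1251149133.74:30653): arch=40000003 syscall=125 success=no exit=-13 a0=3bb4000 a1=d0000 a2=5 a3=17c3ab0 items=0 ppid=5950 pid=6630 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5.2/firefox" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)
'''

EVENT = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
I386_MPROTECT = ("40000003", "125")  # AUDIT_ARCH_I386, __NR_mprotect

def parse_events(log):
    """Group audit records by event id: {event_id: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in log.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line[m.end():])}
        perms = PERMS.search(line)
        if perms:
            fields["perms"] = perms.group(1).split()
        events[m.group(2)][m.group(1)] = fields
    return events

def execmod_denials(log):
    """Return one summary dict per AVC event that denied execmod."""
    out = []
    for event_id, recs in parse_events(log).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "execmod" not in avc.get("perms", []):
            continue
        target_type = avc["tcontext"].split(":")[2]
        prot = []
        if (sc.get("arch"), sc.get("syscall")) == I386_MPROTECT:
            bits = int(sc["a2"], 16)  # third mprotect argument: prot
            prot = [name for bit, name in PROT.items() if bits & bit]
        # Heuristic (assumption of this example): a directory type on a
        # regular file suggests the label was inherited, not assigned.
        hint = avc["tclass"] == "file" and target_type.endswith("_dir_t")
        out.append({"event": event_id, "path": avc["path"], "target_type": target_type,
                    "mprotect_prot": prot, "mislabel_hint": hint})
    return out
```

On the sample, the denied call is an mprotect requesting read and execute on a file-backed mapping, which is the pattern produced when a library's text segment was modified for relocation and then made executable again.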

