Description of problem:
Recently Quake Live, which is a browser-based, free and online version of Quake 3, was updated with Linux support. I tried it out with Firefox and it causes setroubleshooter to throw many hundreds of the same issue at me.

Version-Release number of selected component (if applicable):
selinux-policy-targeted-3.6.12-80.fc11.noarch
selinux-policy-3.6.12-80.fc11.noarch

How reproducible:
Every time, just log in to quakelive.com and it'll occur every time.

Steps to Reproduce:
1. Go to quakelive.com
2. Install the game launcher in Firefox (happens automatically, just confirm)
3. Revisit quakelive.com and attempt to play.

Full error message from setroubleshoot as follows (currently tallied at 529 occurrences):

Summary:

SELinux is preventing firefox from loading /home/Jon/.quakelive/quakelive/home/pb/pbcl.so which requires text relocation.

Detailed Description:

The firefox application attempted to load /home/Jon/.quakelive/quakelive/home/pb/pbcl.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /home/Jon/.quakelive/quakelive/home/pb/pbcl.so to use relocation as a workaround, until the library is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /home/Jon/.quakelive/quakelive/home/pb/pbcl.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/home/Jon/.quakelive/quakelive/home/pb/pbcl.so'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/home/Jon/.quakelive/quakelive/home/pb/pbcl.so'"

Fix Command:

chcon -t textrel_shlib_t '/home/Jon/.quakelive/quakelive/home/pb/pbcl.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:user_home_dir_t:s0
Target Objects                /home/Jon/.quakelive/quakelive/home/pb/pbcl.so [ file ]
Source                        firefox
Source Path                   /usr/lib/firefox-3.5.2/firefox
Port                          <Unknown>
Host                          Jon-Laptop
Source RPM Packages           firefox-3.5.2-2.fc11
Target RPM Packages
Policy RPM                    selinux-policy-3.6.12-78.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     Jon-Laptop
Platform                      Linux Jon-Laptop 2.6.29.6-217.2.8.fc11.i686.PAE #1 SMP Sat Aug 15 01:07:59 EDT 2009 i686 i686
Alert Count                   529
First Seen                    Mon 24 Aug 2009 22:25:07 BST
Last Seen                     Mon 24 Aug 2009 22:25:33 BST
Local ID                      479ab8d7-3eef-42b2-a6a8-fc8b84c7dd9d
Line Numbers

Raw Audit Messages

node=Jon-Laptop type=AVC msg=audit(1251149133.74:30653): avc: denied { execmod } for pid=6630 comm="firefox" path="/home/Jon/.quakelive/quakelive/home/pb/pbcl.so" dev=sda6 ino=131475 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=file

node=Jon-Laptop type=SYSCALL msg=audit(1251149133.74:30653): arch=40000003 syscall=125 success=no exit=-13 a0=3bb4000 a1=d0000 a2=5 a3=17c3ab0 items=0 ppid=5950 pid=6630 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="firefox" exe="/usr/lib/firefox-3.5.2/firefox" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)

This indicates a bug in the way quakelive's library was built. You can tell SELinux to ignore this by executing the command in the setroubleshoot message. Please report this as a bug to quakelive, to build their library correctly. Include this link to help them understand what is going on.

http://people.redhat.com/~drepper/selinux-mem.html

It also looks like your homedir might be mislabeled. Run

restorecon -R -v /home/Jon