Bug 520526 - setroubleshoot: SELinux is preventing xine from loading /usr/lib/libavutil.so.49.15.0 which requires text relocation.
Summary: setroubleshoot: SELinux is preventing xine from loading /usr/lib/libavut...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:73198c0416b...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-08-31 22:43 UTC by Brian Harrington
Modified: 2009-09-01 12:36 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2009-09-01 12:36:17 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Brian Harrington 2009-08-31 22:43:42 UTC
The following was filed automatically by setroubleshoot:

Summary:

SELinux is preventing xine from loading /usr/lib/libavutil.so.49.15.0 which
requires text relocation.

Detailed Description:

The xine application attempted to load /usr/lib/libavutil.so.49.15.0 which
requires text relocation. This is a potential security problem. Most libraries
do not need this permission. Libraries are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/libavutil.so.49.15.0 to use relocation as a workaround, until the
library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib/libavutil.so.49.15.0 to run correctly, you can change the
file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/libavutil.so.49.15.0'" You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t textrel_shlib_t '/usr/lib/libavutil.so.49.15.0'"

Fix Command:

chcon -t textrel_shlib_t '/usr/lib/libavutil.so.49.15.0'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/libavutil.so.49.15.0 [ file ]
Source                        vlc
Source Path                   /usr/bin/vlc
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           xine-ui-0.99.5-15.fc12
Target RPM Packages           libavutil49-0.5-30.fc10_92
Policy RPM                    selinux-policy-3.6.26-8.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     (removed)
Platform                      Linux (removed)
                              2.6.31-0.125.4.2.rc5.git2.fc12.i686 #1 SMP Tue Aug
                              11 21:20:05 EDT 2009 i686 i686
Alert Count                   19
First Seen                    Sun 23 Aug 2009 08:37:20 PM EDT
Last Seen                     Sun 30 Aug 2009 05:22:57 PM EDT
Local ID                      fe5ad7a3-5851-466a-a315-d7ee90d07d36
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1251667377.721:111): avc:  denied  { execmod } for  pid=3938 comm="xine" path="/usr/lib/libavutil.so.49.15.0" dev=dm-4 ino=61638 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1251667377.721:111): arch=40000003 syscall=125 success=no exit=-13 a0=812000 a1=d000 a2=5 a3=bf8c3a00 items=0 ppid=3727 pid=3938 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts3 ses=1 comm="xine" exe="/usr/bin/xine" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)


audit2allow suggests:

#============= unconfined_execmem_t ==============
allow unconfined_execmem_t lib_t:file execmod;

Comment 1 Daniel Walsh 2009-09-01 12:36:17 UTC
Fixed in selinux-policy-3.6.29-2.fc12.noarch


Note You need to log in before you can comment on or make changes to this bug.