Bug 560573 - SPICE: RHEL54/55-i386 Client Cannot open spice session SELinux prevent loading shared libraries: /usr/lib/libqavcodec.so.51.
Summary: SPICE: RHEL54/55-i386 Client Cannot open spice session SELinux prevent loadin...
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: qffmpeg
Version: 5.5
Hardware: All
OS: Linux
high
high
Target Milestone: rc
: ---
Assignee: Monty
QA Contact: Desktop QE
URL:
Whiteboard: VDI
: 545860 (view as bug list)
Depends On:
Blocks: 545860 545928 576564 618288 847650 854013 862822 864489 866391 869122 871540 877308
TreeView+ depends on / blocked
 
Reported: 2010-02-01 08:25 UTC by Omri Hochman
Modified: 2013-10-20 22:43 UTC (History)
10 users (show)

Fixed In Version: qffmpeg-0.4.9-0.16.20080908.el5_5
Doc Type: Bug Fix
Doc Text:
Clone Of:
: 618288 (view as bug list)
Environment:
Last Closed: 2013-05-08 14:46:20 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
eliminate text relocations in hand-written i386 assembly (25.66 KB, patch)
2010-03-09 21:56 UTC, Monty
no flags Details | Diff

Description Omri Hochman 2010-02-01 08:25:04 UTC
SPICE: RHEL54/55-i386 Client Cannot open spice session SELinux prevent loading shared libraries: /usr/lib/libqavcodec.so.51.

Client machine:RHEL54-32bit or RHEL55-32bit.
spice version : (qspice-0.3.0-0.el5.i686 , spice-xpi-2.2-0.el5.i386)

When attempting to run spice from command line: 
spicec red-vdsl.qa.lab.tlv.redhat.com 5912 5888 --ssl-channels=main,inputs --ca-file=certs/cacert.pem

The Following error: 
spicec: error while loading shared libraries: /usr/lib/libqavcodec.so.51: cannot restore segment prot after reloc: Permission denied



workaround:  disable SELinux
"setenforce 0"

"getenforce" should be --> : Permissive

Comment 1 Uri Lublin 2010-02-01 09:01:25 UTC
Note that for x86_64 there is no such problem.

Comment 2 Uri Lublin 2010-02-01 09:29:14 UTC
audit.log:
type=AVC msg=audit(1265015895.882:12): avc:  denied  { execmod } for  pid=3443 comm="spicec" path="/usr/lib/libqavcodec.so.51.71.0" dev=dm-3 ino=1780003 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1265015895.882:12): arch=40000003 syscall=125 success=no exit=-13 a0=3e1000 a1=78000 a2=5 a3=bfc27620 items=0 ppid=3411 pid=3443 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="spicec" exe="/usr/bin/spicec" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)

setroubleshootd.log: empty


After disabling selinux (+ reboot) and re-enabling it (system-config-selinux -- Enforcing + reboot + labelling + reboot), there is no problem.

Then after "yum remove qffmpeg-libs qspice-client" + "yum localinstall qspice-client" (which also installs qffmpeg-libs), we again experience the permission problem.

Comment 3 Omri Hochman 2010-02-01 10:17:30 UTC
Roni Luxenberg, found another workaround:

ELinux is preventing spicec from loading /usr/lib/libqavcodec.so.51.71.0 which
requires text relocation.

Detailed Description:

The spicec application attempted to load /usr/lib/libqavcodec.so.51.71.0 which
requires text relocation. This is a potential security problem. Most libraries
do not need this permission. Libraries are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/libqavcodec.so.51.71.0 to use relocation as a workaround, until the
library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib/libqavcodec.so.51.71.0 to run correctly, you can change
the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/libqavcodec.so.51.71.0'" You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t textrel_shlib_t '/usr/lib/libqavcodec.so.51.71.0'"

Comment 4 Uri Lublin 2010-02-01 10:31:58 UTC
Following #c3 moving the bug to qffmpeg component of RHEL-5

Comment 5 Itamar Heim 2010-02-01 15:10:13 UTC
*** Bug 545860 has been marked as a duplicate of this bug. ***

Comment 6 Uri Lublin 2010-02-01 17:28:15 UTC
Some more information: following http://people.redhat.com/drepper/textrelocs.html (snipped lines that appear more than once):

# eu-findtextrel libqavcodec.so.51.71.0
either the file containing the function 'dsputil_init_pix_mmx' or the file containing the function 'ff_simple_idct_put_mmx' is not compiled with -fpic/-fPIC
the file containing the function 'ff_simple_idct_put_mmx' is not compiled with -fpic/-fPIC
the file containing the function 'ff_simple_idct_mmx' is not compiled with -fpic/-fPIC
the file containing the function 'ff_simple_idct_add_mmx' is not compiled with -fpic/-fPIC

Comment 7 Monty 2010-02-04 21:53:51 UTC
"The tool is not able to distinguish compiler-generated code from assembler code written by the programmer. If the problem is indeed the result of hand-written assembler code the solution is not as simple as adding a compiler/assembler flag. The code needs to be rewritten. This is architecture specific and can vary widely between every single instance. We are not going into those details here. Find a person with sufficient assembly programming skills if this problem appears."

Unfortunately, the offending file is a hand-written i386 assembly file.  I don't understand the actual text relocation problem in enough detail to know how to go about fixing it.

However, I recall similar problems coming up in the Theora source at one point, I will go grovel through the bug logs at Xiph and see if there was a code pattern I can learn from.

Comment 8 Monty 2010-02-04 22:13:53 UTC
Yes, OK, I did see this in the past and the patches were instructive.  I believe i have a fix; will need to test tomorrow though.

Comment 10 Monty 2010-03-08 18:45:39 UTC
Note-- I sent a patch to Uri that should fix the issue.  If feedback is positive, I'll get it in distCVS and kick off a build immediately.

Comment 11 Monty 2010-03-09 21:56:17 UTC
Created attachment 398949 [details]
eliminate text relocations in hand-written i386 assembly

FTR, this is the proposed patch.  Actual change is a few lines, it's larger only because I removed a chunk of dead code in an #if 0 while working on the fix.

Comment 12 Uri Lublin 2010-03-10 13:32:21 UTC
Works for me.

Built a scratch build [1] and tested (with Haim Ateya) on a rhel-5.5 i386 machine. Did not test on rhel-5.4 i386 machine

[1] https://brewweb.devel.redhat.com/taskinfo?taskID=2306715

Comment 17 Monty 2010-03-23 22:18:46 UTC
patch committed to distCVS for RHEL-5

Comment 19 Omri Hochman 2010-06-15 14:07:08 UTC
verified: spice not blocked by selinux when qffmpeg-0.4.9-0.16.20080908.el5_5
installed.


Note You need to log in before you can comment on or make changes to this bug.