Red Hat Bugzilla – Bug 560573
SPICE: RHEL54/55-i386 Client Cannot open spice session SELinux prevent loading shared libraries: /usr/lib/libqavcodec.so.51.
Last modified: 2013-10-20 18:43:28 EDT
SPICE: RHEL54/55-i386 Client Cannot open spice session SELinux prevent loading shared libraries: /usr/lib/libqavcodec.so.51. Client machine:RHEL54-32bit or RHEL55-32bit. spice version : (qspice-0.3.0-0.el5.i686 , spice-xpi-2.2-0.el5.i386) When attempting to run spice from command line: spicec red-vdsl.qa.lab.tlv.redhat.com 5912 5888 --ssl-channels=main,inputs --ca-file=certs/cacert.pem The Following error: spicec: error while loading shared libraries: /usr/lib/libqavcodec.so.51: cannot restore segment prot after reloc: Permission denied workaround: disable SELinux "setenforce 0" "getenforce" should be --> : Permissive
Note that for x86_64 there is no such problem.
audit.log: type=AVC msg=audit(1265015895.882:12): avc: denied { execmod } for pid=3443 comm="spicec" path="/usr/lib/libqavcodec.so.51.71.0" dev=dm-3 ino=1780003 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file type=SYSCALL msg=audit(1265015895.882:12): arch=40000003 syscall=125 success=no exit=-13 a0=3e1000 a1=78000 a2=5 a3=bfc27620 items=0 ppid=3411 pid=3443 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="spicec" exe="/usr/bin/spicec" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null) setroubleshootd.log: empty After disabling selinux (+ reboot) and re-enabling it (system-config-selinux -- Enforcing + reboot + labelling + reboot), there is no problem. Then after "yum remove qffmpeg-libs qspice-client" + "yum localinstall qspice-client" (which also installs qffmpeg-libs), we again experience the permission problem.
Roni Luxenberg, found another workaround: ELinux is preventing spicec from loading /usr/lib/libqavcodec.so.51.71.0 which requires text relocation. Detailed Description: The spicec application attempted to load /usr/lib/libqavcodec.so.51.71.0 which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/libqavcodec.so.51.71.0 to use relocation as a workaround, until the library is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package. Allowing Access: If you trust /usr/lib/libqavcodec.so.51.71.0 to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib/libqavcodec.so.51.71.0'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/usr/lib/libqavcodec.so.51.71.0'"
Following #c3 moving the bug to qffmpeg component of RHEL-5
*** Bug 545860 has been marked as a duplicate of this bug. ***
Some more information: following http://people.redhat.com/drepper/textrelocs.html (snipped lines that appear more than once): # eu-findtextrel libqavcodec.so.51.71.0 either the file containing the function 'dsputil_init_pix_mmx' or the file containing the function 'ff_simple_idct_put_mmx' is not compiled with -fpic/-fPIC the file containing the function 'ff_simple_idct_put_mmx' is not compiled with -fpic/-fPIC the file containing the function 'ff_simple_idct_mmx' is not compiled with -fpic/-fPIC the file containing the function 'ff_simple_idct_add_mmx' is not compiled with -fpic/-fPIC
"The tool is not able to distinguish compiler-generated code from assembler code written by the programmer. If the problem is indeed the result of hand-written assembler code the solution is not as simple as adding a compiler/assembler flag. The code needs to be rewritten. This is architecture specific and can vary widely between every single instance. We are not going into those details here. Find a person with sufficient assembly programming skills if this problem appears." Unfortunately, the offending file is a hand-written i386 assembly file. I don't understand the actual text relocation problem in enough detail to know how to go about fixing it. However, I recall similar problems coming up in the Theora source at one point, I will go grovel through the bug logs at Xiph and see if there was a code pattern I can learn from.
Yes, OK, I did see this in the past and the patches were instructive. I believe i have a fix; will need to test tomorrow though.
Note-- I sent a patch to Uri that should fix the issue. If feedback is positive, I'll get it in distCVS and kick off a build immediately.
Created attachment 398949 [details] eliminate text relocations in hand-written i386 assembly FTR, this is the proposed patch. Actual change is a few lines, it's larger only because I removed a chunk of dead code in an #if 0 while working on the fix.
Works for me. Built a scratch build [1] and tested (with Haim Ateya) on a rhel-5.5 i386 machine. Did not test on rhel-5.4 i386 machine [1] https://brewweb.devel.redhat.com/taskinfo?taskID=2306715
patch committed to distCVS for RHEL-5
verified: spice not blocked by selinux when qffmpeg-0.4.9-0.16.20080908.el5_5 installed.