Bug 560573 - SPICE: RHEL54/55-i386 Client Cannot open spice session SELinux prevent loading shared libraries: /usr/lib/libqavcodec.so.51.
SPICE: RHEL54/55-i386 Client Cannot open spice session SELinux prevent loadin...
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: qffmpeg (Show other bugs)
5.5
All Linux
high Severity high
: rc
: ---
Assigned To: Monty
Desktop QE
VDI
: ZStream
: 545860 (view as bug list)
Depends On:
Blocks: 545860 545928 576564 618288 847650 854013 862822 864489 866391 869122 871540 877308
  Show dependency treegraph
 
Reported: 2010-02-01 03:25 EST by Omri Hochman
Modified: 2013-10-20 18:43 EDT (History)
10 users (show)

See Also:
Fixed In Version: qffmpeg-0.4.9-0.16.20080908.el5_5
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 618288 (view as bug list)
Environment:
Last Closed: 2013-05-08 10:46:20 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
eliminate text relocations in hand-written i386 assembly (25.66 KB, patch)
2010-03-09 16:56 EST, Monty
no flags Details | Diff

  None (edit)
Description Omri Hochman 2010-02-01 03:25:04 EST
SPICE: RHEL54/55-i386 Client Cannot open spice session SELinux prevent loading shared libraries: /usr/lib/libqavcodec.so.51.

Client machine:RHEL54-32bit or RHEL55-32bit.
spice version : (qspice-0.3.0-0.el5.i686 , spice-xpi-2.2-0.el5.i386)

When attempting to run spice from command line: 
spicec red-vdsl.qa.lab.tlv.redhat.com 5912 5888 --ssl-channels=main,inputs --ca-file=certs/cacert.pem

The Following error: 
spicec: error while loading shared libraries: /usr/lib/libqavcodec.so.51: cannot restore segment prot after reloc: Permission denied



workaround:  disable SELinux
"setenforce 0"

"getenforce" should be --> : Permissive
Comment 1 Uri Lublin 2010-02-01 04:01:25 EST
Note that for x86_64 there is no such problem.
Comment 2 Uri Lublin 2010-02-01 04:29:14 EST
audit.log:
type=AVC msg=audit(1265015895.882:12): avc:  denied  { execmod } for  pid=3443 comm="spicec" path="/usr/lib/libqavcodec.so.51.71.0" dev=dm-3 ino=1780003 scontext=root:system_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1265015895.882:12): arch=40000003 syscall=125 success=no exit=-13 a0=3e1000 a1=78000 a2=5 a3=bfc27620 items=0 ppid=3411 pid=3443 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=1 comm="spicec" exe="/usr/bin/spicec" subj=root:system_r:unconfined_t:s0-s0:c0.c1023 key=(null)

setroubleshootd.log: empty


After disabling selinux (+ reboot) and re-enabling it (system-config-selinux -- Enforcing + reboot + labelling + reboot), there is no problem.

Then after "yum remove qffmpeg-libs qspice-client" + "yum localinstall qspice-client" (which also installs qffmpeg-libs), we again experience the permission problem.
Comment 3 Omri Hochman 2010-02-01 05:17:30 EST
Roni Luxenberg, found another workaround:

ELinux is preventing spicec from loading /usr/lib/libqavcodec.so.51.71.0 which
requires text relocation.

Detailed Description:

The spicec application attempted to load /usr/lib/libqavcodec.so.51.71.0 which
requires text relocation. This is a potential security problem. Most libraries
do not need this permission. Libraries are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/libqavcodec.so.51.71.0 to use relocation as a workaround, until the
library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib/libqavcodec.so.51.71.0 to run correctly, you can change
the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/libqavcodec.so.51.71.0'" You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t textrel_shlib_t '/usr/lib/libqavcodec.so.51.71.0'"
Comment 4 Uri Lublin 2010-02-01 05:31:58 EST
Following #c3 moving the bug to qffmpeg component of RHEL-5
Comment 5 Itamar Heim 2010-02-01 10:10:13 EST
*** Bug 545860 has been marked as a duplicate of this bug. ***
Comment 6 Uri Lublin 2010-02-01 12:28:15 EST
Some more information: following http://people.redhat.com/drepper/textrelocs.html (snipped lines that appear more than once):

# eu-findtextrel libqavcodec.so.51.71.0
either the file containing the function 'dsputil_init_pix_mmx' or the file containing the function 'ff_simple_idct_put_mmx' is not compiled with -fpic/-fPIC
the file containing the function 'ff_simple_idct_put_mmx' is not compiled with -fpic/-fPIC
the file containing the function 'ff_simple_idct_mmx' is not compiled with -fpic/-fPIC
the file containing the function 'ff_simple_idct_add_mmx' is not compiled with -fpic/-fPIC
Comment 7 Monty 2010-02-04 16:53:51 EST
"The tool is not able to distinguish compiler-generated code from assembler code written by the programmer. If the problem is indeed the result of hand-written assembler code the solution is not as simple as adding a compiler/assembler flag. The code needs to be rewritten. This is architecture specific and can vary widely between every single instance. We are not going into those details here. Find a person with sufficient assembly programming skills if this problem appears."

Unfortunately, the offending file is a hand-written i386 assembly file.  I don't understand the actual text relocation problem in enough detail to know how to go about fixing it.

However, I recall similar problems coming up in the Theora source at one point, I will go grovel through the bug logs at Xiph and see if there was a code pattern I can learn from.
Comment 8 Monty 2010-02-04 17:13:53 EST
Yes, OK, I did see this in the past and the patches were instructive.  I believe i have a fix; will need to test tomorrow though.
Comment 10 Monty 2010-03-08 13:45:39 EST
Note-- I sent a patch to Uri that should fix the issue.  If feedback is positive, I'll get it in distCVS and kick off a build immediately.
Comment 11 Monty 2010-03-09 16:56:17 EST
Created attachment 398949 [details]
eliminate text relocations in hand-written i386 assembly

FTR, this is the proposed patch.  Actual change is a few lines, it's larger only because I removed a chunk of dead code in an #if 0 while working on the fix.
Comment 12 Uri Lublin 2010-03-10 08:32:21 EST
Works for me.

Built a scratch build [1] and tested (with Haim Ateya) on a rhel-5.5 i386 machine. Did not test on rhel-5.4 i386 machine

[1] https://brewweb.devel.redhat.com/taskinfo?taskID=2306715
Comment 17 Monty 2010-03-23 18:18:46 EDT
patch committed to distCVS for RHEL-5
Comment 19 Omri Hochman 2010-06-15 10:07:08 EDT
verified: spice not blocked by selinux when qffmpeg-0.4.9-0.16.20080908.el5_5
installed.

Note You need to log in before you can comment on or make changes to this bug.