Bug 591854 - SELinux empêche /usr/bin/vlc de charger /usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du texte.
Summary: SELinux empêche /usr/bin/vlc de charger /usr/lib/vlc/plugins/codec/libdmo_plu...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:d7317c57db0...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-05-13 11:15 UTC by maxime.tierre
Modified: 2010-12-27 09:55 UTC (History)
175 users (show)

Fixed In Version: selinux-policy-3.7.19-51.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-11-08 09:41:20 UTC


Attachments (Terms of Use)

Description maxime.tierre 2010-05-13 11:15:30 UTC
Résumé:

SELinux empêche /usr/bin/vlc de charger
/usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du
texte.

Description détaillée:

L'application vlc a essayé de charger
/usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du
texte. C'est un problème potentiel de sécurité . La plupart des
bibliothèques n'ont pas besoin de cette permission. Les bibliothèques sont
parfois programmées incorrectement et demandent cette permission. La page web
Essais de protection mémoire de SELinux
(http://people.redhat.com/drepper/selinux-mem.html) explique comment retirer ces
exigences. Vous pouvez configurer temporairement SELinux pour permettre à
/usr/lib/vlc/plugins/codec/libdmo_plugin.so d'utiliser le ré-adressage et
contourner cette protection, jusqu'à ce que la bibliothèque soit corrigée.
Merci de remplir un rapport de bogue
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) pour c

Autoriser l'accès:

Si vous autorisez /usr/lib/vlc/plugins/codec/libdmo_plugin.so à fonctionner
correctement, vous pouvez changer le contexte du fichier à textrel_shlib_t.
"chcon -t textrel_shlib_t /usr/lib/vlc/plugins/codec/libdmo_plugin.so" Vous
devez aussi changer le dossier par défaut des fichiers de contexte de votre
système, même lors d'un réétiquetage complet, de manière à les préserver.
"semanage fcontext -a -t textrel_shlib_t
'/usr/lib/vlc/plugins/codec/libdmo_plugin.so'"

Commande de correction:

chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/libdmo_plugin.so'

Informations complémentaires:

Contexte source               unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Contexte cible                system_u:object_r:lib_t:s0
Objets du contexte            /usr/lib/vlc/plugins/codec/libdmo_plugin.so [ file
                              ]
source                        vlc
Chemin de la source           /usr/bin/vlc
Port                          <Inconnu>
Hôte                         (supprimé)
Paquetages RPM source         vlc-core-1.1.0-0.6.pre3.fc14
Paquetages RPM cible          vlc-core-1.1.0-0.6.pre3.fc14
Politique RPM                 selinux-policy-3.7.19-10.fc13
Selinux activé               True
Type de politique             targeted
Mode strict                   Enforcing
Nom du plugin                 allow_execmod
Nom de l'hôte                (supprimé)
Plateforme                    Linux (supprimé) 2.6.33.3-85.fc13.i686.PAE #1
                              SMP Thu May 6 18:27:11 UTC 2010 i686 i686
Compteur d'alertes            2
Première alerte              jeu. 13 mai 2010 13:13:33 CEST
Dernière alerte              jeu. 13 mai 2010 13:13:33 CEST
ID local                      ac19f197-cee2-4fd7-b97f-fb4d2560fc8c
Numéros des lignes           

Messages d'audit bruts        

node=(supprimé) type=AVC msg=audit(1273749213.308:32053): avc:  denied  { execmod } for  pid=2303 comm="vlc" path="/usr/lib/vlc/plugins/codec/libdmo_plugin.so" dev=sda3 ino=536338 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=(supprimé) type=SYSCALL msg=audit(1273749213.308:32053): arch=40000003 syscall=125 success=no exit=-13 a0=273d000 a1=1e000 a2=5 a3=bfbffba0 items=0 ppid=1 pid=2303 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="vlc" exe="/usr/bin/vlc" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  allow_execmod,vlc,unconfined_t,lib_t,file,execmod
audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execmod'

allow unconfined_t lib_t:file execmod;

Comment 1 Daniel Walsh 2010-05-13 13:05:21 UTC
The sealert tells you what to do.  Either 

# chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/libdmo_plugin.so'

or

# setsebool -P allow_execmod 1


Labeling will be

Fixed in selinux-policy-3.7.19-16.fc13.noarch

Comment 2 Fedora Update System 2010-05-25 14:36:27 UTC
selinux-policy-3.7.19-21.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-21.fc13

Comment 3 Fedora Update System 2010-05-26 21:45:35 UTC
selinux-policy-3.7.19-21.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-21.fc13

Comment 4 Fedora Update System 2010-05-28 18:01:08 UTC
selinux-policy-3.7.19-21.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Nicolas Chauvet (kwizart) 2010-06-13 20:26:43 UTC
Hello,

I have selinux-policy-3.7.19-23.fc13.noarch and the behaviour isn't fixed.
It might be a difference between vlc 1.0.x and vlc-1.1.x libdmo_plugin.so path. That version of vlc is aimed to be provided as an update for F-13.

Comment 6 Daniel Walsh 2010-06-14 23:05:19 UTC
What is the new path?

Comment 7 Peter H. Jones 2010-08-24 10:43:02 UTC
I have:
libselinux-devel-2.0.90-5.fc13.i686
libselinux-2.0.90-5.fc13.i686
selinux-policy-3.7.19-47.fc13.noarch
vlc-core-1.1.3-1.fc13.i686
vlc-1.1.3-1.fc13.i686
libselinux-python-2.0.90-5.fc13.i686
selinux-policy-targeted-3.7.19-47.fc13.noarch
libselinux-utils-2.0.90-5.fc13.i686

I presume the path is given in the beginning of the report below:


Summary:

SELinux is preventing /usr/bin/vlc from loading
/usr/lib/vlc/plugins/codec/librealvideo_plugin.so which requires text
relocation.

Detailed Description:

The vlc application attempted to load
/usr/lib/vlc/plugins/codec/librealvideo_plugin.so which requires text
relocation. This is a potential security problem. Most libraries do not need
this permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/vlc/plugins/codec/librealvideo_plugin.so to use relocation as a
workaround, until the library is fixed. Please file a bug report.

Allowing Access:

If you trust /usr/lib/vlc/plugins/codec/librealvideo_plugin.so to run correctly,
you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/vlc/plugins/codec/librealvideo_plugin.so'" You must also change the
default file context files on the system in order to preserve them even on a
full relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/lib/vlc/plugins/codec/librealvideo_plugin.so'"

Fix Command:

chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/librealvideo_plugin.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/vlc/plugins/codec/librealvideo_plugin.so
                              [ file ]
Source                        vlc
Source Path                   /usr/bin/vlc
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           vlc-core-1.1.3-1.fc13
Target RPM Packages           vlc-core-1.1.3-1.fc13
Policy RPM                    selinux-policy-3.7.19-47.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     (removed)
Platform                      Linux localhost.localdomain
                              2.6.33.6-147.2.4.fc13.i686.PAE #1 SMP Fri Jul 23
                              17:21:06 UTC 2010 i686 i686
Alert Count                   2
First Seen                    Mon 23 Aug 2010 12:17:44 PM EDT
Last Seen                     Mon 23 Aug 2010 12:17:44 PM EDT
Local ID                      6628583a-a80c-492c-84d9-1b6772b217aa
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1282580264.250:60): avc:  denied  { execmod } for  pid=7810 comm="vlc" path="/usr/lib/vlc/plugins/codec/librealvideo_plugin.so" dev=sda7 ino=1198999 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1282580264.250:60): arch=40000003 syscall=125 success=no exit=-13 a0=19f1000 a1=1b000 a2=5 a3=bf8b40e0 items=0 ppid=7724 pid=7810 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="vlc" exe="/usr/bin/vlc" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Comment 8 Peter H. Jones 2010-08-24 10:47:51 UTC
I have

abrt-desktop-1.1.13-2.fc13.i686
abrt-plugin-logger-1.1.13-2.fc13.i686
abrt-plugin-runapp-1.1.13-2.fc13.i686
abrt-libs-1.1.13-2.fc13.i686
abrt-plugin-bugzilla-1.1.13-2.fc13.i686
abrt-addon-kerneloops-1.1.13-2.fc13.i686
abrt-addon-ccpp-1.1.13-2.fc13.i686
abrt-addon-python-1.1.13-2.fc13.i686
abrt-gui-1.1.13-2.fc13.i686
abrt-1.1.13-2.fc13.i686

The decision to add the vlc bug information to the existing bug report was made by abrt, even though I don't see a window to change the status of the this report from Closed Insufficient Data to Assigned. I hope there will be a response to the new information.

Comment 9 Filippo Racca 2010-08-24 11:23:30 UTC
I received the same troubleshooter message as Peter H. Jones. Same packet versions and arch.

Comment 10 Nicolas Chauvet (kwizart) 2010-08-24 12:09:57 UTC
There is indeed a redesign in the module path from vlc 1.0.x to vlc 1.1.x
What's in the current selinux-policy-targeted is :
/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so
But the new path in vlc 1.1.x is
/usr/lib(64)?/vlc/codec/plugins/librealvideo_plugin\.so

Same for libdmo_plugin\.so which is 32bit only:
from:
/usr/lib/vlc/codec/libdmo_plugin\.so
to 
:/usr/lib/vlc/codec/plugins/libdmo_plugin\.so

and 
/usr/lib/vlc/video_chroma/libi420_rgb_mmx_plugin\.so
to
/usr/lib64/vlc/plugins/mmx/libi420_rgb_mmx_plugin.so

The mozilla plugin hasn't changed.


Thx

Side note: Thx for adding /usr/lib(64)?/libpostproc4vlc\.so.* . I wasn't aware such context is still needed. Is it possible to add a wildcard instead as libprostproc\*.so so it can be used by any implementation specially as libpostproc4fedora.so could be in the work.

Comment 11 Miroslav Grepl 2010-08-24 12:29:03 UTC
Fixed in selinux-policy-3.7.19-50.fc13

Comment 12 Fedora Update System 2010-08-25 15:36:16 UTC
selinux-policy-3.7.19-51.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13

Comment 13 Fedora Update System 2010-08-26 00:59:02 UTC
selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-51.fc13

Comment 14 Fedora Update System 2010-08-31 06:38:10 UTC
selinux-policy-3.7.19-51.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Michael Aeschbach 2010-08-31 18:01:17 UTC
I still have the same security alert with selinux-policy-3.7.19-51.fc13.

Comment 16 Miroslav Grepl 2010-09-01 09:40:05 UTC
Fixed in selinux-policy-3.7.19-52.fc13.

Comment 17 John Drinkwater 2010-09-11 11:01:02 UTC
I just had this trigger with selinux-policy-3.7.19-54.fc13.noarch

The vlc application attempted to load /usr/lib/vlc/plugins/codec/librealvideo_plugin.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/vlc/plugins/codec/librealvideo_plugin.so to use relocation as a workaround, until the library is fixed. Please file a bug report.

Comment 18 TK009 2010-09-12 17:44:16 UTC
selinux-policy-3.7.19-54.fc13.noarch

The problem persists.

Comment 19 MotherDawg 2010-09-13 09:28:29 UTC
I feel for you guys...

I'm just posting to say that it actually stop for me :
From every use of VLC to none what so ever.

Linux T42.mobile1 2.6.34.6-54.fc13.i686 #1 SMP Sun Sep 5 17:52:31 UTC 2010 i686 i686 i386 GNU/Linux

Comment 20 Miroslav Grepl 2010-09-13 10:15:58 UTC
Execute the chcon command from the alert. Will fix for now. The policy doesn't define label for 

/usr/lib/vlc/plugins/codec/librealvideo_plugin.so

Comment 21 Daniel Walsh 2010-09-13 14:10:14 UTC
restorecon -R -v /usr/lib/vlc

Or turn the check off altogether as I said in comment 1

Comment 22 Mircea Sava 2010-09-26 14:08:33 UTC
(In reply to comment #0)
> Résumé:
> 
> SELinux empêche /usr/bin/vlc de charger
> /usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du
> texte.
> 
> Description détaillée:
> 
> L'application vlc a essayé de charger
> /usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du
> texte. C'est un problème potentiel de sécurité . La plupart des
> bibliothèques n'ont pas besoin de cette permission. Les bibliothèques sont
> parfois programmées incorrectement et demandent cette permission. La page web
> Essais de protection mémoire de SELinux
> (http://people.redhat.com/drepper/selinux-mem.html) explique comment retirer
> ces
> exigences. Vous pouvez configurer temporairement SELinux pour permettre à
> /usr/lib/vlc/plugins/codec/libdmo_plugin.so d'utiliser le ré-adressage et
> contourner cette protection, jusqu'à ce que la bibliothèque soit corrigée.
> Merci de remplir un rapport de bogue
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) pour c
> 
> Autoriser l'accès:
> 
> Si vous autorisez /usr/lib/vlc/plugins/codec/libdmo_plugin.so à fonctionner
> correctement, vous pouvez changer le contexte du fichier à textrel_shlib_t.
> "chcon -t textrel_shlib_t /usr/lib/vlc/plugins/codec/libdmo_plugin.so" Vous
> devez aussi changer le dossier par défaut des fichiers de contexte de votre
> système, même lors d'un réétiquetage complet, de manière à les préserver.
> "semanage fcontext -a -t textrel_shlib_t
> '/usr/lib/vlc/plugins/codec/libdmo_plugin.so'"
> 
> Commande de correction:
> 
> chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/libdmo_plugin.so'
> 
> Informations complémentaires:
> 
> Contexte source              
> unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
>                               023
> Contexte cible                system_u:object_r:lib_t:s0
> Objets du contexte            /usr/lib/vlc/plugins/codec/libdmo_plugin.so [
> file
>                               ]
> source                        vlc
> Chemin de la source           /usr/bin/vlc
> Port                          <Inconnu>
> Hôte                         (supprimé)
> Paquetages RPM source         vlc-core-1.1.0-0.6.pre3.fc14
> Paquetages RPM cible          vlc-core-1.1.0-0.6.pre3.fc14
> Politique RPM                 selinux-policy-3.7.19-10.fc13
> Selinux activé               True
> Type de politique             targeted
> Mode strict                   Enforcing
> Nom du plugin                 allow_execmod
> Nom de l'hôte                (supprimé)
> Plateforme                    Linux (supprimé) 2.6.33.3-85.fc13.i686.PAE #1
>                               SMP Thu May 6 18:27:11 UTC 2010 i686 i686
> Compteur d'alertes            2
> Première alerte              jeu. 13 mai 2010 13:13:33 CEST
> Dernière alerte              jeu. 13 mai 2010 13:13:33 CEST
> ID local                      ac19f197-cee2-4fd7-b97f-fb4d2560fc8c
> Numéros des lignes           
> 
> Messages d'audit bruts        
> 
> node=(supprimé) type=AVC msg=audit(1273749213.308:32053): avc:  denied  {
> execmod } for  pid=2303 comm="vlc"
> path="/usr/lib/vlc/plugins/codec/libdmo_plugin.so" dev=sda3 ino=536338
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> 
> node=(supprimé) type=SYSCALL msg=audit(1273749213.308:32053): arch=40000003
> syscall=125 success=no exit=-13 a0=273d000 a1=1e000 a2=5 a3=bfbffba0 items=0
> ppid=1 pid=2303 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> sgid=500 fsgid=500 tty=(none) ses=1 comm="vlc" exe="/usr/bin/vlc"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> 
> 
> 
> Hash String generated from  allow_execmod,vlc,unconfined_t,lib_t,file,execmod
> audit2allow suggests:
> 
> #============= unconfined_t ==============
> #!!!! This avc can be allowed using the boolean 'allow_execmod'
> 
> allow unconfined_t lib_t:file execmod;

Learn some English dude!

Comment 23 John Drinkwater 2010-09-26 14:19:35 UTC
(In reply to comment #22)
> Learn some English dude!

I don’t wish to be a hypocrite, but please avoid making pointless comments, everyone attached to the bug will be sent them.

Comment 24 luke walton 2010-09-26 15:51:04 UTC
(In reply to comment #22)
> (In reply to comment #0)
> > Résumé:
> > 
> > SELinux empêche /usr/bin/vlc de charger
> > /usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du
> > texte.
> > 
> > Description détaillée:
> > 
> > L'application vlc a essayé de charger
> > /usr/lib/vlc/plugins/codec/libdmo_plugin.so qui exige une réinstallation du
> > texte. C'est un problème potentiel de sécurité . La plupart des
> > bibliothèques n'ont pas besoin de cette permission. Les bibliothèques sont
> > parfois programmées incorrectement et demandent cette permission. La page web
> > Essais de protection mémoire de SELinux
> > (http://people.redhat.com/drepper/selinux-mem.html) explique comment retirer
> > ces
> > exigences. Vous pouvez configurer temporairement SELinux pour permettre à
> > /usr/lib/vlc/plugins/codec/libdmo_plugin.so d'utiliser le ré-adressage et
> > contourner cette protection, jusqu'à ce que la bibliothèque soit corrigée.
> > Merci de remplir un rapport de bogue
> > (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) pour c
> > 
> > Autoriser l'accès:
> > 
> > Si vous autorisez /usr/lib/vlc/plugins/codec/libdmo_plugin.so à fonctionner
> > correctement, vous pouvez changer le contexte du fichier à textrel_shlib_t.
> > "chcon -t textrel_shlib_t /usr/lib/vlc/plugins/codec/libdmo_plugin.so" Vous
> > devez aussi changer le dossier par défaut des fichiers de contexte de votre
> > système, même lors d'un réétiquetage complet, de manière à les préserver.
> > "semanage fcontext -a -t textrel_shlib_t
> > '/usr/lib/vlc/plugins/codec/libdmo_plugin.so'"
> > 
> > Commande de correction:
> > 
> > chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/libdmo_plugin.so'
> > 
> > Informations complémentaires:
> > 
> > Contexte source              
> > unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
> >                               023
> > Contexte cible                system_u:object_r:lib_t:s0
> > Objets du contexte            /usr/lib/vlc/plugins/codec/libdmo_plugin.so [
> > file
> >                               ]
> > source                        vlc
> > Chemin de la source           /usr/bin/vlc
> > Port                          <Inconnu>
> > Hôte                         (supprimé)
> > Paquetages RPM source         vlc-core-1.1.0-0.6.pre3.fc14
> > Paquetages RPM cible          vlc-core-1.1.0-0.6.pre3.fc14
> > Politique RPM                 selinux-policy-3.7.19-10.fc13
> > Selinux activé               True
> > Type de politique             targeted
> > Mode strict                   Enforcing
> > Nom du plugin                 allow_execmod
> > Nom de l'hôte                (supprimé)
> > Plateforme                    Linux (supprimé) 2.6.33.3-85.fc13.i686.PAE #1
> >                               SMP Thu May 6 18:27:11 UTC 2010 i686 i686
> > Compteur d'alertes            2
> > Première alerte              jeu. 13 mai 2010 13:13:33 CEST
> > Dernière alerte              jeu. 13 mai 2010 13:13:33 CEST
> > ID local                      ac19f197-cee2-4fd7-b97f-fb4d2560fc8c
> > Numéros des lignes           
> > 
> > Messages d'audit bruts        
> > 
> > node=(supprimé) type=AVC msg=audit(1273749213.308:32053): avc:  denied  {
> > execmod } for  pid=2303 comm="vlc"
> > path="/usr/lib/vlc/plugins/codec/libdmo_plugin.so" dev=sda3 ino=536338
> > scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> > tcontext=system_u:object_r:lib_t:s0 tclass=file
> > 
> > node=(supprimé) type=SYSCALL msg=audit(1273749213.308:32053): arch=40000003
> > syscall=125 success=no exit=-13 a0=273d000 a1=1e000 a2=5 a3=bfbffba0 items=0
> > ppid=1 pid=2303 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500
> > sgid=500 fsgid=500 tty=(none) ses=1 comm="vlc" exe="/usr/bin/vlc"
> > subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> > 
> > 
> > 
> > Hash String generated from  allow_execmod,vlc,unconfined_t,lib_t,file,execmod
> > audit2allow suggests:
> > 
> > #============= unconfined_t ==============
> > #!!!! This avc can be allowed using the boolean 'allow_execmod'
> > 
> > allow unconfined_t lib_t:file execmod;
> 
> Learn some English dude!

I thought you was having a go at me then. I agree with the previous Comment its not fair to make comments like that.

Comment 25 Daniel Walsh 2010-09-27 14:10:03 UTC
The tool reports in the native language, it is not the reporters fault.  And we do not even look at the report but just the raw data at the bottom anyways.  We are working on a rewrite of the tool for F15 that will not report in the native lang.

Comment 26 Rodolfo 2010-09-27 16:54:30 UTC
I have the same problem

Comment 27 Daniel Walsh 2010-09-27 17:04:20 UTC
You can turn this check off altogether by executing

# setsebool -P allow_execmod 1

Comment 28 Nicolas Chauvet (kwizart) 2010-11-07 16:20:50 UTC
Does the problem still apply with current f13 x86 and vlc 1.1.4-4.fc13 ?

I've forced the related modules to be built with -fPIC which is explicitely avoided in the upstream vlc sources, specially for some modules (real, dmo). 

If thoses modules still works, I would consider the problem solved.

Comment 29 Miroslav Grepl 2010-11-08 09:41:20 UTC
Let's close the bug.


Note You need to log in before you can comment on or make changes to this bug.