Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.
Bug 599096 - SELinux is preventing /home/ri/google-earth/googleearth-bin from loading /usr/lib/dri/fglrx_dri.so which requires text relocation.
SELinux is preventing /home/ri/google-earth/googleearth-bin from loading /usr...
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
12
x86_64 Linux
low Severity medium
: ---
: ---
Assigned To: Miroslav Grepl
Fedora Extras Quality Assurance
setroubleshoot_trace_hash:5a2e40bce7a...
: Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2010-06-02 13:07 EDT by vafr
Modified: 2010-07-19 09:03 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-07-19 09:03:04 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description vafr 2010-06-02 13:07:59 EDT
Samenvatting:

SELinux is preventing /home/ri/google-earth/googleearth-bin from loading
/usr/lib/dri/fglrx_dri.so which requires text relocation.

Gedetailleerde omschrijving:

The googleearth-bin application attempted to load /usr/lib/dri/fglrx_dri.so
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/dri/fglrx_dri.so to use relocation as a workaround, until the library
is fixed. Please file a bug report.

Teogang toestaan:

If you trust /usr/lib/dri/fglrx_dri.so to run correctly, you can change the file
context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/dri/fglrx_dri.so'" You must also change the default file context files
on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t textrel_shlib_t '/usr/lib/dri/fglrx_dri.so'"

Commando repareren:

chcon -t textrel_shlib_t '/usr/lib/dri/fglrx_dri.so'

Additionele informatie:

Bron context                  unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
Doel context                  system_u:object_r:lib_t:s0
Doel objecten                 /usr/lib/dri/fglrx_dri.so [ file ]
Bron                          googleearth-bin
Bron pad                      /home/ri/google-earth/googleearth-bin
Poort                         <Onbekend>
Host                          (removed)
Bron RPM pakketten            
Doel RPM pakketten            xorg-x11-drv-catalyst-libs-10.4-2.fc12
Gedragslijn RPM               selinux-policy-3.6.32-114.fc12
SELinux aangezet              True
Gedragslijn type              targeted
Enforcing modus               Enforcing
Pluginnaam                    allow_execmod
Hostnaam                      (removed)
Platform                      Linux localhost.localdomain
                              2.6.32.12-115.fc12.x86_64 #1 SMP Fri Apr 30
                              19:46:25 UTC 2010 x86_64 x86_64
Aantal waarschuwingen         4
Eerst gezien op               di 01 jun 2010 22:40:19 CEST
Laatst gezien op              di 01 jun 2010 22:40:19 CEST
Locale ID                     e3855828-4ab5-4cef-a12f-c3f2b199b60e
Regelnummers                  

Onbewerkte audit boodschappen 

node=localhost.localdomain type=AVC msg=audit(1275424819.623:91): avc:  denied  { execmod } for  pid=7566 comm="googleearth-bin" path="/usr/lib/dri/fglrx_dri.so" dev=dm-2 ino=396826 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1275424819.623:91): arch=40000003 syscall=125 success=no exit=-13 a0=ef14c000 a1=1976000 a2=5 a3=ffc21fb0 items=0 ppid=7386 pid=7566 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="googleearth-bin" exe="/home/ri/google-earth/googleearth-bin" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  allow_execmod,googleearth-bin,unconfined_execmem_t,lib_t,file,execmod
audit2allow suggests:

#============= unconfined_execmem_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execmod'

allow unconfined_execmem_t lib_t:file execmod;
Comment 1 Miroslav Grepl 2010-06-02 13:23:36 EDT
Execute

chcon -t textrel_shlib_t '/usr/lib/dri/fglrx_dri.so'

Will fix.
Comment 2 vafr 2010-07-07 15:45:39 EDT
Hi Miroslav,

your suggestion to;
 chcon -t textrel_shlib_t '/usr/lib/dri/fglrx_dri.so'

did fix it for a while and made google earth work without problems. But now google earth is messed up again for some reason. Not that important to me. I will try to fix it again.

But to be honest I think there might be an underlying problem as I get the following new alert which at first seems to be a nspluginwrapper / catalyst related thing but when the bug is reported turns out to be a google earth issue??? Sorry for the Dutch comments, I need to fix that sometime, reading between the lines should provide you with the necessary info. The bug is not accepted as 'it was already reported'. Perhaps a selinux or bug report issue instead of a google earth issue (never even used google earth during the last sessions).

This is the report (just ignore the Dutch parts)....


Samenvatting:

SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin from loading
/usr/lib/catalyst/libatiadlxx.so which requires text relocation.

Gedetailleerde omschrijving:

The npviewer.bin application attempted to load /usr/lib/catalyst/libatiadlxx.so
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/catalyst/libatiadlxx.so to use relocation as a workaround, until the
library is fixed. Please file a bug report.

Teogang toestaan:

If you trust /usr/lib/catalyst/libatiadlxx.so to run correctly, you can change
the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/catalyst/libatiadlxx.so'" You must also change the default file
context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t textrel_shlib_t '/usr/lib/catalyst/libatiadlxx.so'"

Commando repareren:

chcon -t textrel_shlib_t '/usr/lib/catalyst/libatiadlxx.so'

Additionele informatie:

Bron context                  unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
Doel context                  system_u:object_r:lib_t:s0
Doel objecten                 /usr/lib/catalyst/libatiadlxx.so [ file ]
Bron                          googleearth-bin
Bron pad                      /home/ri/google-earth/googleearth-bin
Poort                         <Onbekend>
Host                          localhost.localdomain
Bron RPM pakketten            nspluginwrapper-1.3.0-10.fc12
Doel RPM pakketten            xorg-x11-drv-catalyst-libs-10.4-2.fc12
Gedragslijn RPM               selinux-policy-3.6.32-114.fc12
SELinux aangezet              True
Gedragslijn type              targeted
Enforcing modus               Enforcing
Pluginnaam                    allow_execmod
Hostnaam                      localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.32.12-115.fc12.x86_64 #1 SMP Fri Apr 30
                              19:46:25 UTC 2010 x86_64 x86_64
Aantal waarschuwingen         5
Eerst gezien op               di 01 jun 2010 22:40:19 CEST
Laatst gezien op              do 03 jun 2010 23:00:28 CEST
Locale ID                     e3855828-4ab5-4cef-a12f-c3f2b199b60e
Regelnummers                  

Onbewerkte audit boodschappen 

node=localhost.localdomain type=AVC msg=audit(1275598828.999:32829): avc:  denied  { execmod } for  pid=4407 comm="npviewer.bin" path="/usr/lib/catalyst/libatiadlxx.so" dev=dm-2 ino=396814 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1275598828.999:32829): arch=40000003 syscall=125 per=8 success=no exit=-13 a0=7c5d000 a1=2e000 a2=5 a3=ff8b7c60 items=0 ppid=3049 pid=4407 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)
Comment 3 Daniel Walsh 2010-07-12 16:29:59 EDT
If you run restorecon '/usr/lib/catalyst/libatiadlxx.so' -v does it change the label?
Comment 4 vafr 2010-07-15 17:09:25 EDT
I ran restorecon '/usr/lib/catalyst/libatiadlxx.so' -v but there was no feedback and I'm not sure as to what it actually did/does.
Comment 5 Carl G. 2010-07-15 17:47:20 EDT
Do you still see those AVCs or changing the label fixed it?
Comment 6 vafr 2010-07-18 09:44:47 EDT
No, have not seen them again. 

Has the SELinux user interface changed? I believe we had a log file like history list in earlier versions of the troubleshooter which was very clear. The current trouble shooter screen does not show the warnings in chronological order (at least it seems so and I do not know how to make it do that). Just a matter of getting used to I guess. 

Upon a recent, more detailed inspection of the SELinux troubleshooter reports I wondered if the problem wasn't already solved in some other way as the report of this error at the moment says (see below) that it occurred only 5 times from 1 June to  3 June. I assume I must have been confused by the troubleshooter reports. I will keep a close watch on new alerts... 



Samenvatting:

SELinux is preventing /usr/lib/nspluginwrapper/npviewer.bin from loading
/usr/lib/catalyst/libatiadlxx.so which requires text relocation.

Gedetailleerde omschrijving:

The npviewer.bin application attempted to load /usr/lib/catalyst/libatiadlxx.so
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/catalyst/libatiadlxx.so to use relocation as a workaround, until the
library is fixed. Please file a bug report.

Toegang toestaan:

If you trust /usr/lib/catalyst/libatiadlxx.so to run correctly, you can change
the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/catalyst/libatiadlxx.so'" You must also change the default file
context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t textrel_shlib_t '/usr/lib/catalyst/libatiadlxx.so'"

Commando repareren:

chcon -t textrel_shlib_t '/usr/lib/catalyst/libatiadlxx.so'

Additionele informatie:

Bron context                  unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
Doel context                  system_u:object_r:lib_t:s0
Doel objecten                 /usr/lib/catalyst/libatiadlxx.so [ file ]
Bron                          googleearth-bin
Bron pad                      /home/ri/google-earth/googleearth-bin
Poort                         <Onbekend>
Host                          localhost.localdomain
Bron RPM pakketten            nspluginwrapper-1.3.0-10.fc12
Doel RPM pakketten            xorg-x11-drv-catalyst-libs-10.4-2.fc12
Gedragslijn RPM               selinux-policy-3.6.32-114.fc12
SELinux aangezet              True
Gedragslijn type              targeted
Enforcing modus               Enforcing
Pluginnaam                    allow_execmod
Hostnaam                      localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.32.12-115.fc12.x86_64 #1 SMP Fri Apr 30
                              19:46:25 UTC 2010 x86_64 x86_64
Aantal waarschuwingen         5
Eerst gezien op               di 01 jun 2010 22:40:19 CEST
Laatst gezien op              do 03 jun 2010 23:00:28 CEST
Locale ID                     e3855828-4ab5-4cef-a12f-c3f2b199b60e
Regelnummers                  

Onbewerkte audit boodschappen 

node=localhost.localdomain type=AVC msg=audit(1275598828.999:32829): avc:  denied  { execmod } for  pid=4407 comm="npviewer.bin" path="/usr/lib/catalyst/libatiadlxx.so" dev=dm-2 ino=396814 scontext=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1275598828.999:32829): arch=40000003 syscall=125 per=8 success=no exit=-13 a0=7c5d000 a1=2e000 a2=5 a3=ff8b7c60 items=0 ppid=3049 pid=4407 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="npviewer.bin" exe="/usr/lib/nspluginwrapper/npviewer.bin" subj=unconfined_u:unconfined_r:unconfined_execmem_t:s0-s0:c0.c1023 key=(null)
Comment 7 Miroslav Grepl 2010-07-19 06:44:35 EDT
Just execute

chcon -t textrel_shlib_t '/usr/lib/catalyst/libatiadlxx.so'

Will fix for now.

Note You need to log in before you can comment on or make changes to this bug.