Summary:

SELinux is preventing /usr/bin/knotify4 from loading /usr/lib/vlc/plugins/codec/librealvideo_plugin.so which requires text relocation.

Detailed Description:

The knotify4 application attempted to load /usr/lib/vlc/plugins/codec/librealvideo_plugin.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/vlc/plugins/codec/librealvideo_plugin.so to use relocation as a workaround, until the library is fixed. Please file a bug report.

Allowing Access:

If you trust /usr/lib/vlc/plugins/codec/librealvideo_plugin.so to run correctly, you can change the file context to textrel_shlib_t.

"chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/librealvideo_plugin.so'"

You must also change the default file context files on the system in order to preserve them even on a full relabel.

"semanage fcontext -a -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/librealvideo_plugin.so'"

Fix Command:

chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/librealvideo_plugin.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/vlc/plugins/codec/librealvideo_plugin.so [ file ]
Source                        knotify4
Source Path                   /usr/bin/knotify4
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           kdebase-runtime-4.4.92-1.fc13
Target RPM Packages           vlc-core-1.1.0-0.14.fc13
Policy RPM                    selinux-policy-3.7.19-37.fc13
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     (removed)
Platform                      Linux (removed) 2.6.33.6-147.fc13.i686 #1 SMP Tue Jul 6 22:30:55 UTC 2010 i686 i686
Alert Count                   4
First Seen                    Thu 22 Jul 2010 12:09:06 AM CEST
Last Seen                     Thu 22 Jul 2010 12:09:11 AM CEST
Local ID                      72dff0a0-7d15-46e1-8b8c-038400b3977e
Line Numbers

Raw Audit Messages

node=(removed) type=AVC msg=audit(1279750151.859:22626): avc: denied { execmod } for pid=12150 comm="knotify4" path="/usr/lib/vlc/plugins/codec/librealvideo_plugin.so" dev=dm-6 ino=407014 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1279750151.859:22626): arch=40000003 syscall=125 success=no exit=-13 a0=4067000 a1=1b000 a2=5 a3=bfd789d0 items=0 ppid=1 pid=12150 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=73 comm="knotify4" exe="/usr/bin/knotify4" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Hash String generated from allow_execmod,knotify4,unconfined_t,lib_t,file,execmod

audit2allow suggests:

#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execmod'
allow unconfined_t lib_t:file execmod;
Generally it started happening after installation of phonon-backend-vlc. It is annoying but doesn't make the system unusable; it just spews those problems often when the phonon engine is set to the vlc backend and after that when KDE must use the sound system. I understand the problem lies with the vlc developers, so I guess I will ask them what they can do about it.
The alert message tells you how to fix. Miroslav can you fix the label in libraries.fc

/usr/lib(64)?/vlc/codec/librealvideo_plugin\.so -- gen_context(system_u:object_r:textrel_shlib_t,s0)
I am fully aware of how to fix it, but I would be fixing just the message, allowing the text relocation to happen, and I understand that is a security hazard? I don't mind that message coming up, I am more worried about possible security issues?
I would not be worried about the security implication of this. We have it labeled correctly for 64-bit machines but not 32-bit machines. Real built the libraries incorrectly and that is causing the error.
I see. In that case I volunteer to install test updates with a fix to this. Thank You very much for such a great OS, and thank You for being such great developers of the best Linux distro (at least in my opinion). Thank You!!
Fixed in selinux-policy-3.7.19-40.fc13.noarch
Thank You so much, I am going to test it and report back. Thanks!!
selinux-policy-3.7.19-41.fc13 has been submitted as an update for Fedora 13. http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update selinux-policy'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/selinux-policy-3.7.19-41.fc13
After applying this update the problem doesn't show up anymore. Thank You very much for your help. It is highly appreciated!! Thank You!!
selinux-policy-3.7.19-41.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
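
Added example, not part of the bug report or of any Fedora tooling: a triage helper that pairs the execmod AVC from the report with the SYSCALL record carrying the same event serial and decodes it, showing that the denied call was an i386 mprotect() asking for read+execute on a region of the library. The function names are ours; the syscall number and arch constant are the i386 values and are assumed only for that architecture.

```python
import re

# The two raw audit records from the report (node= prefix and unused SYSCALL fields dropped).
SAMPLE = (
    'type=AVC msg=audit(1279750151.859:22626): avc: denied { execmod } for pid=12150 '
    'comm="knotify4" path="/usr/lib/vlc/plugins/codec/librealvideo_plugin.so" dev=dm-6 '
    'ino=407014 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=file\n'
    'type=SYSCALL msg=audit(1279750151.859:22626): arch=40000003 syscall=125 success=no '
    'exit=-13 a0=4067000 a1=1b000 a2=5 a3=bfd789d0 pid=12150 comm="knotify4"\n'
)
I386_ARCH, I386_MPROTECT = 0x40000003, 125   # AUDIT_ARCH_I386, __NR_mprotect on i386
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}

def parse_record(line):
    """Split one audit line into (record type, event serial, field dict)."""
    m = re.search(r"type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)", line)
    if not m:
        return None
    rtype, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', body)}
    perms = re.search(r"\{ ([^}]*)\}", body)          # AVC permission set, e.g. { execmod }
    fields["perms"] = perms.group(1).split() if perms else []
    return rtype, serial, fields

def execmod_events(log):
    """Pair each execmod AVC with the SYSCALL record sharing its event serial."""
    events = {}
    for line in log.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec[1], {})[rec[0]] = rec[2]
    findings = []
    for serial, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or "execmod" not in avc["perms"]:
            continue
        hit = {"event": serial, "comm": avc["comm"], "path": avc["path"],
               "source_type": avc["scontext"].split(":")[2],
               "target_type": avc["tcontext"].split(":")[2]}
        if sc and int(sc["arch"], 16) == I386_ARCH and int(sc["syscall"]) == I386_MPROTECT:
            prot = int(sc["a2"], 16)                  # a0..a3 are logged in hex
            hit.update(syscall="mprotect", length=int(sc["a1"], 16), errno=-int(sc["exit"]),
                       prot=[name for bit, name in PROT.items() if prot & bit])
        findings.append(hit)
    return findings

if __name__ == "__main__":
    for hit in execmod_events(SAMPLE):
        print(hit)
```

The decoded errno 13 is EACCES, and the source/target types it reports (unconfined_t, lib_t) are the pair the policy fix addresses by relabelling the library as textrel_shlib_t.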