Bug 631060 - O SELinux está impedindo que o /usr/lib/vlc/vlc-cache-gen carregue /usr/lib/vlc/plugins/codec/librealvideo_plugin.so, o que requer deslocamento de texto.
Summary: O SELinux está impedindo que o /usr/lib/vlc/vlc-cache-gen carregue /usr/lib/v...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 13
Hardware: i386
OS: Linux
low
medium
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: setroubleshoot_trace_hash:fe803a37a6c...
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-09-07 16:25 UTC by Artemio
Modified: 2011-02-01 18:22 UTC (History)
12 users (show)

Fixed In Version: selinux-policy-3.7.19-62.fc13
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-10-05 09:35:43 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Artemio 2010-09-07 16:25:10 UTC
Sumário:

O SELinux está impedindo que o /usr/lib/vlc/vlc-cache-gen carregue
/usr/lib/vlc/plugins/codec/librealvideo_plugin.so, o que requer deslocamento de
texto.

Descrição detalhada:

The vlc-cache-gen application attempted to load
/usr/lib/vlc/plugins/codec/librealvideo_plugin.so which requires text
relocation. This is a potential security problem. Most libraries do not need
this permission. Libraries are sometimes coded incorrectly and request this
permission. The SELinux Memory Protection Tests
(http://www.akkadia.org/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/vlc/plugins/codec/librealvideo_plugin.so to use relocation as a
workaround, until the library is fixed. Please file a bug report.

Permitindo acesso:

Se você confiar que o /usr/lib/vlc/plugins/codec/librealvideo_plugin.so irá
rodar corretamente, você pode mudar o contexto do arquivo para textrel_shlib_t.
"chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/librealvideo_plugin.so'"
Você deve também alterar o arquivo padrão dos arquivos de contexto no sistema
para preservá-los mesmo em uma reetiquetagem completa. "semanage fcontext -a -t
textrel_shlib_t '/usr/lib/vlc/plugins/codec/librealvideo_plugin.so'"

Comando de correção:

chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/librealvideo_plugin.so'

Informações adicionais:

Contexto de origem            system_u:system_r:rpm_script_t:s0-s0:c0.c1023
Contexto de destino           system_u:object_r:lib_t:s0
Objetos de destino            /usr/lib/vlc/plugins/codec/librealvideo_plugin.so
                              [ file ]
Origem                        vlc-cache-gen
Caminho da origem             /usr/lib/vlc/vlc-cache-gen
Porta                         <Desconhecido>
Máquina                       (removido)
Pacotes RPM de origem         vlc-core-1.1.4-2.fc13
Pacotes RPM de destino        vlc-core-1.1.4-2.fc13
RPM da política               selinux-policy-3.7.19-54.fc13
Selinux habilitado            True
Tipo de política              targeted
Modo reforçado                Enforcing
Nome do plugin                allow_execmod
Nome da máquina               (removido)
Plataforma                    Linux (removido) 2.6.34.6-47.fc13.i686 #1 SMP Fri Aug
                              27 09:48:44 UTC 2010 i686 i686
Contador de alertas           2
Visto pela primeira vez em    Ter 07 Set 2010 12:55:13 BRT
Visto pela última vez em      Ter 07 Set 2010 12:55:15 BRT
ID local                      3b07f8b9-ca0c-40ec-a29e-73187d092b7d
Números de linha              

Mensagens de auditoria não pr 

node=(removido) type=AVC msg=audit(1283874915.431:24): avc:  denied  { execmod } for  pid=2431 comm="vlc-cache-gen" path="/usr/lib/vlc/plugins/codec/librealvideo_plugin.so" dev=dm-0 ino=920091 scontext=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=(removido) type=SYSCALL msg=audit(1283874915.431:24): arch=40000003 syscall=125 success=no exit=-13 a0=4c4d000 a1=1b000 a2=5 a3=bfb8ca90 items=0 ppid=2430 pid=2431 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="vlc-cache-gen" exe="/usr/lib/vlc/vlc-cache-gen" subj=system_u:system_r:rpm_script_t:s0-s0:c0.c1023 key=(null)



Hash String generated from  allow_execmod,vlc-cache-gen,rpm_script_t,lib_t,file,execmod
audit2allow suggests:

#============= rpm_script_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execmod'

allow rpm_script_t lib_t:file execmod;

Comment 1 Daniel Walsh 2010-09-07 18:22:14 UTC
restorecon -R -v /var/lib/vlc

Should fix.

Comment 2 Jerry Amundson 2010-09-23 03:15:24 UTC
(In reply to comment #1)
> restorecon -R -v /var/lib/vlc
> 
> Should fix.

# restorecon -R -v /var/lib/vlc
#

Would the lack of output to my command indicate nothing was fixed?

Comment 3 Miroslav Grepl 2010-09-23 11:43:26 UTC
The label is fixed in selinux-policy-3.7.19-61.fc13.

chcon -t textrel_shlib_t '/usr/lib/vlc/plugins/codec/librealvideo_plugin.so'

will fix for now.

Comment 4 Fedora Update System 2010-09-24 13:58:12 UTC
selinux-policy-3.7.19-62.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-62.fc13

Comment 5 Fedora Update System 2010-09-26 04:32:11 UTC
selinux-policy-3.7.19-62.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update selinux-policy'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/selinux-policy-3.7.19-62.fc13

Comment 6 Mircea Sava 2010-09-26 10:29:43 UTC
These spanish people are incredible rude these days.

Comment 7 Laurent Jacquot 2010-10-02 16:57:56 UTC
the label is fixed with selinux-policy-3.7.19-61.fc13 for me.
As far as I am concerned, bug is FIXED

Comment 8 Daniel Walsh 2010-10-03 10:57:03 UTC
Update the karma.

Comment 9 Fedora Update System 2010-10-05 09:35:01 UTC
selinux-policy-3.7.19-62.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.