Bug 743641 - SELinux is preventing /usr/lib/xulrunner-2/plugin-container from 'execmod' accesses on the file /usr/lib/flash-plugin/libflashplayer.so.
Summary: SELinux is preventing /usr/lib/xulrunner-2/plugin-container from 'execmod' ac...
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 16
Hardware: i686
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard: abrt_hash:75e9a29d22012442c87056bfdd1...
Keywords:
: 743634 743939 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-10-05 15:36 UTC by Tommy He
Modified: 2011-10-19 04:30 UTC (History)
12 users (show)

(edit)
Clone Of:
(edit)
Last Closed: 2011-10-19 04:30:45 UTC


Attachments (Terms of Use)

Description Tommy He 2011-10-05 15:36:39 UTC
libreport version: 2.0.6
executable:     /usr/bin/python
hashmarkername: setroubleshoot
kernel:         3.1.0-0.rc8.git0.1.fc16.i686
reason:         SELinux is preventing /usr/lib/xulrunner-2/plugin-container from 'execmod' accesses on the file /usr/lib/flash-plugin/libflashplayer.so.
time:           Wed Oct  5 23:35:40 2011

description:
:SELinux is preventing /usr/lib/xulrunner-2/plugin-container from 'execmod' accesses on the file /usr/lib/flash-plugin/libflashplayer.so.
:
:*****  Plugin allow_execmod (91.4 confidence) suggests  **********************
:
:If you want to allow plugin-container to have execmod access on the libflashplayer.so file
:Then you need to change the label on '/usr/lib/flash-plugin/libflashplayer.so'
:Do
:# semanage fcontext -a -t textrel_shlib_t '/usr/lib/flash-plugin/libflashplayer.so'
:# restorecon -v '/usr/lib/flash-plugin/libflashplayer.so'
:
:*****  Plugin catchall (9.59 confidence) suggests  ***************************
:
:If you believe that plugin-container should be allowed execmod access on the libflashplayer.so file by default.
:Then you should report this as a bug.
:You can generate a local policy module to allow this access.
:Do
:allow this access for now by executing:
:# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol
:# semodule -i mypol.pp
:
:Additional Information:
:Source Context                unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c
:                              0.c1023
:Target Context                system_u:object_r:lib_t:s0
:Target Objects                /usr/lib/flash-plugin/libflashplayer.so [ file ]
:Source                        plugin-containe
:Source Path                   /usr/lib/xulrunner-2/plugin-container
:Port                          <未知>
:Host                          (removed)
:Source RPM Packages           xulrunner-7.0.1-1.fc16
:Target RPM Packages           flash-plugin-11.0.1.152-release
:Policy RPM                    selinux-policy-3.10.0-36.fc16
:Selinux Enabled               True
:Policy Type                   targeted
:Enforcing Mode                Enforcing
:Host Name                     (removed)
:Platform                      Linux (removed)
:                              3.1.0-0.rc8.git0.1.fc16.i686 #1 SMP Tue Oct 4
:                              04:11:07 UTC 2011 i686 i686
:Alert Count                   4
:First Seen                    2011年10月05日 星期三 23时22分39秒
:Last Seen                     2011年10月05日 星期三 23时23分24秒
:Local ID                      59efa4e8-7bb3-4da0-9947-76a7fa3d540e
:
:Raw Audit Messages
:type=AVC msg=audit(1317828204.798:267): avc:  denied  { execmod } for  pid=8732 comm="plugin-containe" path="/usr/lib/flash-plugin/libflashplayer.so" dev=sda4 ino=272064 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
:
:
:type=SYSCALL msg=audit(1317828204.798:267): arch=i386 syscall=mprotect success=no exit=EACCES a0=448e000 a1=fc7000 a2=5 a3=bfcff0a0 items=0 ppid=8461 pid=8732 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=11 comm=plugin-containe exe=/usr/lib/xulrunner-2/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null)
:
:Hash: plugin-containe,mozilla_plugin_t,lib_t,file,execmod
:
:audit2allow
:
:#============= mozilla_plugin_t ==============
:allow mozilla_plugin_t lib_t:file execmod;
:
:audit2allow -R
:
:#============= mozilla_plugin_t ==============
:allow mozilla_plugin_t lib_t:file execmod;
:

Comment 1 Heiko Adams 2011-10-05 18:20:05 UTC
Same problem here. 

"dmesg|grep libflash" says
> [ 6724.467491] type=1400 audit(1317838108.214:6301): avc:  denied  { execmod } for  pid=2746 comm="plugin-containe" path="/usr/lib/flash-plugin/libflashplayer.so" dev=dm-1 ino=2363819 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

Comment 2 Daniel Walsh 2011-10-05 20:40:33 UTC
Is this an old libflash?

Comment 3 Heiko Adams 2011-10-05 20:53:01 UTC
Don't know. Timestamp says it from 24. Sep 03:45 so

Comment 4 Dominick Grift 2011-10-05 21:08:04 UTC
I think this might only apply to i686 not x86_64

I have tried the flash 11 64bit and it does not need text relocation it seems.

"anyone yet reported that the latest adobe flash player flash-plugin-11.0.1.152-release.i386 has text relocations in it?"

Comment 5 Scott R. Godin 2011-10-05 22:13:07 UTC
flash-plugin-11.0.1.152-release.i386 indeed contains text relocations. Shame on you Adobe

SETroubleshoot denial follows

Summary:

SELinux is preventing /usr/lib/thunderbird-3.0/thunderbird-bin from loading
/usr/lib/flash-plugin/libflashplayer.so which requires text relocation.

Detailed Description:

The thunderbird-bin application attempted to load
/usr/lib/flash-plugin/libflashplayer.so which requires text relocation. This is
a potential security problem. Most libraries do not need this permission.
Libraries are sometimes coded incorrectly and request this permission. The
SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/flash-plugin/libflashplayer.so to use relocation as a workaround, until
the library is fixed. Please file a bug report.

Allowing Access:

If you trust /usr/lib/flash-plugin/libflashplayer.so to run correctly, you can
change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/flash-plugin/libflashplayer.so'" You must also change the default file
context files on the system in order to preserve them even on a full relabel.
"semanage fcontext -a -t textrel_shlib_t
'/usr/lib/flash-plugin/libflashplayer.so'"

Fix Command:

chcon -t textrel_shlib_t '/usr/lib/flash-plugin/libflashplayer.so'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/flash-plugin/libflashplayer.so [ file ]
Source                        thunderbird-bin
Source Path                   /usr/lib/thunderbird-3.0/thunderbird-bin
Port                          <Unknown>
Host                          localhost.localdomain
Source RPM Packages           thunderbird-3.0.10-1.fc12
Target RPM Packages           flash-plugin-11.0.1.152-release
Policy RPM                    selinux-policy-3.6.32-127.fc12
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     localhost.localdomain
Platform                      Linux localhost.localdomain
                              2.6.32.26-175.fc12.i686.PAE #1 SMP Wed Dec 1
                              21:45:50 UTC 2010 i686 i686
Alert Count                   119
First Seen                    Wed 05 Oct 2011 10:16:16 AM EDT
Last Seen                     Wed 05 Oct 2011 04:54:52 PM EDT
Local ID                      43ec9ae9-ac25-4374-ace5-3bcb734f36ea
Line Numbers                  

Raw Audit Messages            

node=localhost.localdomain type=AVC msg=audit(1317848092.762:2780): avc:  denied  { execmod } for  pid=6218 comm="thunderbird-bin" path="/usr/lib/flash-plugin/libflashplayer.so" dev=dm-0 ino=564221 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=localhost.localdomain type=SYSCALL msg=audit(1317848092.762:2780): arch=40000003 syscall=125 success=no exit=-13 a0=97691000 a1=fc7000 a2=5 a3=bfa01e80 items=0 ppid=6214 pid=6218 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=14 comm="thunderbird-bin" exe="/usr/lib/thunderbird-3.0/thunderbird-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Comment 6 Greg` 2011-10-05 22:20:29 UTC
(In reply to comment #2)
> Is this an old libflash?

Dan  i get the same problem and i have the latest Flash 11 and im on F16 up to date also

Comment 7 Daniel Walsh 2011-10-06 13:59:30 UTC
Looks like adobe screwed up again.  Looks like we need to turn on textrel_shlib_t again.

Fixed in selinux-policy-3.10.0-39.fc16

Comment 8 Daniel Walsh 2011-10-06 14:20:18 UTC
*** Bug 743634 has been marked as a duplicate of this bug. ***

Comment 9 Daniel Walsh 2011-10-06 14:32:13 UTC
*** Bug 743939 has been marked as a duplicate of this bug. ***

Comment 10 Fedora Update System 2011-10-14 16:17:35 UTC
selinux-policy-3.10.0-40.fc16 has been submitted as an update for Fedora 16.
https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-40.fc16

Comment 11 Fedora Update System 2011-10-15 14:31:17 UTC
Package selinux-policy-3.10.0-40.fc16:
* should fix your issue,
* was pushed to the Fedora 16 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-40.fc16'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2011-14363
then log in and leave karma (feedback).

Comment 12 Fedora Update System 2011-10-19 04:30:45 UTC
selinux-policy-3.10.0-40.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.