libreport version: 2.0.6 executable: /usr/bin/python hashmarkername: setroubleshoot kernel: 3.1.0-0.rc8.git0.1.fc16.i686 reason: SELinux is preventing /usr/lib/xulrunner-2/plugin-container from 'execmod' accesses on the file /usr/lib/flash-plugin/libflashplayer.so. time: Wed Oct 5 23:35:40 2011 description: :SELinux is preventing /usr/lib/xulrunner-2/plugin-container from 'execmod' accesses on the file /usr/lib/flash-plugin/libflashplayer.so. : :***** Plugin allow_execmod (91.4 confidence) suggests ********************** : :If you want to allow plugin-container to have execmod access on the libflashplayer.so file :Then you need to change the label on '/usr/lib/flash-plugin/libflashplayer.so' :Do :# semanage fcontext -a -t textrel_shlib_t '/usr/lib/flash-plugin/libflashplayer.so' :# restorecon -v '/usr/lib/flash-plugin/libflashplayer.so' : :***** Plugin catchall (9.59 confidence) suggests *************************** : :If you believe that plugin-container should be allowed execmod access on the libflashplayer.so file by default. :Then you should report this as a bug. :You can generate a local policy module to allow this access. :Do :allow this access for now by executing: :# grep plugin-containe /var/log/audit/audit.log | audit2allow -M mypol :# semodule -i mypol.pp : :Additional Information: :Source Context unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c : 0.c1023 :Target Context system_u:object_r:lib_t:s0 :Target Objects /usr/lib/flash-plugin/libflashplayer.so [ file ] :Source plugin-containe :Source Path /usr/lib/xulrunner-2/plugin-container :Port <未知> :Host (removed) :Source RPM Packages xulrunner-7.0.1-1.fc16 :Target RPM Packages flash-plugin-11.0.1.152-release :Policy RPM selinux-policy-3.10.0-36.fc16 :Selinux Enabled True :Policy Type targeted :Enforcing Mode Enforcing :Host Name (removed) :Platform Linux (removed) : 3.1.0-0.rc8.git0.1.fc16.i686 #1 SMP Tue Oct 4 : 04:11:07 UTC 2011 i686 i686 :Alert Count 4 :First Seen 2011年10月05日 星期三 23时22分39秒 :Last Seen 2011年10月05日 星期三 23时23分24秒 :Local ID 59efa4e8-7bb3-4da0-9947-76a7fa3d540e : :Raw Audit Messages :type=AVC msg=audit(1317828204.798:267): avc: denied { execmod } for pid=8732 comm="plugin-containe" path="/usr/lib/flash-plugin/libflashplayer.so" dev=sda4 ino=272064 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file : : :type=SYSCALL msg=audit(1317828204.798:267): arch=i386 syscall=mprotect success=no exit=EACCES a0=448e000 a1=fc7000 a2=5 a3=bfcff0a0 items=0 ppid=8461 pid=8732 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=11 comm=plugin-containe exe=/usr/lib/xulrunner-2/plugin-container subj=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 key=(null) : :Hash: plugin-containe,mozilla_plugin_t,lib_t,file,execmod : :audit2allow : :#============= mozilla_plugin_t ============== :allow mozilla_plugin_t lib_t:file execmod; : :audit2allow -R : :#============= mozilla_plugin_t ============== :allow mozilla_plugin_t lib_t:file execmod; :
Same problem here. "dmesg|grep libflash" says > [ 6724.467491] type=1400 audit(1317838108.214:6301): avc: denied { execmod } for pid=2746 comm="plugin-containe" path="/usr/lib/flash-plugin/libflashplayer.so" dev=dm-1 ino=2363819 scontext=unconfined_u:unconfined_r:mozilla_plugin_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
Is this an old libflash?
Don't know. Timestamp says it from 24. Sep 03:45 so
I think this might only apply to i686 not x86_64 I have tried the flash 11 64bit and it does not need text relocation it seems. "anyone yet reported that the latest adobe flash player flash-plugin-11.0.1.152-release.i386 has text relocations in it?"
flash-plugin-11.0.1.152-release.i386 indeed contains text relocations. Shame on you Adobe SETroubleshoot denial follows Summary: SELinux is preventing /usr/lib/thunderbird-3.0/thunderbird-bin from loading /usr/lib/flash-plugin/libflashplayer.so which requires text relocation. Detailed Description: The thunderbird-bin application attempted to load /usr/lib/flash-plugin/libflashplayer.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/flash-plugin/libflashplayer.so to use relocation as a workaround, until the library is fixed. Please file a bug report. Allowing Access: If you trust /usr/lib/flash-plugin/libflashplayer.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib/flash-plugin/libflashplayer.so'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/usr/lib/flash-plugin/libflashplayer.so'" Fix Command: chcon -t textrel_shlib_t '/usr/lib/flash-plugin/libflashplayer.so' Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context system_u:object_r:lib_t:s0 Target Objects /usr/lib/flash-plugin/libflashplayer.so [ file ] Source thunderbird-bin Source Path /usr/lib/thunderbird-3.0/thunderbird-bin Port <Unknown> Host localhost.localdomain Source RPM Packages thunderbird-3.0.10-1.fc12 Target RPM Packages flash-plugin-11.0.1.152-release Policy RPM selinux-policy-3.6.32-127.fc12 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Plugin Name allow_execmod Host Name localhost.localdomain Platform Linux localhost.localdomain 2.6.32.26-175.fc12.i686.PAE #1 SMP Wed Dec 1 21:45:50 UTC 2010 i686 i686 Alert Count 119 First Seen Wed 05 Oct 2011 10:16:16 AM EDT Last Seen Wed 05 Oct 2011 04:54:52 PM EDT Local ID 43ec9ae9-ac25-4374-ace5-3bcb734f36ea Line Numbers Raw Audit Messages node=localhost.localdomain type=AVC msg=audit(1317848092.762:2780): avc: denied { execmod } for pid=6218 comm="thunderbird-bin" path="/usr/lib/flash-plugin/libflashplayer.so" dev=dm-0 ino=564221 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file node=localhost.localdomain type=SYSCALL msg=audit(1317848092.762:2780): arch=40000003 syscall=125 success=no exit=-13 a0=97691000 a1=fc7000 a2=5 a3=bfa01e80 items=0 ppid=6214 pid=6218 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=14 comm="thunderbird-bin" exe="/usr/lib/thunderbird-3.0/thunderbird-bin" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
(In reply to comment #2) > Is this an old libflash? Dan i get the same problem and i have the latest Flash 11 and im on F16 up to date also
Looks like adobe screwed up again. Looks like we need to turn on textrel_shlib_t again. Fixed in selinux-policy-3.10.0-39.fc16
*** Bug 743634 has been marked as a duplicate of this bug. ***
*** Bug 743939 has been marked as a duplicate of this bug. ***
selinux-policy-3.10.0-40.fc16 has been submitted as an update for Fedora 16. https://admin.fedoraproject.org/updates/selinux-policy-3.10.0-40.fc16
Package selinux-policy-3.10.0-40.fc16: * should fix your issue, * was pushed to the Fedora 16 testing repository, * should be available at your local mirror within two days. Update it with: # su -c 'yum update --enablerepo=updates-testing selinux-policy-3.10.0-40.fc16' as soon as you are able to. Please go to the following url: https://admin.fedoraproject.org/updates/FEDORA-2011-14363 then log in and leave karma (feedback).
selinux-policy-3.10.0-40.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.