SElinux

Leon sdl.web at gmail.com
Sun Apr 2 11:22:44 UTC 2006


Antonio Olivares <olivares14031 at yahoo.com> writes:

> --- Craig White <craigwhite at azapple.com> wrote:
>
>> On Sun, 2006-04-02 at 03:05 +0100, Leon wrote:
>> > Thank you Craig and Kam. However selinux will
>> disable flash plugin for
>> > firefox, prevent mplayer from playing .mkv files,
>> etc. All of these
>> > are quite essential for desktop users.
>>
>
> For flashplayer troubles, all you need to do is the
> following as Justin told me to do on the
> fedora-test-list 
>
>
> Check the context of it with "ls -Z", then change it
> to what's in my example below with "chcon".
>
> ls -Z
> -rwxr-xr-x olivares olivares user_u:object_r:user_home_t flashplayer.xpt
> -rwxr-xr-x olivares olivares user_u:object_r:user_home_t libflashplayer.so
>
> Changed to
>
> chcon system_u:object_r:textrel_shlib_t flashplayer.xpt libflashplayer.so
>
> And flashplayer worked!!  For mplayer, I have not had
> any problems with it.  I can view yahoo movie clips
> and all with the mplayer plugin.  
>
> Selinux should not be disabled for little things like
> this.  You can find workarounds.  Selinux is here to
> help you and protect you from unwanted stuff as Craig
> and others have pointed out to you.  Java is also
> tricky with selinux, but look for the
> workarounds/solutions.  
>
> Regards,
>
> Antonio

Mplayer can play the file, but I can only hear sound, no video. This
file plays fine when I set SELinux to permissive. But I'm not sure if
this is an issue because the file is located on a reiserfs partition.

,------[ auditd log ]
| type=PATH msg=audit(1143975729.532:53): item=0 name="/mnt" flags=1  inode=2 dev=03:07 mode=040755 ouid=0 ogid=0 rdev=00:00
| type=AVC msg=audit(1143975745.489:54): avc:  denied  { execmod } for  pid=2726 comm="mplayer" name="drvc.so" dev=hda1 ino=738032 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
| type=SYSCALL msg=audit(1143975745.489:54): arch=40000003 syscall=125 success=no exit=-13 a0=18b000 a1=4d000 a2=5 a3=bfaf7180 items=0 pid=2726 auid=501 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500 fsgid=500 comm="mplayer" exe="/usr/bin/mplayer"
| type=AVC_PATH msg=audit(1143975745.489:54):  path="/usr/lib/win32/drvc.so"
| type=AVC msg=audit(1143975745.601:55): avc:  denied  { execmod } for  pid=2726 comm="mplayer" name="drv4.so.6.0" dev=hda1 ino=738031 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
| type=SYSCALL msg=audit(1143975745.601:55): arch=40000003 syscall=125 success=no exit=-13 a0=dfd000 a1=49000 a2=5 a3=bfaf7180 items=0 pid=2726 auid=501 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500 fsgid=500 comm="mplayer" exe="/usr/bin/mplayer"
| type=AVC_PATH msg=audit(1143975745.601:55):  path="/usr/lib/win32/drv4.so.6.0"
`------------------------------------------------------------------------

I have read that "File context are stored with the Inode in an
extended attribute on systems that support extended attributes."

Do I need to add user_xattr to /etc/fstab to be something like this:

LABEL=/home /home ext3 defaults,user_xattr 1 2
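The denials in the log above can be read mechanically rather than by eye. The Python below is an added example, not code from the thread: it groups auditd records by their msg=audit(ts:serial) id, joins each AVC record with its SYSCALL and AVC_PATH record, and maps the one pattern seen here (execmod denied on a file labelled lib_t) to the usual textrel_shlib_t relabel; the function names are my own.

```python
import re

# Records copied from the auditd log quoted above; all records of one event share msg=audit(ts:serial).
AUDIT_LOG = """\
type=PATH msg=audit(1143975729.532:53): item=0 name="/mnt" flags=1  inode=2 dev=03:07 mode=040755 ouid=0 ogid=0 rdev=00:00
type=AVC msg=audit(1143975745.489:54): avc:  denied  { execmod } for  pid=2726 comm="mplayer" name="drvc.so" dev=hda1 ino=738032 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1143975745.489:54): arch=40000003 syscall=125 success=no exit=-13 a0=18b000 a1=4d000 a2=5 a3=bfaf7180 items=0 pid=2726 auid=501 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500 fsgid=500 comm="mplayer" exe="/usr/bin/mplayer"
type=AVC_PATH msg=audit(1143975745.489:54):  path="/usr/lib/win32/drvc.so"
type=AVC msg=audit(1143975745.601:55): avc:  denied  { execmod } for  pid=2726 comm="mplayer" name="drv4.so.6.0" dev=hda1 ino=738031 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1143975745.601:55): arch=40000003 syscall=125 success=no exit=-13 a0=dfd000 a1=49000 a2=5 a3=bfaf7180 items=0 pid=2726 auid=501 uid=501 gid=500 euid=501 suid=501 fsuid=501 egid=500 sgid=500 fsgid=500 comm="mplayer" exe="/usr/bin/mplayer"
type=AVC_PATH msg=audit(1143975745.601:55):  path="/usr/lib/win32/drv4.so.6.0"
"""

REC_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC_RE = re.compile(r'avc:\s+(denied|granted)\s+\{ ([^}]*) \}')

def parse_audit(text):
    """Group records by event serial -> {record type: {field: value}}."""
    events = {}
    for line in text.splitlines():
        m = REC_RE.match(line)
        if not m:
            continue
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in KV_RE.findall(body)}
        avc = AVC_RE.search(body) if rtype == 'AVC' else None
        if avc:  # result and permission set live outside the k=v fields
            fields['result'], fields['perms'] = avc.group(1), avc.group(2).split()
        events.setdefault(serial, {'time': ts})[rtype] = fields
    return events

def denials(events):
    """One summary per denied AVC, joined with its SYSCALL and AVC_PATH records."""
    out = []
    for serial in sorted(events, key=int):
        ev, avc = events[serial], events[serial].get('AVC')
        if not avc or avc['result'] != 'denied':
            continue
        out.append({'serial': int(serial), 'comm': avc['comm'], 'perms': avc['perms'],
                    'exe': ev.get('SYSCALL', {}).get('exe'),
                    'path': ev.get('AVC_PATH', {}).get('path', avc.get('name')),
                    'ttype': avc['tcontext'].split(':')[2], 'tclass': avc['tclass']})
    return out

def suggest(d):
    """Remedy for the pattern in this thread: a library needing text relocations but labelled lib_t."""
    if 'execmod' in d['perms'] and d['tclass'] == 'file' and d['ttype'] == 'lib_t':
        return f"chcon -t textrel_shlib_t {d['path']}"
    return None  # anything else: inspect with audit2why before writing policy
```

`denials(parse_audit(AUDIT_LOG))` yields the two mplayer codec files, and `suggest()` on each gives the relabel command; a relabel done with chcon is lost on a full filesystem relabel unless a matching file context rule is added with semanage.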

>
>> ----
>> The point of security is to stop all non approved
>> actions.
>> 
>> If you install the flash plugin and the flash plugin
>> doesn't provide
>> security contexts for its use, then you will have to
>> fix that issue...I
>> believe the answers to flash plugin problems with
>> SELinux are easily
>> solvable.
>> 
>> I don't know anything about mplayer issues with
>> SELinux but I would
>> assume that if a user posts the errors caused by
>> using mplayer as you
>> suggest, he will find out that a fix is again a
>> relatively simple
>> process.
>> 
>> If you wish to disable SELinux because you don't
>> have the enthusiasm for
>> learning a technology that is incorporated as a
>> layer of security for
>> your protection, you would not be the first or the
>> last to do so, but
>> please recognize that what you are doing is
>> depriving your system of a
>> layer of security because you have found means to
>> justify not learning
>> how to live with it.
>> 
>> Some effort has been spent to educate and provide
>> better tools for the
>> system user - you may wish to start here...
>> 
>> http://fedoraproject.org/wiki/SELinux
>> 
>> or of course, disable it, be done with it and just
>> remember, the next
>> time you tell your friends that Linux is more secure
>> than Windows...that
>> you have opted out of some of those security layers.
>> 
>> Craig

-- 
Leon
