libavformat and SELinux policy issue

Daniel J Walsh dwalsh at redhat.com
Wed Nov 5 20:25:30 UTC 2008



Rahul Sundaram wrote:
> Hi,
> 
> When using mplayer for the past few days, I am getting the following
> SELinux policy issue:
> 
> ----
> 
> Summary:
> 
> SELinux is preventing totem-video-thu from loading
> /usr/lib/sse2/libavformat.so.52.22.1 which requires text relocation.
> 
> Detailed Description:
> 
> The totem-video-thu application attempted to load
> /usr/lib/sse2/libavformat.so.52.22.1 which requires text relocation. This is
> a potential security problem. Most libraries do not need this permission.
> Libraries are sometimes coded incorrectly and request this permission. The
> SELinux Memory Protection Tests
> (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
> remove this requirement. You can configure SELinux temporarily to allow
> /usr/lib/sse2/libavformat.so.52.22.1 to use relocation as a workaround, until
> the library is fixed. Please file a bug report
> (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
> 
> Allowing Access:
> 
> If you trust /usr/lib/sse2/libavformat.so.52.22.1 to run correctly, you can
> change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
> '/usr/lib/sse2/libavformat.so.52.22.1'" You must also change the default file
> context files on the system in order to preserve them even on a full relabel.
> "semanage fcontext -a -t textrel_shlib_t
> '/usr/lib/sse2/libavformat.so.52.22.1'"
> 
> Fix Command:
> 
> chcon -t textrel_shlib_t '/usr/lib/sse2/libavformat.so.52.22.1'
> 
> Additional Information:
> 
> Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> Target Context                system_u:object_r:lib_t:s0
> Target Objects                /usr/lib/sse2/libavformat.so.52.22.1 [ file ]
> Source                        totem-video-thu
> Source Path                   /usr/bin/totem-video-thumbnailer
> Port                          <Unknown>
> Host                          sundaram.redhat.com
> Source RPM Packages           totem-2.24.3-1.fc10
> Target RPM Packages           ffmpeg-libs-0.4.9-0.51.20080908.fc10
> Policy RPM                    selinux-policy-3.5.13-11.fc10
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   allow_execmod
> Host Name                     sundaram.redhat.com
> Platform                      Linux sundaram.redhat.com
>                               2.6.27.4-68.fc10.i686 #1 SMP Thu Oct 30 00:49:42
>                               EDT 2008 i686 i686
> Alert Count                   719
> First Seen                    Thu 06 Nov 2008 12:51:21 AM IST
> Last Seen                     Thu 06 Nov 2008 01:05:40 AM IST
> Local ID                      7e3f9978-5247-4568-9b3b-f14b7db6643c
> Line Numbers
> 
> Raw Audit Messages
> 
> node=sundaram.redhat.com type=AVC msg=audit(1225913740.104:764): avc:
> denied  { execmod } for  pid=16396 comm="totem-video-thu"
> path="/usr/lib/sse2/libavformat.so.52.22.1" dev=dm-0 ino=70735
> scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:lib_t:s0 tclass=file
> 
> node=sundaram.redhat.com type=SYSCALL msg=audit(1225913740.104:764):
> arch=40000003 syscall=125 success=no exit=-13 a0=15e2000 a1=ac000 a2=5
> a3=b735a350 items=0 ppid=2638 pid=16396 auid=500 uid=500 gid=500
> euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
> comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer"
> subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> 
> ---
> 
> Rahul
> 

Fixed in selinux-policy-3.5.13-16.fc10
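
Added example (not part of either message, and not setroubleshoot's own code): the Python below pairs the AVC record quoted above with its SYSCALL record by audit event id and decodes the call. It shows that the denied operation was an mprotect() to PROT_READ|PROT_EXEC on a file labelled lib_t, which is where execmod is checked after the loader has applied text relocations. The function names and the arch/syscall table are this example's own, and the SYSCALL record is abridged to the fields used.

```python
import re

# Raw audit records from the post, rejoined onto one line each (SYSCALL abridged).
RECORDS = [
    'node=sundaram.redhat.com type=AVC msg=audit(1225913740.104:764): avc: '
    'denied  { execmod } for  pid=16396 comm="totem-video-thu" '
    'path="/usr/lib/sse2/libavformat.so.52.22.1" dev=dm-0 ino=70735 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=file',
    'node=sundaram.redhat.com type=SYSCALL msg=audit(1225913740.104:764): '
    'arch=40000003 syscall=125 success=no exit=-13 a0=15e2000 a1=ac000 a2=5 '
    'a3=b735a350 items=0 ppid=2638 pid=16396 auid=500 uid=500 gid=500 '
    'comm="totem-video-thu" exe="/usr/bin/totem-video-thumbnailer"',
]
# (audit arch, syscall number) pairs that mean mprotect: i386 and x86_64.
MPROTECT = {("40000003", 125), ("c000003e", 10)}
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}

def fields(rec):
    """Return the key=value pairs of one record, its event id and AVC perms."""
    f = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', rec)}
    f["event"] = re.search(r"audit\(([\d.]+:\d+)\)", rec).group(1)
    m = re.search(r"\{ ([^}]*)\}", rec)
    f["perms"] = m.group(1).split() if m else []
    return f

def execmod_events(records):
    """Pair each execmod AVC denial with the SYSCALL record of the same event."""
    avc, sysc = {}, {}
    for f in map(fields, records):
        if f["type"] in ("AVC", "SYSCALL"):
            (avc if f["type"] == "AVC" else sysc)[f["event"]] = f
    out = []
    for ev, a in avc.items():
        if "execmod" not in a["perms"]:
            continue
        s = sysc.get(ev, {})
        is_mprotect = (s.get("arch"), int(s.get("syscall", -1))) in MPROTECT
        prot = int(s["a2"], 16) if is_mprotect else 0  # audit logs args in hex
        out.append({
            "event": ev, "comm": a["comm"], "path": a["path"],
            "tcontext": a["tcontext"],
            "syscall": "mprotect" if is_mprotect else s.get("syscall"),
            "prot": [name for bit, name in PROT.items() if prot & bit],
        })
    return out

if __name__ == "__main__":
    print(execmod_events(RECORDS))
```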



