Bug 1548

Summary: selinux AVC execstack using phonon-backend-vlc
Product: Fedora Reporter: Gabriel Ramirez <gabriello.ramirez>
Component: vlc Assignee: Nicolas Chauvet <kwizart>
Status: RESOLVED FIXED    
Severity: normal CC: rdieter
Priority: P5    
Version: 14   
Hardware: i386   
OS: GNU/Linux   
namespace:

Description Gabriel Ramirez 2010-12-09 20:24:42 CET
Fedora 14 Release i686 KDE 4.5.4
phonon-backend-vlc-0.3.1-0.1.fc14.i686
vlc-core-1.1.5-1.fc14.i686
vlc-1.1.5-1.fc14.i686

using phonon-backend-vlc in KDE 4.5.4 (also occurs in 4.5.3) triggers selinux AVC execstack in knotify, systemsettings, firefox, rekonq, amarok

because the following libraries have set the executable stack flag:

find /usr/lib -exec execstack -q {} \; -print 2> /dev/null | grep ^X
X /usr/lib/vlc/plugins/codec/libdmo_plugin.so
X /usr/lib/vlc/plugins/codec/librealvideo_plugin.so

clearing the flag with:

execstack -c /usr/lib/vlc/plugins/codec/libdmo_plugin.so
execstack -c /usr/lib/vlc/plugins/codec/librealvideo_plugin.so

and after reboot, no selinux AVC is triggered or logged in /var/lib/audit/audit.log

Testcase:

install phonon-backend-vlc
restart
select kde session
open konsole
tailf /var/log/audit/audit.log
open system settings/Multimedia/Phonon/Backend
give preference to the VLC backend
after that a selinux AVC will be logged execstack comm systemsettings
close system settings
restart the machine

after login in kde
some selinux AVC for knotify4 will be logged
type=AVC msg=audit(1291789096.454:27717): avc:  denied  { execstack } for  pid=1979 comm="knotify4" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

in a konsole
sudo tailf /var/log/audit/audit.log

open system settings/Multimedia/Phonon/Backend
some selinux AVC will be generated
type=AVC msg=audit(1291789411.208:27737): avc:  denied  { execstack } for  pid=2423 comm="systemsettings" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

open amarok, play music, some selinux AVC will be logged
type=AVC msg=audit(1291792951.938:27787): avc:  denied  { execstack } for  pid=3059 comm="amarok" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

clear the executable stack flag from the above two libraries, reboot, no more selinux AVCs

Gabriel
Comment 1 Rex Dieter 2010-12-09 20:31:07 CET
I can confirm this occurs (on i686 only, x86_64 was free of execstack)
Comment 2 Nicolas Chauvet 2010-12-14 23:23:28 CET
Is it possible for someone to track this issue?
I've tried to rebuild vlc with -fPIC previously so the problem disappeared, but now it's there again...
Comment 3 Gabriel Ramirez 2011-01-13 06:56:48 CET
maybe the following link can be used to build the package without execstack

https://bugzilla.redhat.com/show_bug.cgi?id=652297#c66

Gabriel
Comment 4 Nicolas Chauvet 2011-02-04 14:48:56 CET
Fixed with vlc-1.1.7-1.fc14, although the root cause still needs to be tracked upstream
(probably raised by an invalid mprotect call).

Please give a try on:
yum update --enablerepo=rpmfusion-free-updates-testing vlc\*

Comment 5 Gabriel Ramirez 2011-02-05 20:06:13 CET
thanks, the update vlc-1.1.7-1.fc14.i686 fixes the selinux issue

but maybe phonon-backend-vlc-0.3.1-0.1.fc14.i686 needs to be recompiled against the new vlc, because at the moment I have sound glitches playing music in amarok, and before the update to 1.1.7 amarok didn't have any sound glitches, but vlc 1.1.7 plays videos without problems