Bug 777

Summary: selinux screamed at me after installing mplayer/xvidcore.
Product: Fedora
Reporter: Joel Andres Granados <joel.granados>
Component: xvidcore
Assignee: Dominik 'Rathann' Mierzejewski <dominik>
Status: RESOLVED FIXED
Severity: normal
CC: hans
Priority: P5
Version: 14   
Hardware: All   
OS: GNU/Linux   
namespace:

Description Joel Andres Granados 2009-08-20 16:20:44 CEST
Summary:

After installing mplayer/xvidcore I could not see an ogv file.  After some meddling around I found out that it was because of selinux.

Long story:
[root@dhcp-lab-139 ~]# mplayer /home/joel/Misc/out.ogv 
mplayer: error while loading shared libraries: /usr/lib64/libxvidcore.so.4: cannot restore segment prot after reloc: Permission denied
[root@dhcp-lab-139 ~]# setenforce 0
[root@dhcp-lab-139 ~]# mplayer /home/joel/Misc/out.ogv 
MPlayer 29092-4.4.0 (C) 2000-2009 MPlayer Team
mplayer: could not connect to socket
mplayer: No such file or directory
Failed to open LIRC support. You will not be able to use your remote control.

Playing /home/joel/Misc/out.ogv.
.
.
It works....
.
.

Exiting... (End of file)
[root@dhcp-lab-139 ~]# tail /var/log/messages 
.
.
.
Aug 20 15:54:05 dhcp-lab-139 setroubleshoot: SELinux is preventing mplayer from loading /usr/lib64/libxvidcore.so.4.2 which requires text relocation. For complete SELinux messages. run sealert -l 8dfda1ce-03c0-4b8e-9a25-9e11bc1cf

[root@dhcp-lab-139 ~]# sealert -l 8dfda1ce-03c0-4b8e-9a25-9e11bc1cf05f

Summary:

SELinux is preventing mplayer from loading /usr/lib64/libxvidcore.so.4.2 which
requires text relocation.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

The mplayer application attempted to load /usr/lib64/libxvidcore.so.4.2 which
requires text relocation. This is a potential security problem. Most libraries
do not need this permission. Libraries are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib64/libxvidcore.so.4.2 to use relocation as a workaround, until the
library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib64/libxvidcore.so.4.2 to run correctly, you can change the
file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib64/libxvidcore.so.4.2'" You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t textrel_shlib_t '/usr/lib64/libxvidcore.so.4.2'"

Fix Command:

chcon -t textrel_shlib_t '/usr/lib64/libxvidcore.so.4.2'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_execmem_t:s0-
                              s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib64/libxvidcore.so.4.2 [ file ]
Source                        mplayer
Source Path                   <Unknown>
Port                          <Unknown>
Host                          ###########################
Source RPM Packages           
Target RPM Packages           xvidcore-1.2.1-2.fc11
Policy RPM                    selinux-policy-3.6.26-8.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     #############################
Platform                      Linux ################################/
                              2.6.31-0.125.rc5.git2.fc12.x86_64 #1 SMP Tue Aug 4
                              02:59:17 EDT 2009 x86_64 x86_64
Alert Count                   12
First Seen                    Thu Aug 20 15:37:59 2009
Last Seen                     Thu Aug 20 15:54:05 2009
Local ID                      8dfda1ce-03c0-4b8e-9a25-9e11bc1cf05f
Line Numbers                  

Raw Audit Messages            

node=########################### type=AVC msg=audit(1250776445.807:21836): avc:  denied  { execmod } for  pid=8867 comm="mplayer" path="/usr/lib64/libxvidcore.so.4.2" dev=dm-1 ino=37460 scontext=unconfined_u:unconfined_r:u
_u:object_r:lib_t:s0 tclass=file

Comment 1 Hans de Goede 2009-09-21 12:30:48 CEST
This is caused by xvidcore using inline asm on x86_64 too nowadays. This has been fixed in Fedora's selinux policy, so I'm closing this.