Today's rawhide -- SELinux is preventing /usr/lib/firefox-2.0.0.3/firefox-bin from loading /usr/lib/mozilla/plugins/libvlcplugin.so which requires text relocation.
Daniel J Walsh
dwalsh at redhat.com
Wed May 16 01:23:36 UTC 2007
Miles Lane wrote:
> Summary
> SELinux is preventing /usr/lib/firefox-2.0.0.3/firefox-bin from
> loading
> /usr/lib/mozilla/plugins/libvlcplugin.so which requires text
> relocation.
>
> Detailed Description
> The /usr/lib/firefox-2.0.0.3/firefox-bin application attempted to load
> /usr/lib/mozilla/plugins/libvlcplugin.so which requires text
> relocation.
> This is a potential security problem. Most libraries do not need this
> permission. Libraries are sometimes coded incorrectly and request this
> permission. The http://people.redhat.com/drepper/selinux-mem.html
> web page
> explains how to remove this requirement. You can configure SELinux
> temporarily to allow /usr/lib/mozilla/plugins/libvlcplugin.so to use
> relocation as a workaround, until the library is fixed. Please file a
> http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this
> package.
>
> Allowing Access
> If you trust /usr/lib/mozilla/plugins/libvlcplugin.so to run
> correctly, you
> can change the file context to textrel_shlib_t. "chcon -t
> textrel_shlib_t
> /usr/lib/mozilla/plugins/libvlcplugin.so"
>
> The following command will allow this access:
> chcon -t textrel_shlib_t /usr/lib/mozilla/plugins/libvlcplugin.so
>
> Additional Information
>
> Source Context user_u:system_r:unconfined_t
> Target Context system_u:object_r:lib_t
> Target Objects /usr/lib/mozilla/plugins/libvlcplugin.so
> [ file ]
> Affected RPM Packages firefox-2.0.0.3-4.fc7 [application]mozilla-
> vlc-0.8.6b-4.lvn7 [target]
> Policy RPM selinux-policy-2.6.1-1.fc7
> Selinux Enabled True
> Policy Type targeted
> MLS Enabled True
> Enforcing Mode Enforcing
> Plugin Name plugins.allow_execmod
> Host Name localhost.localdomain
> Platform Linux localhost.localdomain
> 2.6.21-1.3142.fc7 #1
> SMP Mon May 7 21:14:09 EDT 2007 i686 athlon
> Alert Count 2
> First Seen Tue 15 May 2007 04:45:15 PM PDT
> Last Seen Tue 15 May 2007 04:45:15 PM PDT
> Local ID 6c433235-3c30-4667-9fcb-fb442d89ded0
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { execmod } for comm="firefox-bin" dev=sda5 egid=500 euid=500
> exe="/usr/lib/firefox-2.0.0.3/firefox-bin" exit=-13 fsgid=500
> fsuid=500 gid=500
> items=0 name="libvlcplugin.so"
> path="/usr/lib/mozilla/plugins/libvlcplugin.so"
> pid=4856 scontext=user_u:system_r:unconfined_t:s0 sgid=500
> subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=file
> tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=500
>
Where did this plugin come from? It should be reported as a bug to the
developers of the plugin.
We can change the file context to set it textrel, but it would be better
if the distributors fixed the library.