Hello!
I would like to solve the SELinux context issue with vlc on x86. It is supposed to serve the same purpose as mplayer does with 32-bit codec DLLs if they are present on the end-user system.
This affects vlc for Fedora release 5, 6 and devel, only for x86 (not ppc or x86_64).
from https://bugzilla.livna.org/show_bug.cgi?id=1404
----
SELinux is preventing /usr/bin/vlc from loading /usr/lib/vlc/codec/libdmo_plugin.so which requires text relocation.
SELinux is preventing /usr/bin/vlc from loading /usr/lib/vlc/codec/librealaudio_plugin.so which requires text relocation.
I'm not sure if this can be fixed in the vlc package or if it would need to be fixed in the selinux policy package.
I'll attach the saved output from setroubleshoot for these denials.
----

libdmo_plugin denial
-----

Summary
SELinux is preventing /usr/bin/vlc from loading /usr/lib/vlc/codec/libdmo_plugin.so which requires text relocation.

Detailed Description
The /usr/bin/vlc application attempted to load /usr/lib/vlc/codec/libdmo_plugin.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/vlc/codec/libdmo_plugin.so to use relocation as a workaround, until the library is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
If you trust /usr/lib/vlc/codec/libdmo_plugin.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /usr/lib/vlc/codec/libdmo_plugin.so"

The following command will allow this access:
chcon -t textrel_shlib_t /usr/lib/vlc/codec/libdmo_plugin.so

Additional Information:

Source Context: user_u:system_r:unconfined_t
Target Context: system_u:object_r:lib_t
Target Objects: /usr/lib/vlc/codec/libdmo_plugin.so [ file ]
Affected RPM Packages: vlc-0.8.6a-1.lvn6.1 [application]vlc-0.8.6a-1.lvn6.1 [target]
Policy RPM: selinux-policy-2.4.6-27.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.allow_execmod
Host Name: rusharri-lnx2
Platform: Linux rusharri-lnx2 2.6.19-1.2895.fc6 #1 SMP Wed Jan 10 19:28:18 EST 2007 i686 i686
Alert Count: 1
Line Numbers:

Raw Audit Messages:
avc: denied { execmod } for comm="vlc" dev=dm-0 egid=162433 euid=162433 exe="/usr/bin/vlc" exit=-13 fsgid=162433 fsuid=162433 gid=162433 items=0 name="libdmo_plugin.so" path="/usr/lib/vlc/codec/libdmo_plugin.so" pid=10856 scontext=user_u:system_r:unconfined_t:s0 sgid=162433 subj=user_u:system_r:unconfined_t:s0 suid=162433 tclass=file tcontext=system_u:object_r:lib_t:s0 tty=pts1 uid=162433

--------
librealaudio_plugin denial
--------

Summary
SELinux is preventing /usr/bin/vlc from loading /usr/lib/vlc/codec/librealaudio_plugin.so which requires text relocation.

Detailed Description
The /usr/bin/vlc application attempted to load /usr/lib/vlc/codec/librealaudio_plugin.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/vlc/codec/librealaudio_plugin.so to use relocation as a workaround, until the library is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
If you trust /usr/lib/vlc/codec/librealaudio_plugin.so to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /usr/lib/vlc/codec/librealaudio_plugin.so"

The following command will allow this access:
chcon -t textrel_shlib_t /usr/lib/vlc/codec/librealaudio_plugin.so

Additional Information:

Source Context: user_u:system_r:unconfined_t
Target Context: system_u:object_r:lib_t
Target Objects: /usr/lib/vlc/codec/librealaudio_plugin.so [ file ]
Affected RPM Packages: vlc-0.8.6a-1.lvn6.1 [application]vlc-0.8.6a-1.lvn6.1 [target]
Policy RPM: selinux-policy-2.4.6-27.fc6
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: plugins.allow_execmod
Host Name: rusharri-lnx2
Platform: Linux rusharri-lnx2 2.6.19-1.2895.fc6 #1 SMP Wed Jan 10 19:28:18 EST 2007 i686 i686
Alert Count: 1
Line Numbers:

Raw Audit Messages:
avc: denied { execmod } for comm="vlc" dev=dm-0 egid=162433 euid=162433 exe="/usr/bin/vlc" exit=-13 fsgid=16243
----------
Thx for your advice:
Nicolas (kwizart)
On 2007-04-17, kwizart kwizart@gmail.com wrote:
> This affects vlc for Fedora release 5, 6 and devel, only for x86 (not ppc or x86_64).
> from https://bugzilla.livna.org/show_bug.cgi?id=1404
> SELinux is preventing /usr/bin/vlc from loading /usr/lib/vlc/codec/libdmo_plugin.so which requires text relocation.
> SELinux is preventing /usr/bin/vlc from loading /usr/lib/vlc/codec/librealaudio_plugin.so which requires text relocation.
> I'm not sure if this can be fixed in the vlc package or if it would need to be fixed in the selinux policy package.

It can be fixed in the vlc package's RPM %post section by running:

    # Add new labeling rules for libraries requiring text relocation:
    /usr/sbin/semanage fcontext -a -t textrel_shlib_t /usr/lib/vlc/codec/libdmo_plugin.so
    /usr/sbin/semanage fcontext -a -t textrel_shlib_t /usr/lib/vlc/codec/librealaudio_plugin.so
    # Set correct SELinux security contexts:
    restorecon /usr/lib/vlc/codec/libdmo_plugin.so /usr/lib/vlc/codec/librealaudio_plugin.so

The semanage commands will add these rules to /etc/selinux/targeted/contexts/files/file_contexts.local.
-jf
selinux@lists.fedoraproject.org
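
A triage sketch for the denials and the fix discussed in this thread, added here as an example and not part of either message: it picks execmod denials on lib_t files out of audit lines and builds the semanage and restorecon commands given in the reply. The function names and the sample lines are constructed for illustration; the first sample is shortened from the audit record quoted in the first message.

```python
import re
import shlex
# Constructed sample: record 1 is shortened from the audit line in the post,
# record 2 is cut off before path= (like its second record), record 3 is unrelated.
SAMPLE = [
    'avc: denied { execmod } for comm="vlc" exe="/usr/bin/vlc" '
    'path="/usr/lib/vlc/codec/libdmo_plugin.so" tclass=file '
    'tcontext=system_u:object_r:lib_t:s0',
    'avc: denied { execmod } for comm="vlc" exe="/usr/bin/vlc" exit=-13 fsgid=16243',
    'avc: denied { read } for comm="vlc" path="/tmp/x" tclass=file '
    'tcontext=system_u:object_r:tmp_t:s0',
]
AVC = re.compile(r'avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Return (permissions, fields) for an AVC denial, or None if not one."""
    m = AVC.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(2))}
    return set(m.group(1).split()), fields

def textrel_candidates(lines):
    """Return (paths of lib_t files denied execmod, incomplete records)."""
    paths, incomplete = set(), []
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None or 'execmod' not in parsed[0]:
            continue
        fields = parsed[1]
        if not all(k in fields for k in ('path', 'tclass', 'tcontext')):
            incomplete.append(line)  # truncated record: target unknown, do not guess
            continue
        parts = fields['tcontext'].split(':')  # user:role:type[:level]
        if fields['tclass'] == 'file' and len(parts) > 2 and parts[2] == 'lib_t':
            paths.add(fields['path'])
    return sorted(paths), incomplete

def remediation(paths):
    """Commands from the reply: persistent labeling rule, then relabel."""
    cmds = ['/usr/sbin/semanage fcontext -a -t textrel_shlib_t ' + shlex.quote(p) for p in paths]
    if paths:
        cmds.append('restorecon ' + ' '.join(shlex.quote(p) for p in paths))
    return cmds

if __name__ == '__main__':
    found, skipped = textrel_candidates(SAMPLE)
    print(*remediation(found), f'# {len(skipped)} incomplete record(s): review by hand', sep='\n')
```

The script only prints commands; whether a flagged library should be trusted with textrel_shlib_t remains a decision for the packager or administrator.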