vlc x86 libs requires text relocation.

kwizart kwizart at gmail.com
Tue Apr 17 20:02:10 UTC 2007



Hello!

I would like to solve the SELinux context issue with vlc x86.
It is supposed to serve the same purpose as mplayer does with 32-bit codec
DLLs if they are present on the end-user system.

This affects vlc for Fedora releases 5, 6 and devel, only for x86 (not ppc
or x86_64).

from https://bugzilla.livna.org/show_bug.cgi?id=1404
----
SELinux is preventing /usr/bin/vlc from loading
/usr/lib/vlc/codec/libdmo_plugin.so which requires text relocation.

SELinux is preventing /usr/bin/vlc from loading
/usr/lib/vlc/codec/librealaudio_plugin.so which requires text relocation.

I'm not sure if this can be fixed in the vlc package or if it would need
to be fixed in the selinux policy package.

I'll attach the saved output from setroubleshoot for these denials.
----
libdmo_plugin denial
-----
Summary
    SELinux is preventing /usr/bin/vlc from loading
    /usr/lib/vlc/codec/libdmo_plugin.so which requires text relocation.

Detailed Description
    The /usr/bin/vlc application attempted to load
    /usr/lib/vlc/codec/libdmo_plugin.so which requires text relocation.  This is
    a potential security problem. Most libraries do not need this permission.
    Libraries are sometimes coded incorrectly and request this permission.  The
    http://people.redhat.com/drepper/selinux-mem.html web page explains how to
    remove this requirement.  You can configure SELinux temporarily to allow
    /usr/lib/vlc/codec/libdmo_plugin.so to use relocation as a workaround, until
    the library is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /usr/lib/vlc/codec/libdmo_plugin.so to run correctly, you can
    change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
    /usr/lib/vlc/codec/libdmo_plugin.so"

    The following command will allow this access:
    chcon -t textrel_shlib_t /usr/lib/vlc/codec/libdmo_plugin.so

Additional Information:

Source Context:               user_u:system_r:unconfined_t
Target Context:               system_u:object_r:lib_t
Target Objects:               /usr/lib/vlc/codec/libdmo_plugin.so [ file ]
Affected RPM Packages:        vlc-0.8.6a-1.lvn6.1 [application]vlc-0.8.6a-1.lvn6.1 [target]
Policy RPM:                   selinux-policy-2.4.6-27.fc6
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Enforcing
Plugin Name:                  plugins.allow_execmod
Host Name:                    rusharri-lnx2
Platform:                     Linux rusharri-lnx2 2.6.19-1.2895.fc6 #1 SMP Wed Jan 10 19:28:18 EST 2007 i686 i686
Alert Count:                  1
Line Numbers:

Raw Audit Messages:

avc: denied { execmod } for comm="vlc" dev=dm-0 egid=162433 euid=162433
exe="/usr/bin/vlc" exit=-13 fsgid=162433 fsuid=162433 gid=162433 items=0
name="libdmo_plugin.so" path="/usr/lib/vlc/codec/libdmo_plugin.so"
pid=10856 scontext=user_u:system_r:unconfined_t:s0 sgid=162433
subj=user_u:system_r:unconfined_t:s0 suid=162433 tclass=file
tcontext=system_u:object_r:lib_t:s0 tty=pts1 uid=162433
--------
librealaudio_plugin denial
--------
Summary
    SELinux is preventing /usr/bin/vlc from loading
    /usr/lib/vlc/codec/librealaudio_plugin.so which requires text relocation.

Detailed Description
    The /usr/bin/vlc application attempted to load
    /usr/lib/vlc/codec/librealaudio_plugin.so which requires text relocation.
    This is a potential security problem. Most libraries do not need this
    permission. Libraries are sometimes coded incorrectly and request this
    permission.  The http://people.redhat.com/drepper/selinux-mem.html web page
    explains how to remove this requirement.  You can configure SELinux
    temporarily to allow /usr/lib/vlc/codec/librealaudio_plugin.so to use
    relocation as a workaround, until the library is fixed. Please file a
    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.

Allowing Access
    If you trust /usr/lib/vlc/codec/librealaudio_plugin.so to run correctly, you
    can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
    /usr/lib/vlc/codec/librealaudio_plugin.so"

    The following command will allow this access:
    chcon -t textrel_shlib_t /usr/lib/vlc/codec/librealaudio_plugin.so

Additional Information:

Source Context:               user_u:system_r:unconfined_t
Target Context:               system_u:object_r:lib_t
Target Objects:               /usr/lib/vlc/codec/librealaudio_plugin.so [ file ]
Affected RPM Packages:        vlc-0.8.6a-1.lvn6.1 [application]vlc-0.8.6a-1.lvn6.1 [target]
Policy RPM:                   selinux-policy-2.4.6-27.fc6
Selinux Enabled:              True
Policy Type:                  targeted
MLS Enabled:                  True
Enforcing Mode:               Enforcing
Plugin Name:                  plugins.allow_execmod
Host Name:                    rusharri-lnx2
Platform:                     Linux rusharri-lnx2 2.6.19-1.2895.fc6 #1 SMP Wed Jan 10 19:28:18 EST 2007 i686 i686
Alert Count:                  1
Line Numbers:

Raw Audit Messages:

avc: denied { execmod } for comm="vlc" dev=dm-0 egid=162433 euid=162433
exe="/usr/bin/vlc" exit=-13 fsgid=16243
----------

Thanks for your advice.

Nicolas (kwizart)
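An added example, not part of the original message or of the vlc or SELinux projects: one way to triage denials like the ones above is to pull the library path out of each `execmod` AVC record and then check whether that object really carries the text-relocation marker (`DT_TEXTREL`, or `DF_TEXTREL` in `DT_FLAGS`) in its dynamic section. The function names are hypothetical, only ELF32 little-endian (i386) objects are handled, and the ELF image used for the demonstration is a constructed in-memory sample rather than a real plugin.

```python
import re
import struct

PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4

def execmod_paths(audit_text):
    """Return the path= value of every complete 'denied { execmod }' AVC record."""
    recs = (" ".join(r.split()) for r in audit_text.split("avc:")[1:])  # undo mail wrapping
    hits = (re.search(r'denied \{ execmod \}.*?\bpath="([^"]+)"', r) for r in recs)
    return [m.group(1) for m in hits if m]

def has_textrel(data):
    """True if an ELF32 little-endian image is flagged as needing text relocations."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4:6] != b"\x01\x01":
        raise ValueError("only ELF32 little-endian (i386) is handled here")
    (e_phoff,) = struct.unpack_from("<I", data, 28)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    for i in range(e_phnum):
        p_type, p_offset, _, _, p_filesz = struct.unpack_from(
            "<5I", data, e_phoff + i * e_phentsize)
        if p_type != PT_DYNAMIC:
            continue
        end = min(p_offset + p_filesz, len(data)) - 7  # never read past the image
        for off in range(p_offset, end, 8):
            d_tag, d_val = struct.unpack_from("<iI", data, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                return True
    return False

def build_sample(dyn_entries):
    """Constructed sample input: ELF32 header plus a single PT_DYNAMIC segment."""
    dyn = b"".join(struct.pack("<iI", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    ehdr = b"\x7fELF\x01\x01\x01" + b"\0" * 9 + struct.pack(
        "<HHIIIIIHHHHHH", 3, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    phdr = struct.pack("<8I", PT_DYNAMIC, 84, 84, 84, len(dyn), len(dyn), 6, 4)
    return ehdr + phdr + dyn

if __name__ == "__main__":
    # Record shortened from the raw audit message quoted above.
    avc = 'avc: denied { execmod } for comm="vlc" path="/usr/lib/vlc/codec/libdmo_plugin.so"'
    print(execmod_paths(avc))
    print(has_textrel(build_sample([(DT_TEXTREL, 0)])), has_textrel(build_sample([])))
```

On a real system, pass `open(path, "rb").read()` for each reported path: a flagged object points at how the library was built, while an unflagged one means the denial needs a different explanation.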



