libavfilter SELinux policy issue

Rahul Sundaram sundaram at fedoraproject.org
Fri Oct 17 20:10:29 UTC 2008


Hi.

This makes Firefox crash if SELinux is in enforcing mode.

Summary:

SELinux is preventing ld-linux.so.2 from loading /usr/lib/libavfilter.so.0.1.0
which requires text relocation.

Detailed Description:

[SELinux is in permissive mode, the operation would have been denied but was
permitted due to permissive mode.]

The ld-linux.so.2 application attempted to load /usr/lib/libavfilter.so.0.1.0
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/libavfilter.so.0.1.0 to use relocation as a workaround, until the
library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust /usr/lib/libavfilter.so.0.1.0 to run correctly, you can change the
file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/libavfilter.so.0.1.0'" You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t textrel_shlib_t '/usr/lib/libavfilter.so.0.1.0'"

Fix Command:

chcon -t textrel_shlib_t '/usr/lib/libavfilter.so.0.1.0'

Additional Information:

Source Context                system_u:system_r:prelink_t:s0-s0:c0.c1023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/libavfilter.so.0.1.0 [ file ]
Source                        ld-linux.so.2
Source Path                   /lib/ld-2.8.90.so
Port                          <Unknown>
Host                          sundaram
Source RPM Packages           glibc-2.8.90-13
Target RPM Packages           ffmpeg-libs-0.4.9-0.50.20080908.fc10
Policy RPM                    selinux-policy-3.5.10-3.fc10
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Permissive
Plugin Name                   allow_execmod
Host Name                     sundaram
Platform                      Linux sundaram 2.6.25.14-108.fc9.i686 #1 SMP Mon
                              Aug 4 14:08:11 EDT 2008 i686 i686
Alert Count                   1
First Seen                    Fri 17 Oct 2008 04:05:58 AM IST
Last Seen                     Fri 17 Oct 2008 04:05:58 AM IST
Local ID                      5bf00553-84ae-49ea-a793-7977855b9541
Line Numbers

Raw Audit Messages

node=sundaram type=AVC msg=audit(1224196558.619:111): avc:  denied  { execmod } for  pid=27387 comm="ld-linux.so.2" path="/usr/lib/libavfilter.so.0.1.0" dev=dm-0 ino=68753 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=sundaram type=SYSCALL msg=audit(1224196558.619:111): arch=40000003 syscall=125 success=yes exit=0 a0=111000 a1=3000 a2=5 a3=bfbedde0 items=0 ppid=27136 pid=27387 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 comm="ld-linux.so.2" exe="/lib/ld-2.8.90.so" subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)

Rahul
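
The two raw audit records in the report above can be read together. This is an added example, not part of the original post or of setroubleshoot: it joins the AVC and SYSCALL records by event id and decodes the syscall arguments. The function name `correlate` and the one-entry i386 syscall table are this example's own.

```python
import re

# The two raw audit records from the post above, rejoined onto single lines.
RECORDS = [
    'node=sundaram type=AVC msg=audit(1224196558.619:111): avc:  denied  { execmod } for  '
    'pid=27387 comm="ld-linux.so.2" path="/usr/lib/libavfilter.so.0.1.0" dev=dm-0 '
    'ino=68753 scontext=system_u:system_r:prelink_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=file',
    'node=sundaram type=SYSCALL msg=audit(1224196558.619:111): arch=40000003 syscall=125 '
    'success=yes exit=0 a0=111000 a1=3000 a2=5 a3=bfbedde0 items=0 ppid=27136 pid=27387 '
    'auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=10 '
    'comm="ld-linux.so.2" exe="/lib/ld-2.8.90.so" '
    'subj=system_u:system_r:prelink_t:s0-s0:c0.c1023 key=(null)',
]
AUDIT_ARCH_I386 = 0x40000003
I386_SYSCALLS = {125: "mprotect"}   # only the number this example needs
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
EVENT = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')

def correlate(lines):
    """Join AVC and SYSCALL records sharing an event id; one dict per denial."""
    events = {}
    for line in lines:
        m = EVENT.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        p = PERMS.search(line)
        if p:
            fields["perms"] = p.group(1).split()
        events.setdefault(m.groups(), {})[fields["type"]] = fields
    denials = []
    for (_, serial), ev in events.items():
        avc, sc = ev.get("AVC"), ev.get("SYSCALL", {})
        if not avc or "perms" not in avc:
            continue
        row = {"serial": int(serial), "perms": avc["perms"], "path": avc.get("path"),
               "source_type": avc["scontext"].split(":")[2],
               "target_type": avc["tcontext"].split(":")[2]}
        if int(sc.get("arch", "0"), 16) == AUDIT_ARCH_I386:
            row["syscall"] = I386_SYSCALLS.get(int(sc["syscall"]), sc["syscall"])
            if row["syscall"] == "mprotect":   # a0=addr, a1=len, a2=prot (hex)
                start, prot = int(sc["a0"], 16), int(sc["a2"], 16)
                row["range"] = (start, start + int(sc["a1"], 16))
                row["prot"] = [n for b, n in PROT_BITS.items() if prot & b]
        denials.append(row)
    return denials
```

For this report the result is a single execmod denial raised by mprotect on the range 0x111000-0x114000 with PROT_READ|PROT_EXEC, from a process in prelink_t against a file labelled lib_t.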




