Today's rawhide -- SELinux is preventing /usr/lib/firefox-2.0.0.3/firefox-bin from loading /usr/lib/mozilla/plugins/libvlcplugin.so which requires text relocation.

Daniel J Walsh dwalsh at redhat.com
Wed May 16 01:23:36 UTC 2007


Miles Lane wrote:
> Summary
>    SELinux is preventing /usr/lib/firefox-2.0.0.3/firefox-bin from loading
>    /usr/lib/mozilla/plugins/libvlcplugin.so which requires text relocation.
>
> Detailed Description
>    The /usr/lib/firefox-2.0.0.3/firefox-bin application attempted to load
>    /usr/lib/mozilla/plugins/libvlcplugin.so which requires text relocation.
>    This is a potential security problem. Most libraries do not need this
>    permission. Libraries are sometimes coded incorrectly and request this
>    permission.  The http://people.redhat.com/drepper/selinux-mem.html web page
>    explains how to remove this requirement.  You can configure SELinux
>    temporarily to allow /usr/lib/mozilla/plugins/libvlcplugin.so to use
>    relocation as a workaround, until the library is fixed. Please file a
>    http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
>
> Allowing Access
>    If you trust /usr/lib/mozilla/plugins/libvlcplugin.so to run correctly, you
>    can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
>    /usr/lib/mozilla/plugins/libvlcplugin.so"
>
>    The following command will allow this access:
>    chcon -t textrel_shlib_t /usr/lib/mozilla/plugins/libvlcplugin.so
>
> Additional Information
>
> Source Context                user_u:system_r:unconfined_t
> Target Context                system_u:object_r:lib_t
> Target Objects                /usr/lib/mozilla/plugins/libvlcplugin.so [ file ]
> Affected RPM Packages         firefox-2.0.0.3-4.fc7 [application]
>                               mozilla-vlc-0.8.6b-4.lvn7 [target]
> Policy RPM                    selinux-policy-2.6.1-1.fc7
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.allow_execmod
> Host Name                     localhost.localdomain
> Platform                      Linux localhost.localdomain 2.6.21-1.3142.fc7 #1
>                               SMP Mon May 7 21:14:09 EDT 2007 i686 athlon
> Alert Count                   2
> First Seen                    Tue 15 May 2007 04:45:15 PM PDT
> Last Seen                     Tue 15 May 2007 04:45:15 PM PDT
> Local ID                      6c433235-3c30-4667-9fcb-fb442d89ded0
> Line Numbers
>
> Raw Audit Messages
>
> avc: denied { execmod } for comm="firefox-bin" dev=sda5 egid=500 euid=500
> exe="/usr/lib/firefox-2.0.0.3/firefox-bin" exit=-13 fsgid=500 fsuid=500 gid=500
> items=0 name="libvlcplugin.so" path="/usr/lib/mozilla/plugins/libvlcplugin.so"
> pid=4856 scontext=user_u:system_r:unconfined_t:s0 sgid=500
> subj=user_u:system_r:unconfined_t:s0 suid=500 tclass=file
> tcontext=system_u:object_r:lib_t:s0 tty=(none) uid=500
>

Where did this plugin come from?  It should be reported as a bug to the 
developers of the plugin.

We can change the file context to set it textrel, but it would be better 
if the distributors fixed the library.



