[gstreamer-bugs] [Bug 607112] New: [SECURITY - SELinux - execmod] libgstffmpeg.so requires text relocation
GStreamer (bugzilla.gnome.org)
bugzilla at gnome.org
Fri Jan 15 15:04:06 PST 2010
https://bugzilla.gnome.org/show_bug.cgi?id=607112
GStreamer | gst-ffmpeg | 0.10.6
Summary: [SECURITY - SELinux - execmod] libgstffmpeg.so requires text relocation
Classification: Desktop
Product: GStreamer
Version: 0.10.6
OS/Version: Linux
Status: UNCONFIRMED
Severity: major
Priority: Normal
Component: gst-ffmpeg
AssignedTo: gstreamer-bugs at lists.sourceforge.net
ReportedBy: havard at sorli.no
QAContact: gstreamer-bugs at lists.sourceforge.net
GNOME target: ---
GNOME version: ---
SELinux is preventing mixer_applet2 from loading
/usr/lib64/gstreamer-0.10/libgstffmpeg.so which requires text relocation.
Detailed Description:
The mixer_applet2 application attempted to load
/usr/lib64/gstreamer-0.10/libgstffmpeg.so which requires text relocation. This
is a potential security problem. Most libraries do not need this permission.
Libraries are sometimes coded incorrectly and request this permission. The
SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib64/gstreamer-0.10/libgstffmpeg.so to use relocation as a workaround,
until the library is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.
Allowing Access:
If you trust /usr/lib64/gstreamer-0.10/libgstffmpeg.so to run correctly, you
can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib64/gstreamer-0.10/libgstffmpeg.so'" You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/lib64/gstreamer-0.10/libgstffmpeg.so'"
The following command will allow this access:
chcon -t textrel_shlib_t '/usr/lib64/gstreamer-0.10/libgstffmpeg.so'
Additional Information:
Source Context       user_u:system_r:unconfined_t
Target Context       system_u:object_r:lib_t
Target Objects       /usr/lib64/gstreamer-0.10/libgstffmpeg.so [ file ]
Source               mixer_applet2
Source Path          /usr/libexec/mixer_applet2
Port                 <Unknown>
Host                 localhost.localdomain
Source RPM Packages  gnome-applets-2.16.0.1-19.el5
Target RPM Packages  gstreamer-ffmpeg-0.10.6-1.el5.rf
Policy RPM           selinux-policy-2.4.6-255.el5_4.3
Selinux Enabled      True
Policy Type          targeted
MLS Enabled          True
Enforcing Mode       Enforcing
Plugin Name          allow_execmod
Host Name            localhost.localdomain
Platform             Linux localhost.localdomain 2.6.18-164.10.1.el5 #1 SMP Thu Jan 7 19:54:26 EST 2010 x86_64 x86_64
Alert Count          1
First Seen           fre 15-01-2010 22:39:36 CET
Last Seen            fre 15-01-2010 22:39:36 CET
Local ID             b1346351-a6d4-4d45-a638-58a1769e1dfb
Line Numbers
Raw Audit Messages
host=localhost.localdomain type=AVC msg=audit(1263591576.855:17): avc: denied
{ execmod } for pid=4075 comm="mixer_applet2"
path="/usr/lib64/gstreamer-0.10/libgstffmpeg.so" dev=md1 ino=8539950
scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0
tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1263591576.855:17):
arch=c000003e syscall=10 success=no exit=-13 a0=2b4589c43000 a1=499000 a2=5
a3=2b4589c45148 items=0 ppid=4065 pid=4075 auid=500 uid=500 gid=500 euid=500
suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1
comm="mixer_applet2" exe="/usr/libexec/mixer_applet2"
subj=user_u:system_r:unconfined_t:s0 key=(null)
---------------
# rpm -qi gstreamer-ffmpeg-0.10.6-1.el5.rf
Name        : gstreamer-ffmpeg             Relocations: (not relocatable)
Version     : 0.10.6                       Vendor: Dag Apt Repository, http://dag.wieers.com/apt/
Release     : 1.el5.rf                     Build Date: man 23-11-2009 00:23:17 CET
Install Date: fre 15-01-2010 14:57:23 CET  Build Host: lisse.hasselt.wieers.com
Group       : Applications/Multimedia      Source RPM: gstreamer-ffmpeg-0.10.6-1.el5.rf.src.rpm
Size        : 20711110                     License: LGPL
Signature   : DSA/SHA1, ons 25-11-2009 12:47:25 CET, Key ID a20e52146b8d79e6
Packager    : Dag Wieers <dag at wieers.com>
URL         : http://gstreamer.net/
Summary     : GStreamer streaming media framework FFmpeg-based plugin
--------------
# rpm -qi gnome-applets-2.16.0.1-19.el5
Name        : gnome-applets                Relocations: (not relocatable)
Version     : 2.16.0.1                     Vendor: CentOS
Release     : 19.el5                       Build Date: ons 14-03-2007 16:56:45 CET
Install Date: tor 14-01-2010 20:44:37 CET  Build Host: builder5.centos.org
Group       : User Interface/Desktops      Source RPM: gnome-applets-2.16.0.1-19.el5.src.rpm
Size        : 33105695                     License: GPL
Signature   : DSA/SHA1, ons 04-04-2007 02:23:32 CEST, Key ID a8a447dce8562897
URL         : http://www.gnome.org/
Summary     : Small applications for the GNOME panel
------------
# cat /etc/redhat-release
CentOS release 5.4 (Final)
# uname -a
Linux localhost.localdomain 2.6.18-164.10.1.el5 #1 SMP Thu Jan 7 19:54:26 EST 2010 x86_64 x86_64 x86_64 GNU/Linux
------------
The "trigger": CentOS 5.4 install with GNOME Desktop (x86_64).
Enable RPMforge
yum -y install gstreamer-plugins-bad gstreamer-plugins-ugly gstreamer-ffmpeg
Restart and log in as a normal user.
--
Configure bugmail: https://bugzilla.gnome.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the QA contact for the bug.
You are the assignee for the bug.
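
Decoding the two raw audit records from the report, as an added example that is not part of the original message: the AVC and SYSCALL records share one event id, and read together they show which system call was refused and with what protection flags. The function names are this example's own, and the syscall table holds only the x86_64 entry this report needs.

```python
import errno
import re

# The two raw audit records from the report, each joined back onto one line.
RAW_AUDIT = """\
host=localhost.localdomain type=AVC msg=audit(1263591576.855:17): avc: denied { execmod } for pid=4075 comm="mixer_applet2" path="/usr/lib64/gstreamer-0.10/libgstffmpeg.so" dev=md1 ino=8539950 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
host=localhost.localdomain type=SYSCALL msg=audit(1263591576.855:17): arch=c000003e syscall=10 success=no exit=-13 a0=2b4589c43000 a1=499000 a2=5 a3=2b4589c45148 items=0 ppid=4065 pid=4075 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="mixer_applet2" exe="/usr/libexec/mixer_applet2" subj=user_u:system_r:unconfined_t:s0 key=(null)
"""

PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
# Assumption: only this (arch, syscall) pair is mapped; c000003e is x86_64.
SYSCALLS = {("c000003e", 10): "mprotect"}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
PERMS = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")

def parse_events(text):
    """Group audit records by their (timestamp, serial) event id."""
    events = {}
    for line in text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        p = PERMS.search(line)
        if p:
            fields["perms"] = p.group(1).split()
        events.setdefault(m.groups(), {})[fields["type"]] = fields
    return events

def explain_execmod(text):
    """Describe each execmod denial using the SYSCALL record of the same event."""
    out = []
    for recs in parse_events(text).values():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or not sc or "execmod" not in avc.get("perms", []):
            continue
        prot = int(sc["a2"], 16)  # audit prints a0..a3 in hexadecimal
        out.append({
            "library": avc["path"],
            "process": sc["exe"],
            "syscall": SYSCALLS.get((sc["arch"], int(sc["syscall"])), "unknown"),
            "length": int(sc["a1"], 16),
            "prot": [name for bit, name in PROT_BITS.items() if prot & bit],
            "errno": errno.errorcode.get(-int(sc["exit"]), "?"),
        })
    return out
```

For this report the result is an mprotect over 0x499000 bytes of the library's mapping requesting PROT_READ|PROT_EXEC, refused with EACCES: the call that would make the relocated text pages executable again.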