Bug 12175 - SELinux is preventing squeezecenter-s from loading /usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/DBD/mysql/mysql.so which requires text relocation.
Status: RESOLVED WONTFIX
Product: Logitech Media Server
Classification: Unclassified
Component: RPM
Version: 7.3.2
Hardware: PC Fedora
Importance: -- normal
Target Milestone: 8.0.0
Assigned To: Andy Grundman
Reported: 2009-05-27 00:55 UTC by Pat McDonough
Modified: 2019-01-25 10:41 UTC (History)

Description Pat McDonough 2009-05-27 00:55:14 UTC
this is an SELinux dump...

Summary:

SELinux is preventing squeezecenter-s from loading
/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/DBD/mysql/mysql.so
which requires text relocation.

Detailed Description:

The squeezecenter-s application attempted to load
/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/DBD/mysql/mysql.so
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/DBD/mysql/mysql.so
to use relocation as a workaround, until the library is fixed. Please file a bug
report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust
/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/DBD/mysql/mysql.so
to run correctly, you can change the file context to textrel_shlib_t. "chcon -t
textrel_shlib_t
'/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/DBD/mysql/mysql.so'"
You must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/DBD/mysql/mysql.so'"

Fix Command:

chcon -t textrel_shlib_t
'/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/DBD/mysql/mysql.so'

Additional Information:

Source Context                system_u:system_r:initrc_t:s0
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/share/squeezecenter/CPAN/arch/5.10/i386
                              -linux-thread-multi/auto/DBD/mysql/mysql.so [ file
                              ]
Source                        squeezecenter-s
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          pmcdonou.f11
Source RPM Packages           perl-5.10.0-68.fc11
Target RPM Packages           squeezecenter-7.3.2-1
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     pmcdonou.fc11
Platform                      Linux pmcdonou.fc11 2.6.29.3-155.fc11.i686.PAE #1
                              SMP Wed May 20 17:31:09 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Wed 27 May 2009 12:47:31 AM PDT
Last Seen                     Wed 27 May 2009 12:47:31 AM PDT
Local ID                      5e36dae4-67b6-4762-9d9b-f2e8031f94d5
Line Numbers                  

Raw Audit Messages            

node=pmcdonou.f11 type=AVC msg=audit(1243410451.270:43): avc:  denied  { execmod } for  pid=6709 comm="squeezecenter-s" path="/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/DBD/mysql/mysql.so" dev=dm-4 ino=360688 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=pmcdonou.f11 type=SYSCALL msg=audit(1243410451.270:43): arch=40000003 syscall=125 success=no exit=-13 a0=dbc000 a1=19a000 a2=5 a3=bff25950 items=0 ppid=6675 pid=6709 auid=4294967295 uid=489 gid=482 euid=489 suid=489 fsuid=489 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="squeezecenter-s" exe="/usr/bin/perl" subj=system_u:system_r:initrc_t:s0 key=(null)
Comment 1 James Richardson 2009-06-08 13:58:23 UTC
Please retest with the latest 7.4 nightly, then report back in this bug if you still see the issue.

Report the revision number you test with.
Comment 2 Pat McDonough 2009-06-09 17:11:16 UTC
Well, the specific issue with MySQL is gone, but the same problem still exists with some other libraries: ...XML/Parser/Expat/Expat.so


Summary:

SELinux is preventing squeezecenter-s from loading
/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/XML/Parser/Expat/Expat.so
which requires text relocation.

Detailed Description:

The squeezecenter-s application attempted to load
/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/XML/Parser/Expat/Expat.so
which requires text relocation. This is a potential security problem. Most
libraries do not need this permission. Libraries are sometimes coded incorrectly
and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/XML/Parser/Expat/Expat.so
to use relocation as a workaround, until the library is fixed. Please file a bug
report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust
/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/XML/Parser/Expat/Expat.so
to run correctly, you can change the file context to textrel_shlib_t. "chcon -t
textrel_shlib_t
'/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/XML/Parser/Expat/Expat.so'"
You must also change the default file context files on the system in order to
preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t
'/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/XML/Parser/Expat/Expat.so'"

Fix Command:

chcon -t textrel_shlib_t
'/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/XML/Parser/Expat/Expat.so'

Additional Information:

Source Context                system_u:system_r:initrc_t:s0
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/share/squeezecenter/CPAN/arch/5.10/i386
                              -linux-thread-multi/auto/XML/Parser/Expat/Expat.so
                              [ file ]
Source                        squeezecenter-s
Source Path                   /usr/bin/perl
Port                          <Unknown>
Host                          pmcdonou.fc11
Source RPM Packages           perl-5.10.0-68.fc11
Target RPM Packages           squeezecenter-7.4-0.1.26954
Policy RPM                    selinux-policy-3.6.12-39.fc11
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     pmcdonou.fc11
Platform                      Linux pmcdonou.fc11 2.6.29.4-167.fc11.i686.PAE #1
                              SMP Wed May 27 17:28:22 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Tue 09 Jun 2009 05:05:15 PM PDT
Last Seen                     Tue 09 Jun 2009 05:05:15 PM PDT
Local ID                      88a31702-7d13-40f7-ba31-469354ced747
Line Numbers                  

Raw Audit Messages            

node=pmcdonou.fc11 type=AVC msg=audit(1244592315.178:24): avc:  denied  { execmod } for  pid=3123 comm="squeezecenter-s" path="/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/XML/Parser/Expat/Expat.so" dev=dm-4 ino=1637668 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=pmcdonou.fc11 type=SYSCALL msg=audit(1244592315.178:24): arch=40000003 syscall=125 success=no exit=-13 a0=1fc000 a1=3b000 a2=5 a3=bf8b3ae0 items=0 ppid=3089 pid=3123 auid=4294967295 uid=489 gid=482 euid=489 suid=489 fsuid=489 egid=482 sgid=482 fsgid=482 tty=(none) ses=4294967295 comm="squeezecenter-s" exe="/usr/bin/perl" subj=system_u:system_r:initrc_t:s0 key=(null)
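
The raw audit records quoted above can be triaged mechanically. The following is an added example, not part of the original bug report or of any project's code: it pairs each AVC record with its SYSCALL record by audit event ID, keeps the execmod denials, and decodes the mprotect protection flags (syscall 125 on arch 40000003, i.e. i386). The function names are hypothetical and the sample lines are abridged copies of the records in this report.

```python
import re
from collections import defaultdict

# Sample input: the two audit events from this report, abridged (fields dropped).
SAMPLE = '''\
node=pmcdonou.f11 type=AVC msg=audit(1243410451.270:43): avc:  denied  { execmod } for  pid=6709 comm="squeezecenter-s" path="/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/DBD/mysql/mysql.so" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
node=pmcdonou.f11 type=SYSCALL msg=audit(1243410451.270:43): arch=40000003 syscall=125 success=no exit=-13 a0=dbc000 a1=19a000 a2=5 pid=6709 comm="squeezecenter-s" exe="/usr/bin/perl"
node=pmcdonou.fc11 type=AVC msg=audit(1244592315.178:24): avc:  denied  { execmod } for  pid=3123 comm="squeezecenter-s" path="/usr/share/squeezecenter/CPAN/arch/5.10/i386-linux-thread-multi/auto/XML/Parser/Expat/Expat.so" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
node=pmcdonou.fc11 type=SYSCALL msg=audit(1244592315.178:24): arch=40000003 syscall=125 success=no exit=-13 a0=1fc000 a1=3b000 a2=5 pid=3123 comm="squeezecenter-s" exe="/usr/bin/perl"
'''

EVENT_RE = re.compile(r'type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS_RE = re.compile(r'denied\s+\{([^}]*)\}')
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
I386_MPROTECT = ("40000003", "125")  # AUDIT_ARCH_I386, mprotect on i386

def parse_events(text):
    """Group audit records by (timestamp, serial); records of one event share both."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an audit record
        rtype, stamp, serial = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
        perms = PERMS_RE.search(line)
        if perms:
            fields["perms"] = perms.group(1).split()
        events[(stamp, serial)][rtype] = fields
    return events

def execmod_denials(text):
    """Return one finding per execmod denial, enriched from the paired SYSCALL record."""
    findings = []
    for _, recs in sorted(parse_events(text).items()):
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "execmod" not in avc.get("perms", []):
            continue
        prot = None
        if (sc.get("arch"), sc.get("syscall")) == I386_MPROTECT:
            bits = int(sc["a2"], 16)  # audit logs syscall arguments in hex
            prot = [name for bit, name in PROT.items() if bits & bit]
        findings.append({"path": avc["path"], "exe": sc.get("exe"),
                         "domain": avc["scontext"].split(":")[2],
                         "file_type": avc["tcontext"].split(":")[2],
                         "mprotect_prot": prot})
    return findings
```

For both events the result shows an `initrc_t` process (`/usr/bin/perl`) asking to make a `lib_t` file mapping readable and executable, which is the request the execmod check refuses for a library that needs text relocation.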
Comment 3 Pat McDonough 2009-06-09 17:12:44 UTC
Using: squeezecenter-7.4-0.1.26954.noarch.rpm

(In reply to comment #2)
Comment 4 Pat McDonough 2009-06-09 17:13:28 UTC
Also, note there is a security warning before installing because the package is not signed.
Comment 5 Pat McDonough 2009-07-09 12:30:08 UTC
I've just tested this again with the latest nightly build (http://repos.slimdevices.com/yum/squeezecenter/unstable/squeezecenter-7.4-0.1.27455.noarch.rpm).

The same two issues exist:
* the package is unsigned (perhaps b/c it's a nightly)
* The same SELinux bug about the CPAN libraries
Comment 6 Andy Grundman 2009-07-29 14:59:10 UTC
Moving 7.4 bugs to 8.0.