Ticket #7503: mythbug_001

Summary:

SELinux is preventing /usr/bin/mythtv-setup from loading
/usr/lib/libmythswscale-0.22.so.0.22.0 which requires text relocation.

Detailed Description:

The mythtv-setup application attempted to load
/usr/lib/libmythswscale-0.22.so.0.22.0 which requires text relocation. 
This is
a
potential security problem. Most libraries do not need this permission.
Libraries are sometimes coded incorrectly and request this permission. 
The
SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains 
how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/libmythswscale-0.22.so.0.22.0 to use relocation as a 
workaround, until
the library is fixed. Please file a bug report.

Allowing Access:

If you trust /usr/lib/libmythswscale-0.22.so.0.22.0 to run correctly, 
you can
change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/libmythswscale-0.22.so.0.22.0'" You must also change the 
default file
context files on the system in order to preserve them even on a full 
relabel.
"semanage fcontext -a -t textrel_shlib_t
'/usr/lib/libmythswscale-0.22.so.0.22.0'"

Fix Command:

chcon -t textrel_shlib_t '/usr/lib/libmythswscale-0.22.so.0.22.0'

Additional Information:

Source Context               
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Target Context                system_u:object_r:lib_t:s0
Target Objects                /usr/lib/libmythswscale-0.22.so.0.22.0 [ 
file ]
Source                        mythtv-setup
Source Path                   /usr/bin/mythtv-setup
Port                          <Unknown>
Host                          (removed)
Source RPM Packages           mythtv-setup-0.22-0.5.rc1.fc12
Target RPM Packages           libmyth-0.22-0.5.rc1.fc12
Policy RPM                    selinux-policy-3.6.32-37.fc12
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmod
Host Name                     (removed)
Platform                      Linux (removed) 2.6.31.5-96.fc12.i686 #1
                              SMP Fri Oct 23 19:53:24 EDT 2009 i686 i686
Alert Count                   1
First Seen                    Tue 03 Nov 2009 07:28:30 PM EST
Last Seen                     Tue 03 Nov 2009 07:28:30 PM EST
Local ID                      ad9b6d19-96c5-49cd-84f9-1869601b45cb
Line Numbers                  

Raw Audit Messages            

node=(removed) type=AVC msg=audit(1257294510.891:23836): avc:  denied  {
execmod } for  pid=9537 comm="mythtv-setup"
path="/usr/lib/libmythswscale-0.22.so.0.22.0" dev=sda4 ino=55891
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=system_u:object_r:lib_t:s0 tclass=file

node=(removed) type=SYSCALL msg=audit(1257294510.891:23836): 
arch=40000003
syscall=125 success=no exit=-13 a0=b30000 a1=38000 a2=5 a3=bfed39c0 
items=0
ppid=1 pid=9537 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 
egid=500
sgid=500 fsgid=500 tty=(none) ses=1 comm="mythtv-setup"
exe="/usr/bin/mythtv-setup"
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)



Hash String generated from 
selinux-policy-3.6.32-37.fc12,allow_execmod,mythtv-setup,unconfined_t,lib_t,file,execmod
audit2allow suggests:

#============= unconfined_t ==============
allow unconfined_t lib_t:file execmod;