On Fri, 2006-08-11 at 08:01 -0100, Paul Howarth wrote:
On Thu, 2006-08-10 at 16:31 -0400, Louis Garcia II wrote:
On Thu, 2006-08-10 at 10:15 -0400, Daniel J Walsh wrote:
On Wed, 2006-08-09 at 20:31 -0400, Louis Garcia II wrote:
On Wed, 2006-08-09 at 18:12 -0400, Louis Garcia II wrote:
I was able to setup the pitfdll plugin for gstreamer and use the win32 codecs under fc5 with selinux enabled. The pitfdll plugin needed to be marked textrel_shlib_t and the codecs under /usr/lib/win32 marked lib_t.
This worked for FC5 under selinux and FC6 with selinux disabled. But selinux under FC6 seems to have changed. Is there another label I should use, how can I debug this?
-Thanks
This is what I get:
Aug 9 19:12:34 soncomputer kernel: audit(1155165152.723:10): avc: denied { execstack } for pid=9530 comm="totem" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
-Louis
you can turn on allow_execstack or change the context of totem to unconfined_execmem_exec_t:
chcon -t unconfined_execmem_exec_t /usr/bin/totem
if I turn on allow_execstack would that be for everything
Yes.
or just for totem? What would be the most secure of these two options?
Just changing the context type of totem.
Paul.
Ok, I changed the context type of totem and now it's: -rwxr-xr-x root root system_u:object_r:unconfined_execmem_exec_t /usr/bin/totem
This seems to fix my problem. However I get a slightly different message now: Aug 11 15:09:41 soncomputer kernel: audit(1155323379.605:36): avc: denied { execheap } for pid=3094 comm="totem" scontext=user_u:system_r:unconfined_execmem_t:s0 tcontext=user_u:system_r:unconfined_execmem_t:s0 tclass=process
what does it mean?
-Louis
I am also having problems with totem-mozplugin, totem's plugin for firefox.
Aug 11 16:18:15 soncomputer kernel: audit(1155327494.846:63): avc: denied { execstack } for pid=11603 comm="totem-mozilla-v" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Aug 11 16:18:15 soncomputer kernel: audit(1155327494.850:64): avc: denied { execstack } for pid=11603 comm="totem-mozilla-v" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Aug 11 16:18:15 soncomputer kernel: audit(1155327494.850:65): avc: denied { execstack } for pid=11603 comm="totem-mozilla-v" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
-Louis
You have two choices with this: turn on the allow_execstack boolean or label firefox unconfined_execmem_exec_t.
You might want to complain to the people who ship totem or the other plugins to fix their code.
http://people.redhat.com/~drepper/selinux-mem.html explains the memory checks.
On Sat, 2006-08-12 at 07:48 -0400, Daniel J Walsh wrote:
You have two choices with this: turn on the allow_execstack boolean or label firefox unconfined_execmem_exec_t.
Actually there is a better choice. Rather than change the context for totem (and firefox and pitivi and rhythmbox and everything else that uses gstreamer) you can just change the context of the pitfdll plugin that is causing problems. It needs to exec its own modifiable memory since it loads .dll files on to the heap, and then executes code that it cuts out of them. Try this:
chcon -t textrel_shlib_t /usr/lib/gstreamer-0.10/libpitfdll.so
Cheers, -Aaron
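As an added triage example (not code from the thread or from any of the projects named in it), this Python parses AVC lines like the ones quoted above and groups the memory-protection denials (execmem, execstack, execheap, the checks Drepper's page covers) by process name and source type, so you can see which binary is affected before deciding between a boolean and a relabel; the sample lines are constructed from those in this thread plus one file-class denial, assumed here only to show it is filtered out. Grouping by source type makes visible what Louis saw: after the relabel totem runs as unconfined_execmem_t and a different check (execheap) fires.

```python
import re
from collections import defaultdict

# Process-class permissions behind the SELinux memory-protection checks
# (execmem, execstack, execheap) that this thread's denials hit.
MEM_PERMS = {"execmem", "execstack", "execheap"}

AVC_RE = re.compile(
    r'audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc: +denied +\{ (?P<perms>[^}]+)\} '
    r'for +pid=(?P<pid>\d+) comm="(?P<comm>[^"]+)" .*?'
    r'scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)'
)

# Constructed sample: the denials quoted in this thread plus one non-memory
# (file-class) denial, assumed here only to show that it is filtered out.
SAMPLE_LOG = [
    'Aug 9 19:12:34 soncomputer kernel: audit(1155165152.723:10): avc: denied { execstack } for pid=9530 comm="totem" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'Aug 11 15:09:41 soncomputer kernel: audit(1155323379.605:36): avc: denied { execheap } for pid=3094 comm="totem" scontext=user_u:system_r:unconfined_execmem_t:s0 tcontext=user_u:system_r:unconfined_execmem_t:s0 tclass=process',
    'Aug 11 16:18:15 soncomputer kernel: audit(1155327494.846:63): avc: denied { execstack } for pid=11603 comm="totem-mozilla-v" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'Aug 11 16:18:15 soncomputer kernel: audit(1155327494.850:64): avc: denied { execstack } for pid=11603 comm="totem-mozilla-v" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'Aug 11 16:18:16 soncomputer kernel: audit(1155327495.000:70): avc: denied { read } for pid=11603 comm="totem-mozilla-v" name="example.dll" dev=hda2 ino=1 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file',
]

def parse_avc(line):
    """Return the fields of one AVC denial line as a dict, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    # scontext is user:role:type:level; the type is what policy keys on
    d["stype"] = d["scontext"].split(":")[2]
    return d

def memory_denials(lines):
    """Group memory-protection denials as {(comm, source type): {perms}}."""
    groups = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is None or d["tclass"] != "process":
            continue
        hits = MEM_PERMS.intersection(d["perms"])
        if hits:
            groups[(d["comm"], d["stype"])].update(hits)
    return dict(groups)

if __name__ == "__main__":
    for (comm, stype), perms in sorted(memory_denials(SAMPLE_LOG).items()):
        print(f"{comm:16} {stype:24} {' '.join(sorted(perms))}")
```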