Error running ffmpeg due to permission denied on library

Paul Howarth paul at city-fan.org
Thu Apr 27 07:34:39 UTC 2006 

On Thu, 2006-04-27 at 12:41 +1000, Robert Foster wrote:
> Hi,
> I'm trying to get ffmpeg working for Gallery2 on FC5, and getting the
> following error (from the debug message via Gallery):
>  
> Executing: ( "/usr/bin/ffmpeg"  "-h" )
> 2>/MV/webs/Repository/gallery/tmp/g2dbgitTQYC
> file_exists(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> filesize(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> fopen(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC, r, 0)
> feof(Resource id #108)
> fgets(Resource id #108, 4096)
> feof(Resource id #108)
> fgets(Resource id #108, 4096)
> feof(Resource id #108)
> fclose(Resource id #108)
> unlink(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> Regular Output:
> Error Output:
> /usr/bin/ffmpeg: error while loading shared libraries: libavcodec.so.51:
> cannot enable executable stack as shared object requires: Permission
> denied
> Status: 127 (expected 0)
> A quick look in /usr/lib reveals:
>  
> -rwxr-xr-x  root     root
> system_u:object_r:textrel_shlib_t /usr/lib/libavcodec-CVS.so
> lrwxrwxrwx  root     root
> system_u:object_r:lib_t          /usr/lib/libavcodec.so ->
> libavcodec-CVS.so
> lrwxrwxrwx  root     root
> system_u:object_r:lib_t          /usr/lib/libavcodec.so.51 ->
> libavcodec-CVS.so
> 
>  
> /var/log/audit/audit.log shows:
>  
> type=SYSCALL msg=audit(1146010953.133:45163): arch=40000003
> syscall=125 success=no exit=-13 a0=bfc5b000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25005 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.141:45164): avc:  denied  { execstack }
> for  pid=25007 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.141:45164): arch=40000003
> syscall=125 success=no exit=-13 a0=bf9e8000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25007 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.213:45165): avc:  denied  { execstack }
> for  pid=25009 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.213:45165): arch=40000003
> syscall=125 success=no exit=-13 a0=bfbe6000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25009 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.221:45166): avc:  denied  { execstack }
> for  pid=25011 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.221:45166): arch=40000003
> syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25011 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> 
> when I run the page producing the error output.
>  
> I tried to set the allow_execstack boolean but it didn't make any
> difference.

Are you sure you've set the boolean?

# getsebool allow_execstack

ffmpeg is probably using a library that was not built for FC5. You
should be able to find which one it is as follows:

* List all libraries loaded. Assuming ffmpeg doesn't load any itself,
the following should work:

$ ldd /usr/bin/ffmpeg | sed -e 's,[^/]*\(/[^ ]*\).*,\1,'

For each of the listed libraries, do:

$ eu-readelf -l /path/to/library

There must be a GNU_STACK line.  If this is missing or the permissions
(second to last field) is RWX instead of RW you found the culprit.

Paul.

More information about the selinux mailing list