fedora-selinux-list Digest, Vol 26, Issue 32

John Griffiths fedora at grifent.com
Thu Apr 27 16:47:04 UTC 2006 


fedora-selinux-list-request at redhat.com wrote:
>
> Subject:
> Error running ffmpeg due to permission denied on library
> From:
> "Robert Foster" <rfoster at mountainvisions.com.au>
> Date:
> Thu, 27 Apr 2006 12:41:09 +1000
> To:
> <fedora-selinux-list at redhat.com>
>
> To:
> <fedora-selinux-list at redhat.com>
>
>
> Hi,
> I'm trying to get ffmpeg working for Gallery2 on FC5, and getting the 
> following error (from the debug message via Gallery):
>  
> Executing: ( "/usr/bin/ffmpeg"  "-h" )
> 2>/MV/webs/Repository/gallery/tmp/g2dbgitTQYC
> file_exists(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> filesize(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> fopen(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC, r, 0)
> feof(Resource id #108)
> fgets(Resource id #108, 4096)
> feof(Resource id #108)
> fgets(Resource id #108, 4096)
> feof(Resource id #108)
> fclose(Resource id #108)
> unlink(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> Regular Output:
> Error Output:
> /usr/bin/ffmpeg: error while loading shared libraries: libavcodec.so.51:
> cannot enable executable stack as shared object requires: Permission
> denied
> Status: 127 (expected 0)
> A quick look in /usr/lib reveals:
>  
> -rwxr-xr-x  root     root     system_u:object_r:textrel_shlib_t 
> /usr/lib/libavcodec-CVS.so
> lrwxrwxrwx  root     root     system_u:object_r:lib_t          
> /usr/lib/libavcodec.so -> libavcodec-CVS.so
> lrwxrwxrwx  root     root     
> system_u:object_r:lib_t          /usr/lib/libavcodec.so.51 -> 
> libavcodec-CVS.so
>
>  
> /var/log/audit/audit.log shows:
>  
> type=SYSCALL msg=audit(1146010953.133:45163): arch=40000003 
> syscall=125 success=no exit=-13 a0=bfc5b000 a1=1000 a2=1000007 
> a3=fffff000 items=0 pid=25005 auid=1000 uid=48 gid=48 euid=48 suid=48 
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.141:45164): avc:  denied  { execstack } 
> for  pid=25007 comm="ffmpeg" 
> scontext=user_u:system_r:httpd_sys_script_t:s0 
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.141:45164): arch=40000003 
> syscall=125 success=no exit=-13 a0=bf9e8000 a1=1000 a2=1000007 
> a3=fffff000 items=0 pid=25007 auid=1000 uid=48 gid=48 euid=48 suid=48 
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.213:45165): avc:  denied  { execstack } 
> for  pid=25009 comm="ffmpeg" 
> scontext=user_u:system_r:httpd_sys_script_t:s0 
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.213:45165): arch=40000003 
> syscall=125 success=no exit=-13 a0=bfbe6000 a1=1000 a2=1000007 
> a3=fffff000 items=0 pid=25009 auid=1000 uid=48 gid=48 euid=48 suid=48 
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.221:45166): avc:  denied  { execstack } 
> for  pid=25011 comm="ffmpeg" 
> scontext=user_u:system_r:httpd_sys_script_t:s0 
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.221:45166): arch=40000003 
> syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 
> a3=fffff000 items=0 pid=25011 auid=1000 uid=48 gid=48 euid=48 suid=48 
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> when I run the page producing the error output.
>  
> I tried to set the allow_execstack boolean but it didn't make any 
> difference.
>  
> I'm out of ideas on this one - any help appreciated :)
>
> Robert Foster
> General Manager
> Mountain Visions P/L  http://mountainvisions.com.au 
> <http://mountainvisions.com.au/>
> Mobile: 0418 131 065
>
I had the same problem when using Kino which also uses ffmpeg. Here is 
what I did and it works.

    execstack -c /usr/lib/libmp3lame.so.0
    execstack -c /usr/lib/libxvidcore.so.4
    chcon -t textrel_shlib_t /usr/lib/libavformat.so.50

    chcon -t textrel_shlib_t /usr/lib/libavutil.so.49
    chcon -t textrel_shlib_t /usr/lib/libavcodec.so.51

This also takes care of the problem with lame-3.96.1-10.rhfc5.at, 
libxvidcore4-1.1.0-8.rhfc5.at, 
libavformat50-0.4.9-14_cvs20060301.rhfc5.at, 
libavutil49-0.4.9-14_cvs20060301.rhfc5.at, and 
libavcodec51-0.4.9-14_cvs20060301.rhfc5.at.

Regards,
John

More information about the selinux mailing list