fedora-selinux-list Digest, Vol 26, Issue 32
John Griffiths
fedora at grifent.com
Thu Apr 27 16:47:04 UTC 2006
fedora-selinux-list-request at redhat.com wrote:
>
> Subject:
> Error running ffmpeg due to permission denied on library
> From:
> "Robert Foster" <rfoster at mountainvisions.com.au>
> Date:
> Thu, 27 Apr 2006 12:41:09 +1000
> To:
> <fedora-selinux-list at redhat.com>
>
> To:
> <fedora-selinux-list at redhat.com>
>
>
> Hi,
> I'm trying to get ffmpeg working for Gallery2 on FC5, and getting the
> following error (from the debug message via Gallery):
>
> Executing: ( "/usr/bin/ffmpeg" "-h" )
> 2>/MV/webs/Repository/gallery/tmp/g2dbgitTQYC
> file_exists(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> filesize(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> fopen(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC, r, 0)
> feof(Resource id #108)
> fgets(Resource id #108, 4096)
> feof(Resource id #108)
> fgets(Resource id #108, 4096)
> feof(Resource id #108)
> fclose(Resource id #108)
> unlink(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> Regular Output:
> Error Output:
> /usr/bin/ffmpeg: error while loading shared libraries: libavcodec.so.51:
> cannot enable executable stack as shared object requires: Permission
> denied
> Status: 127 (expected 0)
> A quick look in /usr/lib reveals:
>
> -rwxr-xr-x root root system_u:object_r:textrel_shlib_t
> /usr/lib/libavcodec-CVS.so
> lrwxrwxrwx root root system_u:object_r:lib_t
> /usr/lib/libavcodec.so -> libavcodec-CVS.so
> lrwxrwxrwx root root
> system_u:object_r:lib_t /usr/lib/libavcodec.so.51 ->
> libavcodec-CVS.so
>
>
> /var/log/audit/audit.log shows:
>
> type=SYSCALL msg=audit(1146010953.133:45163): arch=40000003
> syscall=125 success=no exit=-13 a0=bfc5b000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25005 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.141:45164): avc: denied { execstack }
> for pid=25007 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.141:45164): arch=40000003
> syscall=125 success=no exit=-13 a0=bf9e8000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25007 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.213:45165): avc: denied { execstack }
> for pid=25009 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.213:45165): arch=40000003
> syscall=125 success=no exit=-13 a0=bfbe6000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25009 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.221:45166): avc: denied { execstack }
> for pid=25011 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.221:45166): arch=40000003
> syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25011 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> when I run the page producing the error output.
>
> I tried to set the allow_execstack boolean but it didn't make any
> difference.
>
> I'm out of ideas on this one - any help appreciated :)
>
> Robert Foster
> General Manager
> Mountain Visions P/L http://mountainvisions.com.au
> <http://mountainvisions.com.au/>
> Mobile: 0418 131 065
>
I had the same problem when using Kino which also uses ffmpeg. Here is
what I did and it works.
execstack -c /usr/lib/libmp3lame.so.0
execstack -c /usr/lib/libxvidcore.so.4
chcon -t textrel_shlib_t /usr/lib/libavformat.so.50
chcon -t textrel_shlib_t /usr/lib/libavutil.so.49
chcon -t textrel_shlib_t /usr/lib/libavcodec.so.51
This also takes care of the problem with lame-3.96.1-10.rhfc5.at,
libxvidcore4-1.1.0-8.rhfc5.at,
libavformat50-0.4.9-14_cvs20060301.rhfc5.at,
libavutil49-0.4.9-14_cvs20060301.rhfc5.at, and
libavcodec51-0.4.9-14_cvs20060301.rhfc5.at.
Regards,
John
More information about the selinux
mailing list