A lot of selinux execstack denials in rawhide when starting audio apps

[Ulrich Drepper]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin Sourada wrote:
> It could, but the AVC denials appear just seconds (or less) after the
> start, even if no media is opened - e.g. for totem it displays just
> after the totem logo is displayed, for listen it displays even before
> the main window is loaded...

Plugins might be loaded anyway.

Since you said it's an execstack error it's easy enough to track down
and almost certainly is due to a compilation problem related to
assembler code.

It was python which was reported to have the problem.  So, go through
modules and see whether there is any requesting an executable stack.
For instance:

for f in /usr/lib/python2.5/lib-dynload/*.so; do echo $f; eu-readelf -l
$f|grep STACK; done

If any permission is other than "RW" you found a problem.  There are
likely more places with DSOs for python, I don't know enough about the
installation to say where they are.

If you want to go a more direct route, start totem (that was the program
with the problem?) under control of strace.  I.e., use

  strace -o somefile -f totem

and then sieve through the output in "somefile".  Search for open calls
of DSOs and then use eu-readelf as shown above on then.

- --
➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (GNU/Linux)

iD8DBQFG/ok12ijCOnn/RHQRArhwAKCfeguAJcDZtzgeHVKJjKJf9MDz/wCfalUf
ToBrMppiNmetgY2w22xqVJ0=
=EU48
-----END PGP SIGNATURE-----