gstreamer and selinux issue

Daniel J Walsh dwalsh at redhat.com
Sat Aug 12 11:48:24 UTC 2006


Louis Garcia II wrote:
> On Fri, 2006-08-11 at 15:59 -0400, Louis Garcia II wrote:
>   
>> On Fri, 2006-08-11 at 08:01 -0100, Paul Howarth wrote:
>>     
>>> On Thu, 2006-08-10 at 16:31 -0400, Louis Garcia II wrote:
>>>       
>>>> On Thu, 2006-08-10 at 10:15 -0400, Daniel J Walsh wrote:
>>>>         
>>>>> On Wed, 2006-08-09 at 20:31 -0400, Louis Garcia II wrote:
>>>>>           
>>>>>> On Wed, 2006-08-09 at 18:12 -0400, Louis Garcia II wrote:
>>>>>>             
>>>>>>> I was able to setup the pitfdll plugin for gstreamer and use the win32
>>>>>>> codecs under fc5 with selinux enabled. The pitfdll plugin needed to be
>>>>>>> marked textrel_shlib_t and the codecs under /usr/lib/win32 marked lib_t.
>>>>>>>
>>>>>>> This worked for FC5 under selinux and FC6 with selinux disabled. But
>>>>>>> selinux under FC6 seems to have changed. Is there another label I
>>>>>>> should use, how can I debug this?
>>>>>>>
>>>>>>> -Thanks
>>>>>>>               
>>>>>> This is what I get:
>>>>>>
>>>>>> Aug  9 19:12:34 soncomputer kernel: audit(1155165152.723:10): avc:
>>>>>> denied  { execstack } for  pid=9530 comm="totem"
>>>>>> scontext=user_u:system_r:unconfined_t:s0
>>>>>> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>>>>>>
>>>>>> -Louis
>>>>>>             
>>>>> you can turn on allow_execstack or change the context of totem to
>>>>> unconfined_execmem_exec_t
>>>>>
>>>>> chcon -t unconfined_execmem_exec_t /usr/bin/totem
>>>>>
>>>> if I turn on allow_execstack would that be for everything
>>>>         
>>> Yes.
>>>
>>>       
>>>>  or just for totem?
>>>> What would be the most secure of these two options?
>>>>         
>>> Just changing the context type of totem.
>>>
>>> Paul.
>>>       
>> Ok, I changed the context type of totem and now it's:
>> -rwxr-xr-x  root root system_u:object_r:unconfined_execmem_exec_t /usr/bin/totem
>>
>> This seems to fix my problem. However I get a slightly different message now:
>> Aug 11 15:09:41 soncomputer kernel: audit(1155323379.605:36): avc:  denied  { execheap } for  pid=3094 comm="totem" scontext=user_u:system_r:unconfined_execmem_t:s0 tcontext=user_u:system_r:unconfined_execmem_t:s0 tclass=process
>>
>> what does it mean?
>>
>> -Louis
>>     
>
> I am also having problems with totem-mozplugin, totem's plugin for
> firefox. 
>
> Aug 11 16:18:15 soncomputer kernel: audit(1155327494.846:63): avc:
> denied  { execstack } for  pid=11603 comm="totem-mozilla-v"
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>
> Aug 11 16:18:15 soncomputer kernel: audit(1155327494.850:64): avc:
> denied  { execstack } for  pid=11603 comm="totem-mozilla-v"
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>
> Aug 11 16:18:15 soncomputer kernel: audit(1155327494.850:65): avc:
> denied  { execstack } for  pid=11603 comm="totem-mozilla-v"
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>
>   
You have two choices with this: turn on the allow_execstack boolean or label
firefox unconfined_execmem_exec_t.

You might want to complain to the people who ship totem or the other 
plugins to fix their code.

http://people.redhat.com/~drepper/selinux-mem.html
explains the memory checks.

> -Louis
>
>   
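As an added illustration (not part of the thread, and not Red Hat's or Fedora's tooling): a small POSIX shell script that parses an AVC denial line like the ones quoted above and prints the narrower of the two remedies named in the reply, the per-binary relabel, ahead of the system-wide boolean. The sample line is constructed from the quoted ones; the binary path in the output is a placeholder, since the kernel truncates comm= to 15 characters and the admin has to map it to the real executable.

```shell
#!/bin/sh
# Added example: parse an FC-era AVC denial and suggest the least-privilege fix.

# Constructed sample, modelled on the lines quoted in the thread.
SAMPLE='Aug 11 16:18:15 soncomputer kernel: audit(1155327494.846:63): avc:  denied  { execstack } for  pid=11603 comm="totem-mozilla-v" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process'

# Denied permission, e.g. "execstack" or "execheap".
avc_perm() {
    printf '%s\n' "$1" | sed -n 's/.*denied  *{ *\([a-z_]*\) *}.*/\1/p'
}

# comm= value; the kernel truncates it to 15 chars ("totem-mozilla-v").
avc_comm() {
    printf '%s\n' "$1" | sed -n 's/.*comm="\([^"]*\)".*/\1/p'
}

# Type field of scontext=user:role:type:level, e.g. "unconfined_t".
avc_stype() {
    printf '%s\n' "$1" | sed -n 's/.*scontext=[^:]*:[^:]*:\([^: ]*\).*/\1/p'
}

# Print the per-binary relabel first (scoped to one executable) and the
# global boolean second (affects every unconfined process on the box).
avc_remedy() {
    line=$1
    perm=$(avc_perm "$line")
    comm=$(avc_comm "$line")
    stype=$(avc_stype "$line")
    case "$perm" in
        execstack)
            if [ "$stype" = unconfined_t ]; then
                # /path/to/ is a placeholder: resolve the truncated comm= to the real binary.
                echo "chcon -t unconfined_execmem_exec_t /path/to/$comm   # narrow fix"
                echo "# system-wide alternative (weaker): setsebool -P allow_execstack on"
            else
                echo "# $stype is already the execmem domain; '$perm' still denied, check policy"
            fi
            ;;
        *)
            echo "# '$perm' denial for $comm: see http://people.redhat.com/~drepper/selinux-mem.html"
            ;;
    esac
}

avc_remedy "$SAMPLE"
```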