gstreamer and selinux issue

Daniel J Walsh dwalsh at redhat.com
Fri Aug 11 03:43:03 UTC 2006


Karl MacMillan wrote:
> On Thu, 2006-08-10 at 16:31 -0400, Louis Garcia II wrote:
>   
>> On Thu, 2006-08-10 at 10:15 -0400, Daniel J Walsh wrote:
>>     
>>> On Wed, 2006-08-09 at 20:31 -0400, Louis Garcia II wrote:
>>>       
>>>> On Wed, 2006-08-09 at 18:12 -0400, Louis Garcia II wrote:
>>>>         
>>>>> I was able to setup the pitfdll plugin for gstreamer and use the win32
>>>>> codecs under fc5 with selinux enabled. The pitfdll plugin needed to be
>>>>> marked textrel_shlib_t and the codecs under /usr/lib/win32 marked lib_t.
>>>>> This worked for FC5 under selinux and FC6 with selinux disabled. But
>>>>> selinux under FC6 seems to have changed. Is there another label I
>>>>> should use, how can I debug this?
>>>>>
>>>>> -Thanks
>>>>>           
>>>> This is what I get:
>>>>
>>>> Aug  9 19:12:34 soncomputer kernel: audit(1155165152.723:10): avc:
>>>> denied  { execstack } for  pid=9530 comm="totem"
>>>> scontext=user_u:system_r:unconfined_t:s0
>>>> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>>>>
>>>> -Louis
>>>>         
>>> you can turn on allow_execstack or change the context of totem to
>>> unconfined_execmem_exec_t
>>>       
>>     
>>> chcon -t unconfined_execmem_exec_t /usr/bin/totem
>>>       
>> if I turn on allow_execstack would that be for everything or just for totem?
>> What would be the most secure of these two options?
>>
>>     
>
> allow_execstack will affect everything. Changing the context
> on /usr/bin/totem is by far the most secure option.
>
> Karl
>
>
>   

To clarify, allow_exec* allows exec permissions for the unconfined 
domains.  All other domains are not affected.  But setting the 
unconfined_execmem_exec_t context will only allow it for that executable 
instead of all unconfined executables.
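As an added illustration of the trade-off discussed in this thread (not code from the thread or from the SELinux project), the script below parses the AVC denial Louis posted and lays out the two fixes side by side with their scope: the allow_execstack boolean, which covers every unconfined process, versus relabelling the single binary as unconfined_execmem_exec_t. The allow_execmem mapping and the `remediation` helper are assumptions for this example; the audit line is the one quoted above, re-joined onto one line.

```python
import re
from typing import Dict, List, Optional

# The AVC line from the thread, re-joined (the mail client wrapped it).
SAMPLE_LINE = (
    'Aug  9 19:12:34 soncomputer kernel: audit(1155165152.723:10): avc: '
    'denied  { execstack } for  pid=9530 comm="totem" '
    'scontext=user_u:system_r:unconfined_t:s0 '
    'tcontext=user_u:system_r:unconfined_t:s0 tclass=process'
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Booleans that open the permission for all unconfined domains (assumed mapping;
# the thread itself only names allow_execstack).
BOOLEAN_FOR_PERM = {"execstack": "allow_execstack", "execmem": "allow_execmem"}


def parse_avc(line: str) -> Optional[Dict[str, object]]:
    """Return the denied permissions plus the key=value fields of an AVC line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec: Dict[str, object] = {"perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    return rec


def domain_type(context: str) -> str:
    """user_u:system_r:unconfined_t:s0 -> unconfined_t"""
    return context.split(":")[2]


def remediation(rec: Dict[str, object], exe_path: str) -> Optional[Dict[str, Dict[str, str]]]:
    """Offer the global boolean and the per-binary relabel for an exec* denial
    in an unconfined domain; return None when the denial is something else."""
    perms: List[str] = list(rec.get("perms", []))  # type: ignore[arg-type]
    hit = sorted(p for p in perms if p in BOOLEAN_FOR_PERM)
    if not hit or rec.get("tclass") != "process":
        return None
    if domain_type(str(rec.get("scontext", "::?"))) != "unconfined_t":
        return None  # allow_exec* booleans do not reach confined domains
    return {
        "global": {"scope": "every process in the unconfined domains",
                   "cmd": f"setsebool -P {BOOLEAN_FOR_PERM[hit[0]]}=1"},
        "recommended": {"scope": f"only {exe_path}",
                        "cmd": f"chcon -t unconfined_execmem_exec_t {exe_path}"},
    }
```

Note that a chcon label is lost on a full filesystem relabel, so for a long-lived fix the equivalent file context should also be recorded in policy.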




More information about the fedora-devel-list mailing list