A lot of selinux execstack denials in rawhide when starting audio apps
Martin Sourada
martin.sourada at seznam.cz
Sat Sep 29 21:19:26 UTC 2007
On Sat, 2007-09-29 at 19:19 +0200, Ulrich Drepper wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Martin Sourada wrote:
> > It could, but the AVC denials appear just seconds (or less) after the
> > start, even if no media is opened - e.g. for totem it displays just
> > after the totem logo is displayed, for listen it displays even before
> > the main window is loaded...
>
> Plugins might be loaded anyway.
>
> Since you said it's an execstack error it's easy enough to track down
> and almost certainly is due to a compilation problem related to
> assembler code.
>
> It was python which was reported to have the problem. So, go through
> modules and see whether there is any requesting an executable stack.
> For instance:
>
> for f in /usr/lib/python2.5/lib-dynload/*.so; do echo $f; eu-readelf -l
> $f|grep STACK; done
>
> If any permission is other than "RW" you found a problem. There are
> likely more places with DSOs for python, I don't know enough about the
> installation to say where they are.
>
> If you want to go a more direct route, start totem (that was the program
> with the problem?) under control of strace. I.e., use
>
> strace -o somefile -f totem
>
> and then sieve through the output in "somefile". Search for open calls
> of DSOs and then use eu-readelf as shown above on then.
>
> - --
> ➧ Ulrich Drepper ➧ Red Hat, Inc. ➧ 444 Castro St ➧ Mountain View, CA ❖
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (GNU/Linux)
>
> iD8DBQFG/ok12ijCOnn/RHQRArhwAKCfeguAJcDZtzgeHVKJjKJf9MDz/wCfalUf
> ToBrMppiNmetgY2w22xqVJ0=
> =EU48
> -----END PGP SIGNATURE-----
>
The python denial is from listen, but other applications is having this
problem too, I noticed it in totem (with gstreamer backend) and gxine
(uses xine-lib) as well. One thing that is same for all the apps I am
getting this with is audio output, so I thought it could be
pulseaudio... The suggestion you gave me for python showed only RW
permissions. Will try strace as well (need to install it first).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://listman.redhat.com/archives/fedora-test-list/attachments/20070929/40b785c1/attachment.sig>
More information about the fedora-test-list
mailing list