Tuesday, August 22, 2006

SELinux Tip

I installed vlcplayer and mplayer to watch movies and also added some codecs. When run, these applications generated errors in dmesg like the following:

audit(1156241386.596:14): avc: denied { execmod } for pid=2850 comm="vlc" name="libavutil.so.49.0.0" dev=dm-0 ino=284990 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

This was an issue with SELinux not giving them access to the files. Looking around, I found the following comment at http://fedora.redhat.com/docs/selinux-faq-fc5/:


SELinux restricts certain memory protection operations. Following is a list of those denials, as well as possible reasons and solutions for those denials. For more information on these restrictions, see http://people.redhat.com/drepper/selinux-mem.html.

These show up in /var/log/messages (or /var/log/audit/audit.log if using the audit daemon) as avc denials. These can also show up when running programs with errors like

error while loading shared libraries: /usr/lib/libavutil.so.49:
cannot restore segment prot after reloc: Permission denied

which indicates that the library is trying to perform a text relocation and failing. Text relocations are bad, but can be allowed via the first hint below. Below are the SELinux memory permissions that are denied, as well as hints at how to address these denials.

execmod

This is usually based on a library label. You can permanently change the context on the library with the following commands

# /usr/sbin/semanage fcontext -a -t textrel_shlib_t '/usr/lib/libavutil.so.49.0.0'
# /sbin/restorecon -v /usr/lib/libavutil.so.49.0.0

with the particular library at fault in place of /usr/lib/libavutil.so.49.0.0. Now your application should be able to run. Please report this as a bugzilla.

execstack

Attempt to execstack -c LIBRARY. Now try your application again. If the application now works, the library was mistakenly marked as requiring execstack. Please report this as a bugzilla.

execmem, execheap

A boolean for each one of these memory check errors has been provided. So if you need to run an application requiring either of these permissions, you can set the boolean allow_exec* to fix the problem. For instance, if you try to run an application and you get an AVC message containing an execstack failure, you can set the boolean with

setsebool -P allow_execstack=1
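
Before relabeling a library or flipping a boolean, it helps to see exactly which memory-protection denials the log holds and which process and file each one involves. The following is an added example, not code from this post or from the Fedora FAQ: it parses AVC lines in the format shown above and matches each denial to the FAQ's hint. Only the first sample line comes from the post; the others are constructed, and `<library>` is a placeholder because the AVC `name` field carries the file name rather than its full path.

```python
import re
from collections import Counter

# Permissions covered by the FAQ excerpt, mapped to the hint it gives for each.
MEM_HINTS = {
    "execmod": "semanage fcontext -a -t textrel_shlib_t <library>; restorecon -v <library>",
    "execstack": "execstack -c <library>, otherwise setsebool -P allow_execstack=1",
    "execmem": "set the matching allow_exec* boolean",
    "execheap": "set the matching allow_exec* boolean",
}
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# First line is the denial quoted in the post; the rest are constructed samples.
SAMPLE = [
    'audit(1156241386.596:14): avc: denied { execmod } for pid=2850 comm="vlc" name="libavutil.so.49.0.0" dev=dm-0 ino=284990 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file',
    'audit(1156241390.100:15): avc: denied { read write } for pid=2901 comm="mplayer" name="example.conf" dev=dm-0 ino=1 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    'audit(1156241400.000:16): avc: denied { execstack } for pid=2950 comm="mplayer" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'kernel: eth0: link up',
]

def parse_avc(line):
    """Return a dict for one AVC denial line, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    # SELinux contexts are user:role:type[:level]; the type is the third field.
    for key in ("scontext", "tcontext"):
        parts = rec.get(key, "").split(":")
        rec[key + "_type"] = parts[2] if len(parts) > 2 else None
    return rec

def triage(lines):
    """Count memory-protection denials per (comm, perm, target name, target type)."""
    hits = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            if perm in MEM_HINTS:
                hits[(rec.get("comm"), perm, rec.get("name"), rec["tcontext_type"])] += 1
    return hits

if __name__ == "__main__":
    for (comm, perm, name, ttype), n in triage(SAMPLE).items():
        print(f"{n}x {perm} comm={comm} name={name} target_type={ttype}: {MEM_HINTS[perm]}")
```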
