On Tue, 2006-04-04 at 17:44 -0400, Louis E Garcia II wrote:
> pitfdll is a gstreamer plugin that loads win32 binary codecs.
> Which works if selinux=0.
>
> $ ls -Z /usr/lib/gstreamer-0.10/libpitfdll.so
> -rwxr-xr-x root root system_u:object_r:lib_t
> libpitfdll.so
>
> ls -Z -d /usr/lib/win32
> drwxr-xr-x root root
> system_u:object_r:lib_t /usr/lib/win32
>
> under selinux it can't. I get this error:
>
> type=AVC msg=audit(1144183154.042:117): avc: denied { execmod } for
> pid=2360 comm="totem" name="libpitfdll.so" dev=hda3 ino=815199
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
>
> I put this through audit2allow:
> allow unconfined_t lib_t:file execmod;
>
> I don't want to have all unconfined_t access to lib_t just
> libpitfdll.so.
>
> how can I only allow libpitfdll.so access to lib_t?

Change it from lib_t to textrel_shlib_t

This is discussed in the FC5 SELinux FAQ at:
http://fedora.redhat.com/docs/selinux-faq-fc5/
(I have a process running as unconfined_t, and SELinux is still preventing my application from running)

Unfortunately there is a typo in the FAQ and it tells you to use testrel_shlib_t instead of textrel_shlib_t.

Paul.
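
Added example, not part of the original thread or of any Fedora tool: a small parser that reads the AVC denial quoted above and, for an execmod denial on a lib_t file, produces the per-file relabel to textrel_shlib_t instead of the type-wide audit2allow rule. The function names and the caller-supplied `path` argument are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample input: the denial quoted in the thread, joined onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1144183154.042:117): avc: denied { execmod } for '
    'pid=2360 comm="totem" name="libpitfdll.so" dev=hda3 ino=815199 '
    'scontext=user_u:system_r:unconfined_t:s0 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=file'
)

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
REQUIRED = ('scontext', 'tcontext', 'tclass', 'name')


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not a usable AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    if any(key not in fields for key in REQUIRED):
        return None
    fields['perms'] = m.group('perms').split()
    # An SELinux context is user:role:type[:level]; the type is the third part.
    fields['stype'] = fields['scontext'].split(':')[2]
    fields['ttype'] = fields['tcontext'].split(':')[2]
    return fields


def relabel_fix(line, path):
    """For an execmod denial on a lib_t file, return the per-file relabel command.

    `path` comes from the caller (hypothetical parameter): the AVC record holds
    only the file's base name plus dev/ino, not its full path.
    """
    d = parse_avc(line)
    if not d or 'execmod' not in d['perms'] or d['tclass'] != 'file':
        return None
    if d['ttype'] != 'lib_t' or not path.endswith('/' + d['name']):
        return None
    return 'chcon -t textrel_shlib_t ' + shlex.quote(path)


if __name__ == '__main__':
    print(parse_avc(SAMPLE_AVC))
    print(relabel_fix(SAMPLE_AVC, '/usr/lib/gstreamer-0.10/libpitfdll.so'))
```

A label set with chcon is lost if the filesystem is relabelled from policy, so the change has to be reapplied or recorded in the file-context configuration to persist.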