On Thu, 2006-04-27 at 12:41 +1000, Robert Foster wrote:
> Hi,
> I'm trying to get ffmpeg working for Gallery2 on FC5, and getting the
> following error (from the debug message via Gallery):
>
> Executing: ( "/usr/bin/ffmpeg" "-h" )
> 2>/MV/webs/Repository/gallery/tmp/g2dbgitTQYC
> file_exists(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> filesize(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> fopen(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC, r, 0)
> feof(Resource id #108)
> fgets(Resource id #108, 4096)
> feof(Resource id #108)
> fgets(Resource id #108, 4096)
> feof(Resource id #108)
> fclose(Resource id #108)
> unlink(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> Regular Output:
> Error Output:
> /usr/bin/ffmpeg: error while loading shared libraries: libavcodec.so.51:
> cannot enable executable stack as shared object requires: Permission
> denied
> Status: 127 (expected 0)
> A quick look in /usr/lib reveals:
>
> -rwxr-xr-x root root
> system_u:object_r:textrel_shlib_t /usr/lib/libavcodec-CVS.so
> lrwxrwxrwx root root
> system_u:object_r:lib_t /usr/lib/libavcodec.so ->
> libavcodec-CVS.so
> lrwxrwxrwx root root
> system_u:object_r:lib_t /usr/lib/libavcodec.so.51 ->
> libavcodec-CVS.so
>
>
> /var/log/audit/audit.log shows:
>
> type=SYSCALL msg=audit(1146010953.133:45163): arch=40000003
> syscall=125 success=no exit=-13 a0=bfc5b000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25005 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.141:45164): avc: denied { execstack }
> for pid=25007 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.141:45164): arch=40000003
> syscall=125 success=no exit=-13 a0=bf9e8000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25007 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.213:45165): avc: denied { execstack }
> for pid=25009 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.213:45165): arch=40000003
> syscall=125 success=no exit=-13 a0=bfbe6000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25009 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.221:45166): avc: denied { execstack }
> for pid=25011 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.221:45166): arch=40000003
> syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25011 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
>
> when I run the page producing the error output.
>
> I tried to set the allow_execstack boolean but it didn't make any
> difference.
Are you sure you've set the boolean?
# getsebool allow_execstack
ffmpeg is probably using a library that was not built for FC5. You
should be able to find which one it is as follows:
* List all libraries loaded. Assuming ffmpeg doesn't load any itself,
the following should work:
$ ldd /usr/bin/ffmpeg | sed -e 's,[^/]*\(/[^ ]*\).*,\1,'
For each of the listed libraries, do:
$ eu-readelf -l /path/to/library
There must be a GNU_STACK line. If this is missing or the permissions
(second to last field) is RWX instead of RW you found the culprit.
Paul.
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
