Hi Paul,

Thanks for your help, but no luck so far :(

# getsebool allow_execstack
allow_execstack --> on

- As expected.

# eu-readelf -l /usr/lib/libavcodec.so.51
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x00000000 0x00000000 0x32dabc 0x32dabc R E 0x1000
  LOAD           0x32e000 0x0032e000 0x0032e000 0x00a390 0x0e0a90 RW  0x1000
  DYNAMIC        0x32e098 0x0032e098 0x0032e098 0x000138 0x000138 RW  0x4
  GNU_EH_FRAME   0x312588 0x00312588 0x00312588 0x00511c 0x00511c R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x000000 0x000000 RWE 0x4   <------ Bummer :(

 Section to Segment mapping:
  Segment Sections...
   00      [RO: .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame]
   01      .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .bss
   02      .dynamic
   03      [RO: .eh_frame_hdr]
   04

Bummer. I guess I'll have to contact the livna repository maintainer and see what can be done about this.

Thanks again for your help.

Robert Foster

-----Original Message-----
From: Paul Howarth [mailto:paul@xxxxxxxxxxxx]
Sent: Thursday, 27 April 2006 5:35 PM
To: Robert Foster
Cc: fedora-selinux-list@xxxxxxxxxx
Subject: Re: Error running ffmpeg due to permission denied on library

On Thu, 2006-04-27 at 12:41 +1000, Robert Foster wrote:
> Hi,
> I'm trying to get ffmpeg working for Gallery2 on FC5, and getting the
> following error (from the debug message via Gallery):
>
> Executing: ( "/usr/bin/ffmpeg" "-h" )
> 2>/MV/webs/Repository/gallery/tmp/g2dbgitTQYC
> file_exists(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> filesize(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> fopen(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC, r, 0) feof(Resource
> id #108) fgets(Resource id #108, 4096) feof(Resource id #108)
> fgets(Resource id #108, 4096) feof(Resource id #108) fclose(Resource
> id #108)
> unlink(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> Regular Output:
> Error Output:
> /usr/bin/ffmpeg: error while loading shared libraries: libavcodec.so.51:
> cannot enable executable stack as shared object requires: Permission
> denied
> Status: 127 (expected 0)
> A quick look in /usr/lib reveals:
>
> -rwxr-xr-x root root
> system_u:object_r:textrel_shlib_t /usr/lib/libavcodec-CVS.so
> lrwxrwxrwx root root
> system_u:object_r:lib_t /usr/lib/libavcodec.so ->
> libavcodec-CVS.so
> lrwxrwxrwx root root
> system_u:object_r:lib_t /usr/lib/libavcodec.so.51 ->
> libavcodec-CVS.so
>
>
> /var/log/audit/audit.log shows:
>
> type=SYSCALL msg=audit(1146010953.133:45163): arch=40000003
> syscall=125 success=no exit=-13 a0=bfc5b000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25005 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.141:45164): avc: denied { execstack }
> for pid=25007 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.141:45164): arch=40000003
> syscall=125 success=no exit=-13 a0=bf9e8000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25007 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.213:45165): avc: denied { execstack }
> for pid=25009 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.213:45165): arch=40000003
> syscall=125 success=no exit=-13 a0=bfbe6000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25009 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.221:45166): avc: denied { execstack }
> for pid=25011 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process
> type=SYSCALL msg=audit(1146010953.221:45166): arch=40000003
> syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007
> a3=fffff000 items=0 pid=25011 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
>
> when I run the page producing the error output.
>
> I tried to set the allow_execstack boolean but it didn't make any
> difference.

Are you sure you've set the boolean?

# getsebool allow_execstack

ffmpeg is probably using a library that was not built for FC5. You should be able to find which one it is as follows:

* List all libraries loaded. Assuming ffmpeg doesn't load any itself, the following should work:

$ ldd /usr/bin/ffmpeg | sed -e 's,[^/]*\(/[^ ]*\).*,\1,'

For each of the listed libraries, do:

$ eu-readelf -l /path/to/library

There must be a GNU_STACK line. If this is missing or the permissions (second to last field) is RWX instead of RW you found the culprit.

Paul.

--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
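
Added example (not part of the original thread): the two steps from Paul's reply, listing the loaded libraries with ldd and reading each one's GNU_STACK header, combined into one shell script. It assumes the one-line-per-header output that eu-readelf -l prints in Robert's reply; the function names stack_verdict and scan_libs and the sample header lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: automate the GNU_STACK check described in the thread.
# Assumes one line per program header, as eu-readelf -l prints above.

# Read program-header output on stdin and print one verdict:
#   execstack  GNU_STACK flags include E (library asks for an executable stack)
#   ok         GNU_STACK present, flags without E
#   missing    no GNU_STACK header at all (also a culprit per the reply)
stack_verdict() {
    awk '
        $1 == "GNU_STACK" {
            found = 1
            # Fields 2-6 are offsets and sizes; flags follow, up to Align (0x...).
            # Flags may print as "RWE" or split like "R E", so scan each token.
            for (i = 7; i <= NF && $i !~ /^0x/; i++)
                if ($i ~ /E/) exec_flag = 1
        }
        END {
            if (!found)         print "missing"
            else if (exec_flag) print "execstack"
            else                print "ok"
        }'
}

# Print "verdict<TAB>path" for every shared object ldd resolves for a binary.
# sed -n ... p keeps only lines that contain an absolute path.
scan_libs() {
    ldd "$1" | sed -n -e 's,[^/]*\(/[^ ]*\).*,\1,p' | while read -r lib; do
        printf '%s\t%s\n' "$(eu-readelf -l "$lib" | stack_verdict)" "$lib"
    done
}

# Constructed sample header lines; the first carries the flags from the thread.
SAMPLE_EXEC='  GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RWE 0x4'
SAMPLE_OK='  GNU_STACK 0x000000 0x00000000 0x00000000 0x000000 0x000000 RW  0x4'
SAMPLE_NONE='  LOAD 0x000000 0x00000000 0x00000000 0x32dabc 0x32dabc R E 0x1000'

for s in "$SAMPLE_EXEC" "$SAMPLE_OK" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | stack_verdict
done
```

On a real system, scan_libs /usr/bin/ffmpeg prints one verdict per library; any line that does not start with "ok" names a library to rebuild or report to its packager.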