Bug 285961
Summary: | flac-1.2.0-1.fc8: execmod for libFLAC.so.8.1.0 ? | ||
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Tom London <selinux> |
Component: | flac | Assignee: | Bastien Nocera <bnocera> |
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | low | Docs Contact: | |
Priority: | medium | ||
Version: | rawhide | CC: | drepper, dwalsh, jakub, jonathan.roberts.uk |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | 1.2.0-3 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2007-09-12 21:07:46 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Tom London
2007-09-11 13:54:19 UTC
flac-1.1.3-gnu-stack.patch probably needs updating to cover the new nasm files. Let me give it a try. Please test with the build at: http://koji.fedoraproject.org/koji/taskinfo?taskID=155392 Make that: http://koji.fedoraproject.org/koji/taskinfo?taskID=155415 My fingers hate me. No joy. Downloaded/installed flac-1.2.0-2.fc8. Reran audacity. Still get: type=AVC msg=audit(1189526382.610:28): avc: denied { execmod } for pid=6042 comm="audacity" path="/usr/lib/libFLAC.so.8.1.0" dev=dm-0 ino=5483267 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file type=SYSCALL msg=audit(1189526382.610:28): arch=40000003 syscall=125 success=no exit=-13 a0=279000 a1=54000 a2=5 a3=bf9dea60 items=0 ppid=5324 pid=6042 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="audacity" exe="/usr/bin/audacity" subj=system_u:system_r:unconfined_t:s0 key=(null) Can you reproduce using another app, say, /usr/bin/metaflac instead? Dan, got a guide for debugging those? Jakub or Uli would be much more help. A bit more detail.... Running audacity from console window produces: [tbl@localhost Downloads]$ audacity audacity: error while loading shared libraries: /usr/lib/libFLAC.so.8: cannot restore segment prot after reloc: Permission denied [tbl@localhost Downloads]$ Here are the last few lines of 'strace audacity': open("/usr/lib/libXdmcp.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\r\0\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=18612, ...}) = 0 mmap2(NULL, 21420, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x1976000 mmap2(0x197b000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4) = 0x197b000 close(3) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef5000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef4000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef3000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef2000 set_thread_area({entry_number:-1 -> 6, base_addr:0xb7ef26d0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 mprotect(0xac8000, 4096, PROT_READ) = 0 mprotect(0xd97000, 8192, PROT_READ) = 0 mprotect(0xaa4000, 4096, PROT_READ) = 0 mprotect(0xa72000, 12288, PROT_READ) = 0 mprotect(0x992000, 4096, PROT_READ) = 0 mprotect(0x987000, 4096, PROT_READ) = 0 mprotect(0x279000, 344064, PROT_READ|PROT_WRITE) = 0 mprotect(0x279000, 344064, PROT_READ|PROT_EXEC) = -1 EACCES (Permission denied) writev(2, [{"audacity", 8}, {": ", 2}, {"error while loading shared libra"..., 36}, {": ", 2}, {"/usr/lib/libFLAC.so.8", 21}, {": ", 2}, {"cannot restore segment prot afte"..., 39}, {": ", 2}, {"Permission denied", 17}, {"\n", 1}], 10audacity: error while loading shared libraries: /usr/lib/libFLAC.so.8: cannot restore segment prot after reloc: Permission denied ) = 130 exit_group(127) = ? [tbl@localhost Downloads]$ And yes, fails with 'metaflac': [tbl@localhost Downloads]$ metaflac metaflac: error while loading shared libraries: /usr/lib/libFLAC.so.8: cannot restore segment prot after reloc: Permission denied [tbl@localhost Downloads]$ libFLAC.so.8.1.0 on i386 is DT_TEXTREL, please avoid that. The bad relocations are: 0004c653 0001c901 R_386_32 00054940 FLAC__crc16_table 0004c6f0 0001c901 R_386_32 00054940 FLAC__crc16_table 0004c84d 0001c901 R_386_32 00054940 FLAC__crc16_table 0004c78c 00017202 R_386_PC32 00009f20 bitreader_read_from_client_ 0004c7e1 00017202 R_386_PC32 00009f20 bitreader_read_from_client_ %ifdef FLAC__PUBLIC_NEEDS_UNDERSCORE mov edi, _FLAC__crc16_table %else mov edi, FLAC__crc16_table %endif or %ifdef FLAC__PUBLIC_NEEDS_UNDERSCORE call _bitreader_read_from_client_ %else call bitreader_read_from_client_ %endif is not correct PIC code. The latter is more easily fixable, assuming bitreader_read_from_client_ is not part of the exported ABI, making it hidden within the library is all that is needed. simple_ogg_page__set_at and simple_ogg_page__init, simple_ogg_page__get_at probably should be made hidden as well. Just add __attribute__((__visibility__("hidden"))) to those 4 prototypes or function definitions. The 3 movl $FLAC__crc16_table_, %edi instructions really need to be rewritten as PIC sequences, but I haven't studied if they are used in loops or not. If not and you have one spare register, you can have: .Lget_pc_thunk: movl (%esp), %ecx ret somewhere and call .Lget_pc_thunk addl $_GLOBAL_OFFSET_TABLE_, %ecx movl FLAC__crc16_table_(%ecx), %edi to load the address. Unfortunately flac uses nasm, not sure how this can be written in that. I forwarded the bug upstream, as my visibility changes weren't enough to fix the problem: http://sourceforge.net/tracker/index.php?func=detail&aid=1793536&group_id=13478&atid=113478 I've committed the visibility changes, as well as disabling optimisations on x86 until fixes this. Did at least the bitreader_read_from_client_ relocs go away? For the loading of FLAC__crc16_table_ address, following might help: http://developer.apple.com/documentation/DeveloperTools/nasm/nasmdoc8.html#section-8.2 *** Bug 289721 has been marked as a duplicate of this bug. *** |