Bug 355291
| Summary: | RFE: Allow fluendo codecs to work with SELinux enabled | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Valent Turkovic <valent.turkovic> | ||||
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> | ||||
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | low | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | 8 | CC: | bnocera, gnomeuser, maurizio.antillon, wwoods | ||||
| Target Milestone: | --- | Keywords: | Reopened | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Current | Doc Type: | Bug Fix | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2008-03-05 22:17:10 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
|
Description
Valent Turkovic
2007-10-27 15:01:50 UTC
restorecon -R -v /usr/lib/gstreamer-0.10 Should fix the labeling. selinux-policy-3.0.8-40 I'm really not selinux proficient... can you please explain a bit. Are you adding the exclusion to selinux policy? The libraries are built incorrectly, They require the execmod privs which selinux is denying. You can label the files textrel_shlib_t and SELinux will allow the execmod priv. In selinux-policy-3.0.8-38 and probably before, the context for the se files was textrel_shlib_t. rpm install of these files would label them correctly, if you installed them by some other means they might not have the right context. So executing restorecon on them will set them to the system defaults. In -40 I am adding the context for these files in the homedirectories. adding Will Woods to CC. This definitely needs a known issues comment, we are willfully breaking one of our F8 features out of the box. Works for me. Tested on x86_64 installed from DVD and i386 installed from Live image. ls -lZ ~/.gstreamer-0.10/plugins confirms that the installed object is textrel_shlib_t. I have Fedora 8 with all updates and I still see this bug! look here: $ totem clip1.wmv (totem:14560): GStreamer-WARNING **: Failed to load plugin '/home/valentt/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so': /home/valentt/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so: cannot restore segment prot after reloc: Permission denied (totem:14560): GStreamer-WARNING **: Failed to load plugin '/home/valentt/.gstreamer-0.10/plugins/libgstflumpeg4videodec.so': /home/valentt/.gstreamer-0.10/plugins/libgstflumpeg4videodec.so: cannot restore segment prot after reloc: Permission denied (totem:14560): GStreamer-WARNING **: Failed to load plugin '/home/valentt/.gstreamer-0.10/plugins/libgstfluac3dec.so': /home/valentt/.gstreamer-0.10/plugins/libgstfluac3dec.so: cannot restore segment prot after reloc: Permission denied (totem:14560): GStreamer-WARNING **: Failed to load plugin '/home/valentt/.gstreamer-0.10/plugins/libgstfluwmvdec.so': /home/valentt/.gstreamer-0.10/plugins/libgstfluwmvdec.so: cannot restore segment prot after reloc: Permission denied (totem:14560): GStreamer-WARNING **: Failed to load plugin '/home/valentt/.gstreamer-0.10/plugins/libgstflump3dec.so': /home/valentt/.gstreamer-0.10/plugins/libgstflump3dec.so: cannot restore segment prot after reloc: Permission denied ** Message: don't know how to handle video/x-wmv, wmvversion=(int)3, framerate=(fraction)10000000/333333, width=(int)720, height=(int)480, format=(fourcc)WMV3, pixel-aspect-ratio=(fraction)1/1, codec_data=(buffer)4e611a01, bitrate=(int)455725 ** Message: Error: Failed to connect stream: Invalid argument pulsesink.c(399): gst_pulsesink_prepare (): /play/visbin/abin/audiosinkbin/audio-sink/bin6/autoaudiosink1/autoaudiosink1-actual-sink-pulse after: chcon -t textrel_shlib_t /home/valentt/.gstreamer-0.10/plugins/* it works... ps. I testing full fluendo codec pack not only mp3 plugin... $ ls -a .gstreamer-0.10/plugins/ . libgstfluac3dec.so libgstfluisodemux.so libgstflump3dec.so libgstflumpeg4videodec.so libgstfluwmadec.so .. libgstfluasfdemux.so libgstflumms.so libgstflumpeg2vdec.so libgstflumpegdemux.so libgstfluwmvdec.so Daniel can only change the defaults for the system filepaths, not for the user ones. There's no way to fix the problem for the user part without manual changes, other than getting Fluendo to actually fix the bugs in their code. thank you for explaining. I still see this bug. I installed a fluendo codecs to a new machine with fresh fedora 8 in folder '/usr/lib/gstreamer-0.10/' and after trying to play one file that I know fluedo codecs play I get AVC message saying that it is forbidden. look: $ totem bedspring.mpg (totem:3079): GStreamer-WARNING **: Failed to load plugin '/usr/lib/gstreamer-0.10/libgstflumpeg4videodec.so': /usr/lib/gstreamer-0.10/libgstflumpeg4videodec.so: cannot restore segment prot after reloc: Permission denied (totem:3079): GStreamer-WARNING **: Failed to load plugin '/usr/lib/gstreamer-0.10/libgstflump3dec.so': /usr/lib/gstreamer-0.10/libgstflump3dec.so: cannot restore segment prot after reloc: Permission denied (totem:3079): GStreamer-WARNING **: Failed to load plugin '/usr/lib/gstreamer-0.10/libgstflumpeg2vdec.so': /usr/lib/gstreamer-0.10/libgstflumpeg2vdec.so: cannot restore segment prot after reloc: Permission denied (totem:3079): GStreamer-WARNING **: Failed to load plugin '/usr/lib/gstreamer-0.10/libgstfluwmvdec.so': /usr/lib/gstreamer-0.10/libgstfluwmvdec.so: cannot restore segment prot after reloc: Permission denied (totem:3079): GStreamer-WARNING **: Failed to load plugin '/usr/lib/gstreamer-0.10/libgstfluac3dec.so': /usr/lib/gstreamer-0.10/libgstfluac3dec.so: cannot restore segment prot after reloc: Permission denied ** Message: don't know how to handle video/mpeg, mpegversion=(int)1, systemstream=(boolean)false ** Message: don't know how to handle audio/mpeg, mpegversion=(int)1 after doing this as a root: chcon -t textrel_shlib_t /usr/lib/gstreamer-0.10/* Now I can play bedspring.mpg without any problems. Okay - selinux-policy-3.0.8-56.fc8 has been built, which should automatically label gstreamer plugins textrel_shlib_t when they are created. This will *not* fix files that have already been created in ~/.gstreamer*/plugins Could you test the policy from here: http://koji.fedoraproject.org/koji/buildinfo?buildID=24504 Probably you could test by removing the plugins, installing the policy, then reinstalling the plugins. I tried all this and I still have this issue. Please attach the AVC messages you are having. You can just set the boolean allow_execmod setsebool -P allow_execmod=1 Created attachment 268781 [details]
avc denial message
avc denial message
restorecon -R -v /usr/lib should fix the /usr/lib/gstreamer-0.10/libgstflumpeg4videodec.so new version of fluendo codecs is out and I got it for testing. Looks like they behave ok with SELinux. I'll test them on one other machine and report back. nope - latest version of fluendo codecs still has this error (AVC Denial). I tried "restorecon -R -v /usr/lib" and after that it's ok. Should this be added to SELinux or some fedora script? No, the codecs should be fixed. If the codecs come in a rpm, they will be labeled correctly. fluendo codecs are distributed in tar.bz2 archives I just bought the lastest codec pack and it works just fine with an updated F8 system (x86_64 relabeled with the lastest selinux-policy-targeted). I'm a Fluendo beta tester so I'll make sure to keep an eye on future SELinux issues. WORKSFORME Bugs have been in modified for over one month. Closing as fixed in current release please reopen if the problem still persists. |