Description of problem: After installing flac-1.2.0-1.fc8, I get the following execmod AVC when trying to start audacity: type=AVC msg=audit(1189518127.378:24): avc: denied { execmod } for pid=5321 comm="audacity" path="/usr/lib/libFLAC.so.8.1.0" dev=dm-0 ino=12255847 scontext=system_u:system_r:unconfined_execmem_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file type=SYSCALL msg=audit(1189518127.378:24): arch=40000003 syscall=125 success=no exit=-13 a0=279000 a1=54000 a2=5 a3=bfd77d70 items=0 ppid=1 pid=5321 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="audacity" exe="/usr/bin/audacity" subj=system_u:system_r:unconfined_execmem_t:s0 key=(null) [I run audacity as 'unconfined_execmem_t' to allow use of 'ugly codec'.] Don't recall seeing this with prior version. Version-Release number of selected component (if applicable): flac-1.2.0-1.fc8 How reproducible: Every time. Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info:
flac-1.1.3-gnu-stack.patch probably needs updating to cover the new nasm files. Let me give it a try.
Please test with the build at: http://koji.fedoraproject.org/koji/taskinfo?taskID=155392
Make that: http://koji.fedoraproject.org/koji/taskinfo?taskID=155415 My fingers hate me.
No joy. Downloaded/installed flac-1.2.0-2.fc8. Reran audacity. Still get: type=AVC msg=audit(1189526382.610:28): avc: denied { execmod } for pid=6042 comm="audacity" path="/usr/lib/libFLAC.so.8.1.0" dev=dm-0 ino=5483267 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file type=SYSCALL msg=audit(1189526382.610:28): arch=40000003 syscall=125 success=no exit=-13 a0=279000 a1=54000 a2=5 a3=bf9dea60 items=0 ppid=5324 pid=6042 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 comm="audacity" exe="/usr/bin/audacity" subj=system_u:system_r:unconfined_t:s0 key=(null)
Can you reproduce using another app, say, /usr/bin/metaflac instead? Dan, got a guide for debugging those?
Jakub or Uli would be much more help.
A bit more detail.... Running audacity from console window produces: [tbl@localhost Downloads]$ audacity audacity: error while loading shared libraries: /usr/lib/libFLAC.so.8: cannot restore segment prot after reloc: Permission denied [tbl@localhost Downloads]$ Here are the last few lines of 'strace audacity': open("/usr/lib/libXdmcp.so.6", O_RDONLY) = 3 read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\r\0\0004\0\0\0"..., 512) = 512 fstat64(3, {st_mode=S_IFREG|0755, st_size=18612, ...}) = 0 mmap2(NULL, 21420, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x1976000 mmap2(0x197b000, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x4) = 0x197b000 close(3) = 0 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef5000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef4000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef3000 mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7ef2000 set_thread_area({entry_number:-1 -> 6, base_addr:0xb7ef26d0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 mprotect(0xac8000, 4096, PROT_READ) = 0 mprotect(0xd97000, 8192, PROT_READ) = 0 mprotect(0xaa4000, 4096, PROT_READ) = 0 mprotect(0xa72000, 12288, PROT_READ) = 0 mprotect(0x992000, 4096, PROT_READ) = 0 mprotect(0x987000, 4096, PROT_READ) = 0 mprotect(0x279000, 344064, PROT_READ|PROT_WRITE) = 0 mprotect(0x279000, 344064, PROT_READ|PROT_EXEC) = -1 EACCES (Permission denied) writev(2, [{"audacity", 8}, {": ", 2}, {"error while loading shared libra"..., 36}, {": ", 2}, {"/usr/lib/libFLAC.so.8", 21}, {": ", 2}, {"cannot restore segment prot afte"..., 39}, {": ", 2}, {"Permission denied", 17}, {"\n", 1}], 10audacity: error while loading shared libraries: /usr/lib/libFLAC.so.8: cannot restore segment prot after reloc: Permission denied ) = 130 exit_group(127) = ? [tbl@localhost Downloads]$
And yes, fails with 'metaflac': [tbl@localhost Downloads]$ metaflac metaflac: error while loading shared libraries: /usr/lib/libFLAC.so.8: cannot restore segment prot after reloc: Permission denied [tbl@localhost Downloads]$
libFLAC.so.8.1.0 on i386 is DT_TEXTREL, please avoid that. The bad relocations are: 0004c653 0001c901 R_386_32 00054940 FLAC__crc16_table 0004c6f0 0001c901 R_386_32 00054940 FLAC__crc16_table 0004c84d 0001c901 R_386_32 00054940 FLAC__crc16_table 0004c78c 00017202 R_386_PC32 00009f20 bitreader_read_from_client_ 0004c7e1 00017202 R_386_PC32 00009f20 bitreader_read_from_client_ %ifdef FLAC__PUBLIC_NEEDS_UNDERSCORE mov edi, _FLAC__crc16_table %else mov edi, FLAC__crc16_table %endif or %ifdef FLAC__PUBLIC_NEEDS_UNDERSCORE call _bitreader_read_from_client_ %else call bitreader_read_from_client_ %endif is not correct PIC code. The latter is more easily fixable, assuming bitreader_read_from_client_ is not part of the exported ABI, making it hidden within the library is all that is needed. simple_ogg_page__set_at and simple_ogg_page__init, simple_ogg_page__get_at probably should be made hidden as well. Just add __attribute__((__visibility__("hidden"))) to those 4 prototypes or function definitions. The 3 movl $FLAC__crc16_table_, %edi instructions really need to be rewritten as PIC sequences, but I haven't studied if they are used in loops or not. If not and you have one spare register, you can have: .Lget_pc_thunk: movl (%esp), %ecx ret somewhere and call .Lget_pc_thunk addl $_GLOBAL_OFFSET_TABLE_, %ecx movl FLAC__crc16_table_(%ecx), %edi to load the address. Unfortunately flac uses nasm, not sure how this can be written in that.
I forwarded the bug upstream, as my visibility changes weren't enough to fix the problem: http://sourceforge.net/tracker/index.php?func=detail&aid=1793536&group_id=13478&atid=113478 I've committed the visibility changes, as well as disabling optimisations on x86 until fixes this.
Did at least the bitreader_read_from_client_ relocs go away? For the loading of FLAC__crc16_table_ address, following might help: http://developer.apple.com/documentation/DeveloperTools/nasm/nasmdoc8.html#section-8.2
*** Bug 289721 has been marked as a duplicate of this bug. ***