Description of problem: Fluendo codecs don't work on Fedora 8 test 3 (and probably not on any other fedora version) with selinux enabled. This is the error I get when starting totem with fluendo megacodecs installed: I first tried coping them to /usr/lib/gstreamer-0.10 when that failed I copied them to $HOME/.gstreamer-0.10/plugins. Now I have them on both places. $ gst-inspect-0.10 | grep flu fluac3dec: audio/ac3: no extensions fluac3dec: fluac3dec: AC3 decoder flumpeg4vdec: flumpeg4vdec: Fluendo MPEG-4 ASP Video Decoder flumpeg2vdec: flumpeg2vdec: Fluendo MPEG-2 Video Decoder fluwmvdec: fluwmvdec: Fluendo WMV Decoder fluisodemux: fluisodemux: ISODemux Demuxer flumpegdemux: flupsdemux: MPEG Program Demuxer flumpegdemux: flutsdemux: MPEG Transport stream demuxer fluasf: fluasfdemux: Fluendo ASF Demuxer fluasf: fluasfcmdparse: Fluendo ASF Command Parser flumms: flummssrc: Fluendo MMS source fluwmadec: fluwmadec: Fluendo WMA Decoder flump3dec: flump3dec: Fluendo MP3 Decoder (IPP build) I copied fluendo codec files to $HOME/.gstreamer-0.10/plugins in openSuse 10.3 and it worked with some videos that previously it didn't. Namely it worked with one mpeg1 file named bespring.mpg the same file under same player on Fedora 8 test 3 gives this error: $ totem /data/bedspring.mpg (totem:3725): GStreamer-WARNING **: Failed to load plugin '/home/fedora8test3/.gstreamer-0.10/plugins/libgstfluac3dec.so': /home/fedora8test3/.gstreamer-0.10/plugins/libgstfluac3dec.so: cannot restore segment prot after reloc: Permission denied (totem:3725): GStreamer-WARNING **: Failed to load plugin '/home/fedora8test3/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so': /home/fedora8test3/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so: cannot restore segment prot after reloc: Permission denied ** Message: don't know how to handle video/mpeg, mpegversion=(int)1, systemstream=(boolean)false ** Message: Missing plugin: gstreamer|0.10|totem|MPEG-1 Video decoder|decoder-video/mpeg, mpegversion=(int)1, systemstream=(boolean)false (MPEG-1 Video decoder) XID: 77594627 This is what fluendo support replied to my request: Yes we know about that problem and we are pushing Intel everyday to provide us with a version of IPP that does not do text relocation. Sorry for the frustration that it creates. Version-Release number of selected component (if applicable): How reproducible: Evey time selinux is enabled. Steps to Reproduce: 1. 2. 3. Actual results: Expected results: Additional info: to enable codecs to be loaded I needed to do this: chcon -t textrel_shlib_t ~/.gstreamer-0.10/plugins/* Can this be exclusion is selinux policy so that codecs work? here is the link to fluendo bugzilla: https://core.fluendo.com/gstreamer/trac/ticket/24
restorecon -R -v /usr/lib/gstreamer-0.10 Should fix the labeling. selinux-policy-3.0.8-40
I'm really not selinux proficient... can you please explain a bit. Are you adding the exclusion to selinux policy?
The libraries are built incorrectly, They require the execmod privs which selinux is denying. You can label the files textrel_shlib_t and SELinux will allow the execmod priv. In selinux-policy-3.0.8-38 and probably before, the context for the se files was textrel_shlib_t. rpm install of these files would label them correctly, if you installed them by some other means they might not have the right context. So executing restorecon on them will set them to the system defaults. In -40 I am adding the context for these files in the homedirectories.
adding Will Woods to CC. This definitely needs a known issues comment, we are willfully breaking one of our F8 features out of the box.
Works for me. Tested on x86_64 installed from DVD and i386 installed from Live image. ls -lZ ~/.gstreamer-0.10/plugins confirms that the installed object is textrel_shlib_t.
I have Fedora 8 with all updates and I still see this bug! look here: $ totem clip1.wmv (totem:14560): GStreamer-WARNING **: Failed to load plugin '/home/valentt/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so': /home/valentt/.gstreamer-0.10/plugins/libgstflumpeg2vdec.so: cannot restore segment prot after reloc: Permission denied (totem:14560): GStreamer-WARNING **: Failed to load plugin '/home/valentt/.gstreamer-0.10/plugins/libgstflumpeg4videodec.so': /home/valentt/.gstreamer-0.10/plugins/libgstflumpeg4videodec.so: cannot restore segment prot after reloc: Permission denied (totem:14560): GStreamer-WARNING **: Failed to load plugin '/home/valentt/.gstreamer-0.10/plugins/libgstfluac3dec.so': /home/valentt/.gstreamer-0.10/plugins/libgstfluac3dec.so: cannot restore segment prot after reloc: Permission denied (totem:14560): GStreamer-WARNING **: Failed to load plugin '/home/valentt/.gstreamer-0.10/plugins/libgstfluwmvdec.so': /home/valentt/.gstreamer-0.10/plugins/libgstfluwmvdec.so: cannot restore segment prot after reloc: Permission denied (totem:14560): GStreamer-WARNING **: Failed to load plugin '/home/valentt/.gstreamer-0.10/plugins/libgstflump3dec.so': /home/valentt/.gstreamer-0.10/plugins/libgstflump3dec.so: cannot restore segment prot after reloc: Permission denied ** Message: don't know how to handle video/x-wmv, wmvversion=(int)3, framerate=(fraction)10000000/333333, width=(int)720, height=(int)480, format=(fourcc)WMV3, pixel-aspect-ratio=(fraction)1/1, codec_data=(buffer)4e611a01, bitrate=(int)455725 ** Message: Error: Failed to connect stream: Invalid argument pulsesink.c(399): gst_pulsesink_prepare (): /play/visbin/abin/audiosinkbin/audio-sink/bin6/autoaudiosink1/autoaudiosink1-actual-sink-pulse
after: chcon -t textrel_shlib_t /home/valentt/.gstreamer-0.10/plugins/* it works...
ps. I testing full fluendo codec pack not only mp3 plugin... $ ls -a .gstreamer-0.10/plugins/ . libgstfluac3dec.so libgstfluisodemux.so libgstflump3dec.so libgstflumpeg4videodec.so libgstfluwmadec.so .. libgstfluasfdemux.so libgstflumms.so libgstflumpeg2vdec.so libgstflumpegdemux.so libgstfluwmvdec.so
Daniel can only change the defaults for the system filepaths, not for the user ones. There's no way to fix the problem for the user part without manual changes, other than getting Fluendo to actually fix the bugs in their code.
thank you for explaining.
I still see this bug. I installed a fluendo codecs to a new machine with fresh fedora 8 in folder '/usr/lib/gstreamer-0.10/' and after trying to play one file that I know fluedo codecs play I get AVC message saying that it is forbidden. look: $ totem bedspring.mpg (totem:3079): GStreamer-WARNING **: Failed to load plugin '/usr/lib/gstreamer-0.10/libgstflumpeg4videodec.so': /usr/lib/gstreamer-0.10/libgstflumpeg4videodec.so: cannot restore segment prot after reloc: Permission denied (totem:3079): GStreamer-WARNING **: Failed to load plugin '/usr/lib/gstreamer-0.10/libgstflump3dec.so': /usr/lib/gstreamer-0.10/libgstflump3dec.so: cannot restore segment prot after reloc: Permission denied (totem:3079): GStreamer-WARNING **: Failed to load plugin '/usr/lib/gstreamer-0.10/libgstflumpeg2vdec.so': /usr/lib/gstreamer-0.10/libgstflumpeg2vdec.so: cannot restore segment prot after reloc: Permission denied (totem:3079): GStreamer-WARNING **: Failed to load plugin '/usr/lib/gstreamer-0.10/libgstfluwmvdec.so': /usr/lib/gstreamer-0.10/libgstfluwmvdec.so: cannot restore segment prot after reloc: Permission denied (totem:3079): GStreamer-WARNING **: Failed to load plugin '/usr/lib/gstreamer-0.10/libgstfluac3dec.so': /usr/lib/gstreamer-0.10/libgstfluac3dec.so: cannot restore segment prot after reloc: Permission denied ** Message: don't know how to handle video/mpeg, mpegversion=(int)1, systemstream=(boolean)false ** Message: don't know how to handle audio/mpeg, mpegversion=(int)1 after doing this as a root: chcon -t textrel_shlib_t /usr/lib/gstreamer-0.10/* Now I can play bedspring.mpg without any problems.
Okay - selinux-policy-3.0.8-56.fc8 has been built, which should automatically label gstreamer plugins textrel_shlib_t when they are created. This will *not* fix files that have already been created in ~/.gstreamer*/plugins Could you test the policy from here: http://koji.fedoraproject.org/koji/buildinfo?buildID=24504 Probably you could test by removing the plugins, installing the policy, then reinstalling the plugins.
I tried all this and I still have this issue.
Please attach the AVC messages you are having. You can just set the boolean allow_execmod setsebool -P allow_execmod=1
Created attachment 268781 [details] avc denial message avc denial message
restorecon -R -v /usr/lib should fix the /usr/lib/gstreamer-0.10/libgstflumpeg4videodec.so
new version of fluendo codecs is out and I got it for testing. Looks like they behave ok with SELinux. I'll test them on one other machine and report back.
nope - latest version of fluendo codecs still has this error (AVC Denial). I tried "restorecon -R -v /usr/lib" and after that it's ok. Should this be added to SELinux or some fedora script?
No, the codecs should be fixed. If the codecs come in a rpm, they will be labeled correctly.
fluendo codecs are distributed in tar.bz2 archives
I just bought the lastest codec pack and it works just fine with an updated F8 system (x86_64 relabeled with the lastest selinux-policy-targeted). I'm a Fluendo beta tester so I'll make sure to keep an eye on future SELinux issues. WORKSFORME
Bugs have been in modified for over one month. Closing as fixed in current release please reopen if the problem still persists.