Bug 376401 - SELinux is preventing totem from changing the access protection of memory on the heap.
SELinux is preventing totem from changing the access protection of memory on ...
Product: Fedora
Classification: Fedora
Component: totem (Show other bugs)
All Linux
low Severity low
: ---
: ---
Assigned To: Bastien Nocera
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2007-11-11 14:40 EST by Juan Manuel Borges Caño
Modified: 2008-01-17 12:06 EST (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-17 12:06:41 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Juan Manuel Borges Caño 2007-11-11 14:40:02 EST
Description of problem:

 I installed a f8 rebuild of gstreamer-pitfdll from freshrpms, and I have the
win32 codecs. I tried to load "totem"
and the following message appears from setroubleshoot:

-setroubleshoot detailed description-
 The totem application attempted to change the access protection of memory on
the heap (e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests web
page explains how to remove this requirement. If totem does not work and you
need it to work, you can configure SELinux temporarily to allow this access
until the application is fixed. Please file a bug report against this package.

 The workaround proposed is allow execheap on all the filesystem, not valid for
me. So I'm reporting this bug, expecting that totem could fix it.

 I can play the same address with gmplayer without denials.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Run "totem" with setroubleshoot enabled
2. A message appears.
3. The stream doesn't plays.
Actual results:
the stream doesn't plays.

Expected results:
To work like with gmplayer.

Additional info:
Comment 1 Bastien Nocera 2007-11-11 21:27:57 EST
And without gstreamer-pitfdll installed, you don't get the problem?

Check which plugin is causing the AVC messages by moving them away from
/usr/lib*/gstreamer-0.10/ one by one, and running gst-inspect-0.10.

Let me know which plugin is causing the messages.
Comment 2 Juan Manuel Borges Caño 2007-11-11 21:43:04 EST

 Without gstreamer-pitfdll I can't play the video, but also I dont get a avc denial.

$rpm -ql gstreamer-pitfdll

 I know it must be this new plugin, because it is the only change from one run
to another

also, here is the output of gst-inspect pitfdll:
$gst-inspect-0.10 pitfdll
Plugin Details:
  Name:                 pitfdll
  Description:          DLL-loader elements
  Filename:             /usr/lib/gstreamer-0.10/libpitfdll.so
  License:              GPL
  Source module:        pitfdll
  Binary package:       PitfDLL
  Origin URL:           http://ronald.bitfreak.net/pitfdll/

  qtadec_bin: quicktime binary audio decoder
  dmodec_wmspdmodv1: DMO wmspdmod decoder version 1
  dmodec_wmadmodv3: DMO wmadmod decoder version 3
  dmodec_wmadmodv2: DMO wmadmod decoder version 2
  dmodec_wmadmodv1: DMO wmadmod decoder version 1
  dmodec_wmvdmodv3: DMO wmvdmod decoder version 3
  dmodec_wmvdmodv2: DMO wmvdmod decoder version 2
  dmodec_wmvdmodv1: DMO wmvdmod decoder version 1
  dmodec_wmv9dmodv3: DMO wmv9dmod decoder version 3
  dshowdec_ir41_32v4: DS ir41_32 decoder version 4
  dshowdec_ir50_32v5: DS ir50_32 decoder version 5

  11 features:
  +-- 11 elements

Comment 3 Bastien Nocera 2007-11-11 22:00:30 EST
You can report the problem upstream, at http://sourceforge.net/projects/pitfdll/
but my guess is that the Windows DLL are the ones needing the text relocations
or the executable stacks.

You might be able to run "restorecon -R -v /usr/lib/gstreamer-0.10" if you have
selinux-policy-3.0.8-40 (see bug #355291). If that doesn't work, I'll pass it on
to Dan to fix (read: work-around) in the policy).
Comment 4 Juan Manuel Borges Caño 2007-11-12 08:26:55 EST

 I'm reporting this bug to pifdll.

 The Allowing Access (workaroung) says:
 If you want totem to continue, you must turn on the allow_execheap boolean.
Note:  This boolean will affect all applications on the system.The following
command will allow this access:setsebool -P allow_execheap=1

 So I understand that it is a coding error and I don't want to allow wrongly
coded programs to access whatever they want to do. I think this is for what
SElinux is usefull.

 I tried the "restorecon" and the "chcon -t textrel_shlib_t /usr/lib/codecs/*"
without success.

 I think that if gmplayer can access it totem (pitfdll) should work too.

 Thank you for the help.
Comment 5 Bastien Nocera 2008-01-17 12:06:41 EST
You need to run the chcon on the GStreamer plugin, not the binary blobs from

Closing this as it's a pitfdll problem. Please bring up any other problems on
the  fedora user mailing-lists or the forums.

Note You need to log in before you can comment on or make changes to this bug.