Red Hat Bugzilla – Bug 376401
SELinux is preventing totem from changing the access protection of memory on the heap.
Last modified: 2008-01-17 12:06:41 EST
Description of problem:
I installed a f8 rebuild of gstreamer-pitfdll from freshrpms, and I have the
win32 codecs. I tried to load "totem http://220.127.116.11:80/antena3/neox.asf"
and the following message appears from setroubleshoot:
-setroubleshoot detailed description-
The totem application attempted to change the access protection of memory on
the heap (e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests web
page explains how to remove this requirement. If totem does not work and you
need it to work, you can configure SELinux temporarily to allow this access
until the application is fixed. Please file a bug report against this package.
The workaround proposed is to allow execheap on all the filesystem, which is not valid for
me. So I'm reporting this bug, expecting that totem could fix it.
I can play the same address with gmplayer without denials.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Run "totem http://18.104.22.168:80/antena3/neox.asf" with setroubleshoot enabled
2. A message appears.
3. The stream doesn't play.
The stream doesn't play.
To work like with gmplayer.
And without gstreamer-pitfdll installed, you don't get the problem?
Check which plugin is causing the AVC messages by moving them away from
/usr/lib*/gstreamer-0.10/ one by one, and running gst-inspect-0.10.
Let me know which plugin is causing the messages.
Without gstreamer-pitfdll I can't play the video, but I also don't get an AVC denial.
$ rpm -ql gstreamer-pitfdll
I know it must be this new plugin, because it is the only change from one run
also, here is the output of gst-inspect pitfdll:
Description: DLL-loader elements
Source module: pitfdll
Binary package: PitfDLL
Origin URL: http://ronald.bitfreak.net/pitfdll/
qtadec_bin: quicktime binary audio decoder
dmodec_wmspdmodv1: DMO wmspdmod decoder version 1
dmodec_wmadmodv3: DMO wmadmod decoder version 3
dmodec_wmadmodv2: DMO wmadmod decoder version 2
dmodec_wmadmodv1: DMO wmadmod decoder version 1
dmodec_wmvdmodv3: DMO wmvdmod decoder version 3
dmodec_wmvdmodv2: DMO wmvdmod decoder version 2
dmodec_wmvdmodv1: DMO wmvdmod decoder version 1
dmodec_wmv9dmodv3: DMO wmv9dmod decoder version 3
dshowdec_ir41_32v4: DS ir41_32 decoder version 4
dshowdec_ir50_32v5: DS ir50_32 decoder version 5
+-- 11 elements
You can report the problem upstream, at http://sourceforge.net/projects/pitfdll/
but my guess is that the Windows DLLs are the ones needing the text relocations
or the executable stacks.
You might be able to run "restorecon -R -v /usr/lib/gstreamer-0.10" if you have
selinux-policy-3.0.8-40 (see bug #355291). If that doesn't work, I'll pass it on
to Dan to fix (read: work around) in the policy.
I'm reporting this bug to pitfdll.
The Allowing Access (workaround) says:
If you want totem to continue, you must turn on the allow_execheap boolean.
Note: This boolean will affect all applications on the system. The following
command will allow this access: setsebool -P allow_execheap=1
So I understand that it is a coding error and I don't want to allow wrongly
coded programs to access whatever they want to do. I think this is what
SELinux is useful for.
I tried the "restorecon" and the "chcon -t textrel_shlib_t /usr/lib/codecs/*"
I think that if gmplayer can access it, totem (pitfdll) should work too.
Thank you for the help.
You need to run the chcon on the GStreamer plugin, not the binary blobs from
Closing this as it's a pitfdll problem. Please bring up any other problems on
the fedora user mailing-lists or the forums.
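An added example, not part of the bug report or of setroubleshoot: the setroubleshoot message quoted in the description is produced from AVC denial records in the audit log, and this sketch tallies memory-protection denials such as execheap per command, which is one way to see which program triggers them. The log lines, paths and contexts in it are constructed samples.

```python
import re
from collections import defaultdict

# SELinux memory-protection permissions: execheap, execmem and execstack are
# checked on the process class, execmod on the file class.
MEM_PERMS = {"execheap", "execmem", "execstack", "execmod"}

AVC_RE = re.compile(r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample audit.log lines (not from the bug report). The kernel
# truncates comm to 15 characters, hence "gst-inspect-0.1".
SAMPLE_LOG = """\
type=AVC msg=audit(1200000000.101:41): avc:  denied  { execheap } for  pid=3120 comm="totem" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1200000000.350:42): avc:  denied  { read } for  pid=3120 comm="totem" name="sample.conf" dev=dm-0 ino=1001 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=AVC msg=audit(1200000004.007:43): avc:  denied  { execheap } for  pid=3131 comm="totem" scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1200000009.512:44): avc:  denied  { execmod } for  pid=3140 comm="gst-inspect-0.1" path="/usr/lib/codecs/sample.dll" dev=dm-0 ino=1002 scontext=system_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1200000009.512:44): arch=40000003 syscall=125 success=no exit=-13 comm="gst-inspect-0.1"
"""


def memory_denials(log_text):
    """Return {(comm, permission): count} for denied memory-protection checks."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        match = AVC_RE.search(line)
        if not match:
            continue  # not an AVC denial record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(match.group("fields"))}
        for perm in match.group("perms").split():
            if perm in MEM_PERMS:
                counts[(fields.get("comm", "?"), perm)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (comm, perm), n in sorted(memory_denials(SAMPLE_LOG).items()):
        print(f"{comm}: {perm} denied {n} time(s)")
```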