Description of problem:
After updating to the latest bugfix release of mythtv (0.20.2_0-0.20.2-172), I started getting the following selinux errors whenever mythfilldatabase is run:

denied { execmod } for pid=19070 comm="mythfilldatabas" path="/usr/lib/libmythavcodec-0.20.2.so.0.20.2" dev=sda7 ino=967204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

I checked with the maintainer (Axel Thimm) and he is not aware of any specific change but clearly something must have changed to cause this...
So the mythlibrary codec was built incorrectly, and this is an SELinux bug? Please report this as a bug in myth. The libraries were either built incorrectly or include some assembly code that is causing the system to generate an execmod request. I can set up the default labeling for this file, if the myth people can not fix it. For now you can label it textrel_shlib_t.

chcon -t textrel_shlib_t /usr/lib/libmythavcodec-0.20.2.so.0.20.2
Well, I first did report it to Axel Thimm, the maintainer of mythtv and he was not aware of what was causing this - as a result, it was he, in fact, who suggested reporting it here. Personally, I don't care whether it is an selinux or mythtv bug -- I just want to help get it fixed. Additionally, the reason for reporting such issues here is that I find that many of the maintainers are themselves not using selinux because of the frustrations they have experienced with selinux over the years. So, I think that even if strictly-speaking the "bug" lies elsewhere, it is a service to the selinux community (and presumably therefore the Fedora/RedHat organization) to report the bugs here and get them fixed so as not to further feed the impression that selinux is more hassle than it is worth. Also, as you might note, Axel Thimm has been cc'd on this bug so that hopefully between the two of you, a good resolution can be found.
Hi, I indeed suggested Jeff to report it here first. Jeff, Dan suggests to report to mythtv upstream, I'm just the packager. Even mythtv upstream will probably not immediately know what caused this as this part of the code is imported from ffmpeg. So at the end it will probably take a fixed snapshot of ffmpeg to be imported into mythtv. Dan, could this be added to the policy while we try to dig into mythtv/ffmpeg development about it? Once this is fixed (or we think it is), you can tell us how to turn off the workaround locally so we can verify it isn't needed anymore.
Added

/usr/lib(64)?/libmythavcodec-[^/]+\.so.* -- gen_context(system_u:object_r:textrel_shlib_t,s0)

to selinux-policy-3.0.8-84.fc8
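Added example, not part of the thread and not code from selinux-policy or mythtv: a small Python check that parses the denial quoted in the report and tests whether the file-context entry quoted in the comment above covers the denied path. The function names are hypothetical, and the context string is the gen_context() entry written in its expanded user:role:type:level form.

```python
import re

# Denial text as quoted in the report above.
DENIAL = ('denied { execmod } for pid=19070 comm="mythfilldatabas" '
          'path="/usr/lib/libmythavcodec-0.20.2.so.0.20.2" dev=sda7 ino=967204 '
          'scontext=system_u:system_r:initrc_t:s0 '
          'tcontext=system_u:object_r:lib_t:s0 tclass=file')

# File-context entry quoted in the comment above: (path regex, file kind, context).
# The context is gen_context(system_u:object_r:textrel_shlib_t,s0) in expanded form.
FC_ENTRY = (r'/usr/lib(64)?/libmythavcodec-[^/]+\.so.*', '--',
            'system_u:object_r:textrel_shlib_t:s0')


def parse_avc(line):
    """Split an AVC denial into its permission set and key=value fields."""
    m = re.search(r'denied\s+\{([^}]*)\}', line)
    if m is None:
        raise ValueError('not an AVC denial')
    fields = {'perms': m.group(1).split()}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|(\S+))', line):
        fields[key] = quoted or bare
    return fields


def context_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(':')[2]


def review_execmod(line, fc_entry=FC_ENTRY):
    """Report whether the file-context entry covers an execmod denial's target."""
    avc = parse_avc(line)
    if 'execmod' not in avc['perms'] or avc.get('tclass') != 'file':
        return None  # only execmod denials on regular files are of interest here
    regex, _kind, context = fc_entry
    # File-context regexes are anchored at both ends, hence fullmatch.
    covered = re.fullmatch(regex, avc['path']) is not None
    current, wanted = context_type(avc['tcontext']), context_type(context)
    return {'path': avc['path'],
            'current_type': current,
            'policy_type': wanted if covered else None,
            'needs_relabel': covered and current != wanted}


if __name__ == '__main__':
    print(review_execmod(DENIAL))
```

A result with needs_relabel set means the file still carries its old type (lib_t here) and has to be relabeled, either with the chcon command given earlier in the thread or with restorecon once the updated policy is installed.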
Closing all bugs that have been in modified for over a month. Please reopen if the bug is not actually fixed.