Bug 431942 - selinux errors with mythtv/libmythavcodec
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
8
All Linux
low Severity low
Assigned To: Daniel Walsh
Ben Levenson
Reported: 2008-02-07 17:42 EST by Need Real Name
Modified: 2008-11-17 17:02 EST
Doc Type: Bug Fix
Last Closed: 2008-11-17 17:02:59 EST
Description Need Real Name 2008-02-07 17:42:15 EST
Description of problem:
After updating to the latest bugfix release of mythtv (0.20.2_0-0.20.2-172), I
started getting the following selinux errors whenever mythfilldatabase is run:

denied  { execmod } for  pid=19070 comm="mythfilldatabas"
path="/usr/lib/libmythavcodec-0.20.2.so.0.20.2" dev=sda7 ino=967204
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file

I checked with the maintainer (Axel Thimm) and he is not aware of any specific
change but clearly something must have changed to cause this...


Comment 1 Daniel Walsh 2008-02-08 10:19:23 EST
So the mythlibrary codec was built incorrectly, and this is an SELinux bug?
Please report this as a bug in myth.  The libraries were either built
incorrectly or include some assembly code that is causing the system to generate
an execmod request.  I can set up the default labeling for this file, if the
myth people can not fix it.  For now you can label it textrel_shlib_t.

chcon -t textrel_shlib_t /usr/lib/libmythavcodec-0.20.2.so.0.20.2
Comment 2 Need Real Name 2008-02-08 15:47:46 EST
Well, I first did report it to Axel Thimm, the maintainer of mythtv and he was
not aware of what was causing this - as a result, it was he, in fact, who
suggested reporting it here.

Personally, I don't care whether it is an selinux or mythtv bug -- I just want
to help get it fixed. Additionally, the reason for reporting such issues here is
that I find that many of the maintainers are themselves not using selinux
because of the frustrations they have experienced with selinux over the years.
So, I think that even if strictly-speaking the "bug" lies elsewhere, it is a
service to the selinux community (and presumably therefore the Fedora/RedHat
organization) to report the bugs here and get them fixed so as not to further
feed the impression that selinux is more hassle than it is worth.

Also, as you might note, Axel Thimm has been cc'd on this bug so that hopefully
between the two of you, a good resolution can be found.

Comment 3 Axel Thimm 2008-02-09 01:54:21 EST
Hi,

I indeed suggested Jeff to report it here first. Jeff, Dan suggests to report to
mythtv upstream, I'm just the packager. Even mythtv upstream will probably not
immediately know what caused this as this part of the code is imported from
ffmpeg. So at the end it will probably take a fixed snapshot of ffmpeg to be
imported into mythtv.

Dan, could this be added to the policy while we try to dig into mythtv/ffmpeg
development about it? Once this is fixed (or we think it is), you can tell us
how to turn off the workaround locally so we can verify it isn't needed anymore.
Comment 4 Daniel Walsh 2008-02-11 16:26:51 EST
Added 
/usr/lib(64)?/libmythavcodec-[^/]+\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)

To

selinux-policy-3.0.8-84.fc8
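
An added example, not part of the bug thread or the policy sources: a small triage helper that parses the execmod denial from the description and checks its path against the file-context entry quoted in Comment 4. The function names and the FC_ENTRIES table are assumptions made for illustration, and the sample line is the reported denial joined onto one line.

```python
import re

# Constructed sample: the denial from the bug description, joined onto one line.
SAMPLE_AVC = (
    'denied  { execmod } for  pid=19070 comm="mythfilldatabas" '
    'path="/usr/lib/libmythavcodec-0.20.2.so.0.20.2" dev=sda7 ino=967204 '
    'scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=file'
)

# File-context entry quoted in Comment 4: (path regex, resulting type).
# Hypothetical table; a real system reads these from the installed policy.
FC_ENTRIES = [
    (r"/usr/lib(64)?/libmythavcodec-[^/]+\.so.*", "textrel_shlib_t"),
]

def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    perms = re.search(r"\{([^}]*)\}", line)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields["perms"] = perms.group(1).split() if perms else []
    return fields

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def expected_type(path, entries=FC_ENTRIES):
    """file_contexts regexes are anchored at both ends, hence fullmatch."""
    for pattern, setype in entries:
        if re.fullmatch(pattern, path):
            return setype
    return None

def triage(line):
    """For an execmod denial on a file, compare current and expected type."""
    avc = parse_avc(line)
    if "execmod" not in avc["perms"] or avc.get("tclass") != "file":
        return None
    current = selinux_type(avc["tcontext"])
    wanted = expected_type(avc["path"])
    return {"path": avc["path"], "current": current, "expected": wanted,
            "relabel": wanted is not None and wanted != current}

if __name__ == "__main__":
    print(triage(SAMPLE_AVC))
```

When `relabel` is true and the updated policy is installed, `restorecon -v` on the path applies the policy's label, so the manual `chcon` from Comment 1 is no longer needed.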
Comment 5 Daniel Walsh 2008-11-17 17:02:59 EST
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.
