Bug 431942 - selinux errors with mythtv/libmythavcodec
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 8
Hardware: All
OS: Linux
Priority: low
Severity: low
Assignee: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2008-02-07 22:42 UTC by Need Real Name
Modified: 2008-11-17 22:02 UTC (History)

Last Closed: 2008-11-17 22:02:59 UTC

Description Need Real Name 2008-02-07 22:42:15 UTC
Description of problem:
After updating to the latest bugfix release of mythtv (0.20.2_0-0.20.2-172), I
started getting the following selinux errors whenever mythfilldatabase is run:

denied  { execmod } for  pid=19070 comm="mythfilldatabas"
path="/usr/lib/libmythavcodec-0.20.2.so.0.20.2" dev=sda7 ino=967204
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:lib_t:s0 tclass=file

I checked with the maintainer (Axel Thimm) and he is not aware of any specific
change but clearly something must have changed to cause this...



Comment 1 Daniel Walsh 2008-02-08 15:19:23 UTC
So the mythlibrary codec was built incorrectly, and this is an SELinux bug?
Please report this as a bug in myth.  The libraries were either built
incorrectly or include some assembly code that is causing the system to generate
an execmod request.  I can set up the default labeling for this file, if the
myth people can not fix it.  For now you can label it textrel_shlib_t.

chcon -t textrel_shlib_t /usr/lib/libmythavcodec-0.20.2.so.0.20.2

Comment 2 Need Real Name 2008-02-08 20:47:46 UTC
Well, I first did report it to Axel Thimm, the maintainer of mythtv and he was
not aware of what was causing this - as a result, it was he, in fact, who
suggested reporting it here.

Personally, I don't care whether it is an selinux or mythtv bug -- I just want
to help get it fixed. Additionally, the reason for reporting such issues here is
that I find that many of the maintainers are themselves not using selinux
because of the frustrations they have experienced with selinux over the years.
So, I think that even if strictly-speaking the "bug" lies elsewhere, it is a
service to the selinux community (and presumably therefore the Fedora/RedHat
organization) to report the bugs here and get them fixed so as not to further
feed the impression that selinux is more hassle than it is worth.

Also, as you might note, Axel Thimm has been cc'd on this bug so that hopefully
between the two of you, a good resolution can be found.



Comment 3 Axel Thimm 2008-02-09 06:54:21 UTC
Hi,

I indeed suggested Jeff to report it here first. Jeff, Dan suggests to report to
mythtv upstream, I'm just the packager. Even mythtv upstream will probably not
immediately know what caused this as this part of the code is imported from
ffmpeg. So at the end it will probably take a fixed snapshot of ffmpeg to be
imported into mythtv.

Dan, could this be added to the policy while we try to dig into mythtv/ffmpeg
development about it? Once this is fixed (or we think it is), you can tell us
how to turn off the workaround locally so we can verify it isn't needed anymore.


Comment 4 Daniel Walsh 2008-02-11 21:26:51 UTC
Added
/usr/lib(64)?/libmythavcodec-[^/]+\.so.*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)

To

selinux-policy-3.0.8-84.fc8
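
Added example (not part of the bug thread or of selinux-policy): a Python triage helper that parses the denial from the description and checks the library path against the file-context pattern quoted in Comment 4. The sample line is the reported denial joined onto one line; the function names and result strings are assumptions made for illustration.

```python
import re

# Constructed sample: the denial from the bug description, joined onto one line.
# Function names and result strings below are hypothetical, chosen for this example.
SAMPLE_AVC = (
    'denied  { execmod } for  pid=19070 comm="mythfilldatabas" '
    'path="/usr/lib/libmythavcodec-0.20.2.so.0.20.2" dev=sda7 ino=967204 '
    'scontext=system_u:system_r:initrc_t:s0 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=file'
)

# Path regex and type taken from the file-context entry in Comment 4.
FC_ENTRIES = [
    (r'/usr/lib(64)?/libmythavcodec-[^/]+\.so.*', 'textrel_shlib_t'),
]

def parse_avc(line):
    """Split an AVC denial into its permission list plus key=value fields."""
    perms = re.search(r'\{\s*([^}]*?)\s*\}', line)
    if not perms:
        raise ValueError('not an AVC denial: %r' % line)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    fields['perms'] = perms.group(1).split()
    # SELinux contexts are user:role:type[:level]; the type is the third field.
    for key in ('scontext', 'tcontext'):
        if key in fields:
            fields[key + '_type'] = fields[key].split(':')[2]
    return fields

def expected_type(path, entries=FC_ENTRIES):
    """Return the type of the first entry matching path (fc regexes are anchored)."""
    for pattern, setype in entries:
        if re.fullmatch(pattern, path):
            return setype
    return None

def triage(line):
    """Classify an execmod denial on a file against the known file contexts."""
    avc = parse_avc(line)
    if 'execmod' not in avc['perms'] or avc.get('tclass') != 'file':
        return 'not-execmod', avc
    want = expected_type(avc.get('path', ''))
    if want is None:
        return 'no-fc-entry', avc         # no policy entry: look at the library build
    if avc['tcontext_type'] != want:
        return 'relabel-to-' + want, avc  # on-disk label differs from the policy entry
    return 'labelled-as-policy', avc
```

For the reported denial, `triage(SAMPLE_AVC)` reports that the file is still `lib_t` while the entry from Comment 4 expects `textrel_shlib_t`, which is the state the `chcon` workaround in Comment 1 corrects.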

Comment 5 Daniel Walsh 2008-11-17 22:02:59 UTC
Closing all bugs that have been in modified for over a month.  Please reopen if the bug is not actually fixed.

