Bug 469992 - SELinux is preventing totem from loading /usr/lib/sse2/libavcodec.so.51.71.0
SELinux is preventing totem from loading /usr/lib/sse2/libavcodec.so.51.71.0
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
10
All Linux
high Severity medium
: ---
: ---
Assigned To: Daniel Walsh
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2008-11-04 23:02 EST by Ralf Corsepius
Modified: 2008-12-02 11:00 EST (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-12-02 11:00:57 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
full sealert (3.09 KB, text/plain)
2008-11-04 23:02 EST, Ralf Corsepius
no flags Details
avc denial on loading the codec w/ selinux-policy-3.5.13-19 (3.03 KB, text/plain)
2008-11-09 15:11 EST, Jakub Hrozek
no flags Details

  None (edit)
Description Ralf Corsepius 2008-11-04 23:02:02 EST
Created attachment 322522 [details]
full sealert

Description of problem:

Current selinux policies prevent rpmfusion's ffmpeg based totem-plugins from being functional.

For details c.f. 
http://lists.rpmfusion.org/pipermail/rpmfusion-developers/2008-November/002102.html

The cause seems to be ffmpeg having started to ship sse2 variants of its libraries.

Version-Release number of selected component (if applicable):
selinux-policy-3.5.13-11.fc10.noarch

How reproducible:
Always.

Steps to Reproduce:
1. On an i386-rawhide system, launch totem on a file requiring a totem plugin requiring ffmpeg
  
Actual results:
If launching totem via nautilus, packagekit is being launched, producing bogus results, searching for invalid plugins, triggering selinux-alerts.

Expected results:
function.

Additional info:
* Discussions on rpmfusion-devel list seem to indicate that the ffmpeg related exceptions to /usr/lib[64]/libav* need to be extended to /usr/lib/sse2/libav* on i386 platforms.
* Setting priority to high, because I would expect this bug to severely impact the user-experience with FC10.
Comment 1 Hans de Goede 2008-11-05 03:30:02 EST
Note that there is another problem with the latest ffmpeg and SELinux, ffmpeg has grown a new lib /usr/lib/libavfilter.so.*, which needs textrel too, so what needs to be added is:

1) textrel_shlib_t for /usr/lib/libavfilter.so.*
2) change all /usr/lib/libav*.so.* special rules to also cover /usr/lib/sse2/libav*.so.*
Comment 3 Daniel Walsh 2008-11-05 11:28:20 EST
Fixed in selinux-policy-3.5.13-15.fc10
Comment 4 Jakub Hrozek 2008-11-09 15:11:16 EST
Created attachment 323024 [details]
avc denial on loading the codec w/ selinux-policy-3.5.13-19
Comment 5 Jakub Hrozek 2008-11-09 15:13:45 EST
D'oh I submitted the full denial report before the problem description, sorry.

The thing is, that I still get AVCs related to ffmpeg codecs even with selinux-policy-3.5.13-19 grabbed from Koji, the one attached is related to /usr/lib/sse2/libx264.so.61

Moving the bug back to ASSIGNED as this is not fixed completely yet.
Comment 6 Hans de Goede 2008-11-10 03:24:25 EST
(In reply to comment #5)
> D'oh I submitted the full denial report before the problem description, sorry.
> 
> The thing is, that I still get AVCs related to ffmpeg codecs even with
> selinux-policy-3.5.13-19 grabbed from Koji, the one attached is related to
> /usr/lib/sse2/libx264.so.61
> 
> Moving the bug back to ASSIGNED as this is not fixed completely yet.

Thats a different and new issue for which a new bug has been filed, see bug
470682.

Moving back to modified.
Comment 7 Bug Zapper 2008-11-25 23:47:51 EST
This bug appears to have been reported against 'rawhide' during the Fedora 10 development cycle.
Changing version to '10'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 8 William Lovaton 2008-12-01 18:18:21 EST
As commented in RPM Fusion bugzilla:
https://bugzilla.rpmfusion.org/show_bug.cgi?id=131#c7

/usr/lib/sse2/libpostproc.so.51.2.0 is causing the same SELinux alerts.

Note You need to log in before you can comment on or make changes to this bug.