SELinux is preventing /usr/libexec/totem-plugin-viewer from using the 'execstack' accesses on a process. ***** Plugin allow_execstack (53.1 confidence) suggests ******************** If you do not think /usr/libexec/totem-plugin-viewer should need to map stack memory that is both writable and executable. Then you need to report a bug. This is a potentially dangerous access. Do contact your security administrator and report this issue. ***** Plugin catchall_boolean (42.6 confidence) suggests ******************* If you want to allow unconfined executables to make their stack executable. This should never, ever be necessary. Probably indicates a badly coded executable, but could indicate an attack. This executable should be reported in bugzilla Then you must tell SELinux about this by enabling the 'allow_execstack' boolean. Do setsebool -P allow_execstack 1 ***** Plugin catchall (5.76 confidence) suggests *************************** If you believe that totem-plugin-viewer should be allowed execstack access on processes labeled unconfined_t by default. Then you should report this as a bug. You can generate a local policy module to allow this access. Do allow this access for now by executing: # grep /usr/libexec/totem-plugin-viewer /var/log/audit/audit.log | audit2allow -M mypol # semodule -i mypol.pp Additional Information: Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1 023 Target Objects Unknown [ process ] Source queue20:src Source Path /usr/libexec/totem-plugin-viewer Port <不明> Host (removed) Source RPM Packages totem-mozplugin-2.32.0-1.fc14 Target RPM Packages Policy RPM selinux-policy-3.9.7-18.fc14 Selinux Enabled True Policy Type targeted Enforcing Mode Enforcing Host Name (removed) Platform Linux fedora14sun 2.6.35.10-74.fc14.i686 #1 SMP Thu Dec 23 16:17:40 UTC 2010 i686 i686 Alert Count 2 First Seen 西元2010年12月28日 (週二) 21時38分40秒 Last Seen 西元2010年12月28日 (週二) 21時38分40秒 Local ID 2e053207-cd66-455d-acd7-77d33a65ae1b Raw Audit Messages type=AVC msg=audit(1293543520.514:20412): avc: denied { execstack } for pid=2870 comm="queue20:src" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process queue20:src,unconfined_t,unconfined_t,process,execstack type=SYSCALL msg=audit(1293543520.514:20412): arch=i386 syscall=mprotect success=no exit=EACCES a0=bf8c6000 a1=1000 a2=1000007 a3=affd0adc items=0 ppid=1 pid=2870 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm=queue20:src exe=/usr/libexec/totem-plugin-viewer subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) queue20:src,unconfined_t,unconfined_t,process,execstack #============= unconfined_t ============== #!!!! This avc can be allowed using the boolean 'allow_execstack' allow unconfined_t self:process execstack;
*** Bug 666180 has been marked as a duplicate of this bug. ***
Got same error from: totem-plugin-viewer totem-video-thumbnailer totem-audio-preview totem and finally ffplay which gave a clue: [test@localhost ~]$ ffplay title.wma ffplay: error while loading shared libraries: libxvidcore.so.4: cannot enable executable stack as shared object requires: Permission denied /var/log/yum.log says: Dec 28 18:18:36 Updated: xvidcore-1.2.2-1.fc14.i686 so it looks pretty clear where to look. At least in my case.
(In reply to comment #2) > [test@localhost ~]$ ffplay title.wma > ffplay: error while loading shared libraries: libxvidcore.so.4: cannot enable > executable stack as shared object requires: Permission denied > > /var/log/yum.log says: > Dec 28 18:18:36 Updated: xvidcore-1.2.2-1.fc14.i686 > > so it looks pretty clear where to look. At least in my case. As a workaround I have successfully tried out to clear the execstack flag of the libxvidcore.so.4.2 library belonging to xvidcore-1.2.2-1.fc14.i686: execstack -c /usr/lib/libxvidcore.so.4.2 This has apparently solved the problem for me. Bug is also reported to https://bugzilla.rpmfusion.org/show_bug.cgi?id=1560
I have the same problem. There are booleans in selinux policy which solve executable stack problems for mplayer and nsplugin, the similar approach might be used for totem.
This problem has been known for months: http://www.spinics.net/lists/fedora-selinux/msg05899.html
(In reply to comment #4) > I have the same problem. There are booleans in selinux policy which solve > executable stack problems for mplayer and nsplugin, the similar approach might > be used for totem. Václave, what is your problem with totem? You mean ffplay: error while loading shared libraries: libxvidcore.so.4: cannot enable executable stack as shared object requires: Permission denied If so, this library should be labeled as textrel_shlib_t which should resolve your issue # matchpathcon /usr/lib/libxvidcore.so.4.2 /usr/lib/libxvidcore.so.4.2 system_u:object_r:textrel_shlib_t:s0