Re: gstreamer plugin problem
- From: Paul Howarth <paul city-fan org>
- To: fedora-selinux-list redhat com
- Subject: Re: gstreamer plugin problem
- Date: Wed, 05 Apr 2006 07:58:10 +0100
On Tue, 2006-04-04 at 17:44 -0400, Louis E Garcia II wrote:
> pitfdll is a gstreamer plugin that loads win32 binary codecs.
> Which works if selinux=0.
>
> $ ls -Z /usr/lib/gstreamer-0.10/libpitfdll.so
> -rwxr-xr-x root root system_u:object_r:lib_t libpitfdll.so
>
> ls -Z -d /usr/lib/win32
> drwxr-xr-x root root system_u:object_r:lib_t /usr/lib/win32
>
> Under selinux it can't. I get this error:
>
> type=AVC msg=audit(1144183154.042:117): avc: denied { execmod } for
> pid=2360 comm="totem" name="libpitfdll.so" dev=hda3 ino=815199
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=system_u:object_r:lib_t:s0 tclass=file
>
> I put this through audit2allow:
> allow unconfined_t lib_t:file execmod;
>
> I don't want to have all unconfined_t access to lib_t, just
> libpitfdll.so.
>
> How can I only allow libpitfdll.so access to lib_t?

Change it from lib_t to textrel_shlib_t.

This is discussed in the FC5 SELinux FAQ at:
http://fedora.redhat.com/docs/selinux-faq-fc5/
(I have a process running as unconfined_t, and SELinux is still
preventing my application from running)

Unfortunately there is a typo in the FAQ and it tells you to use
testrel_shlib_t instead of textrel_shlib_t.
Paul.
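
The exchange above, as an added example that is not part of the original thread: a small shell check that reads an AVC record, confirms it is the execmod-on-lib_t case discussed here, and prints the single-file relabel rather than the broad audit2allow rule. The function names are hypothetical; the record and the library path are the ones quoted in the post.

```sh
#!/bin/sh
# Added example: check an AVC denial against the case in this thread and print
# the single-file relabel instead of the broad audit2allow rule.

# The AVC record quoted in the post, joined onto one line.
SAMPLE_AVC='type=AVC msg=audit(1144183154.042:117): avc: denied { execmod } for pid=2360 comm="totem" name="libpitfdll.so" dev=hda3 ino=815199 scontext=user_u:system_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file'

# avc_field LINE KEY: print the value of KEY=value, quotes stripped.
avc_field() {
    printf ' %s\n' "$1" |
        sed -n "s/.* $2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: print the denied permissions listed between the braces.
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ \(.*\) }.*/\1/p'
}

# suggest_fix LINE PATH: if LINE is an execmod denial on a lib_t file and
# PATH names that file, print the relabel command; otherwise return 1.
suggest_fix() {
    line=$1
    path=$2
    case " $(avc_perms "$line") " in
        *" execmod "*) ;;
        *) return 1 ;;
    esac
    [ "$(avc_field "$line" tclass)" = file ] || return 1
    [ "$(avc_field "$line" tcontext | cut -d: -f3)" = lib_t ] || return 1
    # The record carries only the file name, so PATH must match it.
    [ "$(basename "$path")" = "$(avc_field "$line" name)" ] || return 1
    printf 'chcon -t textrel_shlib_t %s\n' "$path"
}

# Prints the command for review; nothing is relabeled by this script.
suggest_fix "$SAMPLE_AVC" /usr/lib/gstreamer-0.10/libpitfdll.so
```

A label set with chcon does not survive a filesystem relabel unless a matching file-context rule is added.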