Error running ffmpeg due to permission denied on library

Robert Foster rfoster at mountainvisions.com.au
Thu Apr 27 09:58:03 UTC 2006 

Hi Paul,
Thanks for your help, but no luck so far :(
# getsebool allow_execstack
allow_execstack --> on

- As expected.

# eu-readelf -l /usr/lib/libavcodec.so.51
Program Headers:
  Type           Offset   VirtAddr   PhysAddr   FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x00000000 0x00000000 0x32dabc 0x32dabc R E 0x1000
  LOAD           0x32e000 0x0032e000 0x0032e000 0x00a390 0x0e0a90 RW  0x1000
  DYNAMIC        0x32e098 0x0032e098 0x0032e098 0x000138 0x000138 RW  0x4
  GNU_EH_FRAME   0x312588 0x00312588 0x00312588 0x00511c 0x00511c R   0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x000000 0x000000 RWE 0x4
<------ Bummer :(

 Section to Segment mapping:
  Segment Sections...
   00      [RO: .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn
.rel.plt .init .plt .text .fini .rodata .eh_frame_hdr .eh_frame]
   01      .ctors .dtors .jcr .data.rel.ro .dynamic .got .got.plt .data .bss
   02      .dynamic
   03      [RO: .eh_frame_hdr]
   04

Bummer. I guess I'll have to contact the livna repository maintainer and see
what can be done about this.

Thanks again for your help.


Robert Foster 

-----Original Message-----
From: Paul Howarth [mailto:paul at city-fan.org] 
Sent: Thursday, 27 April 2006 5:35 PM
To: Robert Foster
Cc: fedora-selinux-list at redhat.com
Subject: Re: Error running ffmpeg due to permission denied on library

On Thu, 2006-04-27 at 12:41 +1000, Robert Foster wrote:
> Hi,
> I'm trying to get ffmpeg working for Gallery2 on FC5, and getting the 
> following error (from the debug message via Gallery):
>  
> Executing: ( "/usr/bin/ffmpeg"  "-h" )
> 2>/MV/webs/Repository/gallery/tmp/g2dbgitTQYC
> file_exists(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> filesize(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> fopen(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC, r, 0) feof(Resource 
> id #108) fgets(Resource id #108, 4096) feof(Resource id #108) 
> fgets(Resource id #108, 4096) feof(Resource id #108) fclose(Resource 
> id #108)
> unlink(/MV/webs/Repository/gallery/tmp/g2dbgitTQYC)
> Regular Output:
> Error Output:
> /usr/bin/ffmpeg: error while loading shared libraries: libavcodec.so.51:
> cannot enable executable stack as shared object requires: Permission 
> denied
> Status: 127 (expected 0)
> A quick look in /usr/lib reveals:
>  
> -rwxr-xr-x  root     root
> system_u:object_r:textrel_shlib_t /usr/lib/libavcodec-CVS.so
> lrwxrwxrwx  root     root
> system_u:object_r:lib_t          /usr/lib/libavcodec.so ->
> libavcodec-CVS.so
> lrwxrwxrwx  root     root
> system_u:object_r:lib_t          /usr/lib/libavcodec.so.51 ->
> libavcodec-CVS.so
> 
>  
> /var/log/audit/audit.log shows:
>  
> type=SYSCALL msg=audit(1146010953.133:45163): arch=40000003
> syscall=125 success=no exit=-13 a0=bfc5b000 a1=1000 a2=1000007 
> a3=fffff000 items=0 pid=25005 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.141:45164): avc:  denied  { execstack } 
> for  pid=25007 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process 
> type=SYSCALL msg=audit(1146010953.141:45164): arch=40000003
> syscall=125 success=no exit=-13 a0=bf9e8000 a1=1000 a2=1000007 
> a3=fffff000 items=0 pid=25007 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.213:45165): avc:  denied  { execstack } 
> for  pid=25009 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process 
> type=SYSCALL msg=audit(1146010953.213:45165): arch=40000003
> syscall=125 success=no exit=-13 a0=bfbe6000 a1=1000 a2=1000007 
> a3=fffff000 items=0 pid=25009 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> type=AVC msg=audit(1146010953.221:45166): avc:  denied  { execstack } 
> for  pid=25011 comm="ffmpeg"
> scontext=user_u:system_r:httpd_sys_script_t:s0
> tcontext=user_u:system_r:httpd_sys_script_t:s0 tclass=process 
> type=SYSCALL msg=audit(1146010953.221:45166): arch=40000003
> syscall=125 success=no exit=-13 a0=bf89b000 a1=1000 a2=1000007 
> a3=fffff000 items=0 pid=25011 auid=1000 uid=48 gid=48 euid=48 suid=48
> fsuid=48 egid=48 sgid=48 fsgid=48 comm="ffmpeg" exe="/usr/bin/ffmpeg"
> 
> when I run the page producing the error output.
>  
> I tried to set the allow_execstack boolean but it didn't make any 
> difference.

Are you sure you've set the boolean?

# getsebool allow_execstack

ffmpeg is probably using a library that was not built for FC5. You should be
able to find which one it is as follows:

* List all libraries loaded. Assuming ffmpeg doesn't load any itself, the
following should work:

$ ldd /usr/bin/ffmpeg | sed -e 's,[^/]*\(/[^ ]*\).*,\1,'

For each of the listed libraries, do:

$ eu-readelf -l /path/to/library

There must be a GNU_STACK line.  If this is missing or the permissions
(second to last field) is RWX instead of RW you found the culprit.

Paul.

More information about the fedora-selinux-list mailing list