[PlanetCCRMA] SElinux message libffado

Martin Tarenskeen m.tarenskeen at zonnet.nl
Thu Feb 25 23:29:16 PST 2010


I have never really understood how SELinux works, so I just trust the default 
settings of my distro.

When I start qjackctl I get this SELinux warning report. I don't 
know what the right place is to report such things, so I am just posting it here:


SELinux is preventing /usr/bin/jackd from loading 
which requires text relocation.

Gedetailleerde omschrijving:

The jackd application attempted to load /usr/lib/libffado.so.2.0.0 which
requires text relocation. This is a potential security problem. Most 
do not need this permission. Libraries are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how 
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/libffado.so.2.0.0 to use relocation as a workaround, until the 
is fixed. Please file a bug report.

Teogang toestaan:

If you trust /usr/lib/libffado.so.2.0.0 to run correctly, you can change 
file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/libffado.so.2.0.0'" You must also change the default file 
files on the system in order to preserve them even on a full relabel. 
fcontext -a -t textrel_shlib_t '/usr/lib/libffado.so.2.0.0'"

Commando repareren:

chcon -t textrel_shlib_t '/usr/lib/libffado.so.2.0.0'

Additionele informatie:

Bron context 
Doel context                  system_u:object_r:lib_t:s0
Doel objecten                 /usr/lib/libffado.so.2.0.0 [ file ]
Bron                          jackd
Bron pad                      /usr/bin/jackd
Poort                         <Onbekend>
Host                          D600
Bron RPM pakketten            jack-audio-connection-kit-1.9.4-1.fc12.ccrma
Doel RPM pakketten            libffado-2.0.0-1.fc12.ccrma
Gedragslijn RPM               selinux-policy-3.6.32-89.fc12
SELinux aangezet              True
Gedragslijn type              targeted
Enforcing modus               Enforcing
Pluginnaam                    allow_execmod
Hostnaam                      D600
Platform                      Linux D600
                               #1 SMP PREEMPT RT Thu Jan 21 22:42:06 EST 
                               i686 i686
Aantal waarschuwingen         4
Eerst gezien op               vr 26 feb 2010 08:18:36 CET
Laatst gezien op              vr 26 feb 2010 08:22:30 CET
Locale ID                     d56672c7-2e24-40ee-8a07-8587265498a1

Onbewerkte audit boodschappen

node=D600 type=AVC msg=audit(1267168950.363:25727): avc:  denied  { 
execmod } for  pid=13968 comm="jackd" path="/usr/lib/libffado.so.2.0.0" 
dev=dm-0 ino=67591 
tcontext=system_u:object_r:lib_t:s0 tclass=file

node=D600 type=SYSCALL msg=audit(1267168950.363:25727): arch=40000003 
syscall=125 success=no exit=-13 a0=b76ad000 a1=170000 a2=5 a3=bfad88e0 
items=0 ppid=13241 pid=13968 auid=500 uid=500 gid=500 euid=500 suid=500 
fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="jackd" 
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
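
The two raw audit records at the end of the report can be joined on their shared event id and decoded to show what jackd was doing when the denial fired. The Python below is an added example, not part of the original post or of any SELinux tool; its lookup tables are a minimal assumption covering only this report (arch 40000003 is i386, where syscall 125 is mprotect).

```python
import errno
import re

# Raw audit records from the message above, with the archive's line wrapping
# removed. Nothing is added: fields missing from the post stay missing.
RECORDS = [
    'node=D600 type=AVC msg=audit(1267168950.363:25727): avc:  denied  { execmod } '
    'for  pid=13968 comm="jackd" path="/usr/lib/libffado.so.2.0.0" dev=dm-0 '
    'ino=67591 tcontext=system_u:object_r:lib_t:s0 tclass=file',
    'node=D600 type=SYSCALL msg=audit(1267168950.363:25727): arch=40000003 '
    'syscall=125 success=no exit=-13 a0=b76ad000 a1=170000 a2=5 a3=bfad88e0 '
    'items=0 ppid=13241 pid=13968 auid=500 uid=500 gid=500 euid=500 suid=500 '
    'fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="jackd" '
    'subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)',
]

# Assumption: minimal tables for this one report, not full per-arch tables.
ARCH = {0x40000003: "i386"}
SYSCALLS = {("i386", 125): "mprotect"}
PROT = [(0x1, "PROT_READ"), (0x2, "PROT_WRITE"), (0x4, "PROT_EXEC")]

def parse(line):
    """Split one audit record into (event_id, fields); AVC perms go in 'perms'."""
    event_id = re.search(r"msg=audit\(([\d.]+:\d+)\)", line).group(1)
    fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    perms = re.search(r"denied\s+\{([^}]*)\}", line)
    if perms:
        fields["perms"] = perms.group(1).split()
    return event_id, fields

def explain(records):
    """Join AVC and SYSCALL records of the same event and decode the syscall."""
    events = {}
    for line in records:
        event_id, fields = parse(line)
        events.setdefault(event_id, {})[fields["type"]] = fields
    out = []
    for event_id, ev in events.items():
        avc, sc = ev.get("AVC"), ev.get("SYSCALL")
        if not (avc and sc):
            continue  # both halves are needed to explain a denial
        arch = ARCH.get(int(sc["arch"], 16), "unknown")
        name = SYSCALLS.get((arch, int(sc["syscall"])), "syscall " + sc["syscall"])
        prot = int(sc["a2"], 16)  # audit logs syscall arguments in hex
        flags = [n for bit, n in PROT if prot & bit] if name == "mprotect" else []
        out.append({"event": event_id, "perms": avc["perms"], "path": avc["path"],
                    "syscall": name, "prot": flags, "length": int(sc["a1"], 16),
                    "errno": errno.errorcode[-int(sc["exit"])]})
    return out
```

For this report, `explain(RECORDS)` yields a single event: an mprotect of a 0x170000-byte region to PROT_READ|PROT_EXEC that failed with EACCES, paired with the execmod denial on /usr/lib/libffado.so.2.0.0.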


