Firefly and SELinux

  • #1224
    julienv
    Participant

    Hi,

    I am not sure this is the best place to ask this, but I couldn’t find anything elsewhere, and I thought some of you already run SELinux on your systems…

    I have just set up SELinux, everything runs smoothly except Firefl^Wmt-daapd (I run Debian), here is the audit log when starting mt-daapd:


    audit(1175533647.759:45): avc: denied { execstack } for pid=1390 comm="mt-daapd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
    audit(1175533647.795:46): avc: denied { execmem } for pid=1390 comm="mt-daapd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
    audit(1175533647.907:47): avc: denied { execmod } for pid=1390 comm="mt-daapd" name="libavcodec.so.0d.51.11.0" dev=dm-1 ino=48216 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

    Here is the context:


    # ps -efZ | grep [mt]-daapd
    user_u:system_r:initrc_t:s0 mt-daapd 1391 1 0 19:07 pts/0 00:00:00 /usr/sbin/mt-daapd
    user_u:system_r:initrc_t:s0 mt-daapd 1393 1 0 19:07 pts/0 00:00:02 /usr/sbin/mt-daapd

    Note that I run targeted policy.

    It doesn’t prevent mt-daapd from starting and running with my current needs, which could change in the near future.

    Do you have any tips on this?

    Cheers,
    Julien

    #9770
    rpedde
    Participant

    @julienv wrote:


    audit(1175533647.759:45): avc: denied { execstack } for pid=1390 comm="mt-daapd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
    audit(1175533647.795:46): avc: denied { execmem } for pid=1390 comm="mt-daapd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
    audit(1175533647.907:47): avc: denied { execmod } for pid=1390 comm="mt-daapd" name="libavcodec.so.0d.51.11.0" dev=dm-1 ino=48216 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

    Looks like it’s balking at loading the ffmpeg stuff, which will only affect you if you are transcoding ogg or flac or something.

    As far as how to fix it, I can’t address that. I haven’t actually *run* selinux. Sorry. 🙁

    #9771
    julienv
    Participant

    Hi,

    Thanks for your answer.

    It should be something like that, as I can’t see any issue with the features I use.

    I will study SELinux more in depth and might be interested in writing a module for mt-daapd, which I will share here of course.
    If someone knows more about this, please contact me.

    #9772
    julienv
    Participant

    Ok, I have finally managed to understand better.

    Here are the steps to make mt-daapd work with SELinux enforced (yes, I forgot to mention that I ran in permissive mode earlier, which explains why everything seemed to work!):


    # setsebool -P allow_execmod=1
    # execstack -c $(locate libFLAC.so.7)
    # execstack -c $(locate libavcodec.so.0d)

    In the first line, you turn on execmod; in the 2 lines after, you disable the execstack from shared libraries.

    More info:

    #9773
    rpedde
    Participant

    @julienv wrote:

    Ok, I have finally managed to understand better.

    Here are the steps to make mt-daapd work with SELinux enforced (yes, I forgot to mention that I ran in permissive mode earlier, which explains why everything seemed to work!):


    # setsebool -P allow_execmod=1
    # execstack -c $(locate libFLAC.so.7)
    # execstack -c $(locate libavcodec.so.0d)

    In the first line, you turn on execmod; in the 2 lines after, you disable the execstack from shared libraries.

    More info:

    Nice. I’m going to sticky this until I can put it on the wiki. Thanks.
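
As an added example (not part of the original thread or of the mt-daapd project), this Python script parses the three AVC denials quoted in the first post and labels which memory-protection check each one tripped. The function names and the one-line permission descriptions are this example's own.

```python
import re
from collections import defaultdict

# The three audit lines quoted in the first post of this thread.
SAMPLE = """\
audit(1175533647.759:45): avc: denied { execstack } for pid=1390 comm="mt-daapd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
audit(1175533647.795:46): avc: denied { execmem } for pid=1390 comm="mt-daapd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
audit(1175533647.907:47): avc: denied { execmod } for pid=1390 comm="mt-daapd" name="libavcodec.so.0d.51.11.0" dev=dm-1 ino=48216 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
"""

AVC_RE = re.compile(r"audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
                    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

# What SELinux is objecting to for each memory-protection permission.
MEMPROT = {
    "execstack": "the process stack would become executable",
    "execmem": "anonymous memory would be both writable and executable",
    "execmod": "a modified file mapping (text relocation) would become executable",
}

def parse_avc(line):
    """Return one AVC denial as a dict, or None if the line is not a denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group("rest"))}
    rec["serial"] = int(m.group("serial"))
    rec["perms"] = m.group("perms").split()
    # A context is user:role:type[:level]; the type is what policy rules match on.
    rec["domain"] = rec["scontext"].split(":")[2]
    rec["target_type"] = rec["tcontext"].split(":")[2]
    return rec

def summarize(text):
    """Group memory-protection denials by (command, source domain)."""
    found = defaultdict(list)
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            if perm in MEMPROT:
                found[(rec["comm"], rec["domain"])].append(
                    (perm, rec["tclass"], rec.get("name")))
    return dict(found)

if __name__ == "__main__":
    for (comm, domain), hits in summarize(SAMPLE).items():
        print(f"{comm} running in domain {domain}:")
        for perm, tclass, name in hits:
            print(f"  {perm:<9} on {tclass} {name or '(the process itself)'}: {MEMPROT[perm]}")
```

All three denials come from the source domain initrc_t, the same context shown in the `ps -efZ` output in the first post, and only the execmod denial names a file.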
