You are here: Home » Topic » Firefly and SELinux

Firefly and SELinux

This topic contains 4 replies, has 2 voices, and was last updated by  rpedde 10 years, 6 months ago.

Viewing 5 posts - 1 through 5 (of 5 total)
  • Author
    Posts
  • #1224

    julienv
    Participant

    Hi,

    I am not sure this is the best place to ask this, but I couldn’t find anything elsewhere, and I thought some of you already run SELinux on their system…

    I have just set up SELinux, everything runs smoothly except Firefl^Wmt-daapd (I run Debian), here is the audit log when starting mt-daapd:


    audit(1175533647.759:45): avc: denied { execstack } for pid=1390 comm="mt-daapd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
    audit(1175533647.795:46): avc: denied { execmem } for pid=1390 comm="mt-daapd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
    audit(1175533647.907:47): avc: denied { execmod } for pid=1390 comm="mt-daapd" name="libavcodec.so.0d.51.11.0" dev=dm-1 ino=48216 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

    Here is the context:


    # ps -efZ | grep [mt]-daapd
    user_u:system_r:initrc_t:s0 mt-daapd 1391 1 0 19:07 pts/0 00:00:00 /usr/sbin/mt-daapd
    user_u:system_r:initrc_t:s0 mt-daapd 1393 1 0 19:07 pts/0 00:00:02 /usr/sbin/mt-daapd

    Note that I run targeted policy.

    It doesn’t prevent mt-daapd to start and run with my current needs, which could change in the near future.

    Do you have any tips on this?

    Cheers,
    Julien

    #9770

    rpedde
    Participant

    @julienv wrote:


    audit(1175533647.759:45): avc: denied { execstack } for pid=1390 comm="mt-daapd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
    audit(1175533647.795:46): avc: denied { execmem } for pid=1390 comm="mt-daapd" scontext=user_u:system_r:initrc_t:s0 tcontext=user_u:system_r:initrc_t:s0 tclass=process
    audit(1175533647.907:47): avc: denied { execmod } for pid=1390 comm="mt-daapd" name="libavcodec.so.0d.51.11.0" dev=dm-1 ino=48216 scontext=user_u:system_r:initrc_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file

    Looks like it’s balking at loading the ffmpeg stuff, which will only affect you if you are transcoding ogg or flac or something.

    As far as how to fix it, I can’t address that. I haven’t actually *run* selinux. Sorry. šŸ™

    #9771

    julienv
    Participant

    Hi,

    Thanks for your answer.

    It should be something like that, as I can’t see any issue with the features I use.

    I will study SELinux more in depth and might be interested in writing a module for mt-daapd, which I will share here of course.
    If someone knows more about this, please contact me

    #9772

    julienv
    Participant

    Ok, I have finally managed to understand better.

    Here are the steps to make mt-daapd work with SELinux enforced (yes, I forgot to mention that I ran in permissive mode earlier, which explains why everything seemed to work!):


    # setsebool -P allow_execmod=1
    # execstack -c $(locate libFLAC.so.7)
    # execstack -c $(locate libavcodec.so.0d)

    In the first line, you turn on execmod; in the 2 lines after, you disable the execstack from shared librairies.

    More info:

    #9773

    rpedde
    Participant

    @julienv wrote:

    Ok, I have finally managed to understand better.

    Here are the steps to make mt-daapd work with SELinux enforced (yes, I forgot to mention that I ran in permissive mode earlier, which explains why everything seemed to work!):


    # setsebool -P allow_execmod=1
    # execstack -c $(locate libFLAC.so.7)
    # execstack -c $(locate libavcodec.so.0d)

    In the first line, you turn on execmod; in the 2 lines after, you disable the execstack from shared librairies.

    More info:

    Nice. I’m going to sticky this until I can put it on the wiki. Thanks.

Viewing 5 posts - 1 through 5 (of 5 total)

You must be logged in to reply to this topic.