I am *this* close to disabling selinux!

[david at thekramers.net (David Kramer)]

Kristian Hermansen wrote:
> On 4/28/07, David Kramer <david at thekramers.net> wrote:
>> Can someone explain to me what that error means, and how I can get
>> around it?  Meta-answers about how to figure out what to do about
>> selinux errors in general are welcome (as is sympathy).
> 
> OK.  So what appears to be happening is that your ffmpeg process is
> actually appearing to become corrupted.  However, all that is really
> happening is that the segment 'prot' is being remapped internally.
> This looks like a malicious library injection to SELINUX.  That makes
> sense.  So, you just need to manually allow this library to be
> remapped within your ffmpeg process.  Check out chcon...

> Specifically you might want to try this:
> chcon -t texrel_shlib_t libswscale.so


1) Thank you.  That worked.

2) Will that survive a reboot?  Did it change the default policy, or
just the running policy?

3) How would one find this information?

OK, in part answering (3), I had a feeling that there was more to
setroubleshoot.  I did:
rpm -ql setroubleshoot | grep bin
(my favorite techniques for finding commands in a package)

There's a command "sealert" which didn't seem to do much, until I found
the "-b" parameter.  That launched a very helpful setroubleshoot logfile
browser that gave detailed explanations of each entry, how to modify the
policy that created the rule, and even suggested which ones you probably
didn't want to change,  Nice.

So yes, there's this pretty good tool if you stumble upon it, but how
can you have a tool that's so invasive without accessible documentation?



-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.