I am *this* close to disabling selinux!

[me at mattgillen.net (Matthew Gillen)]

David Kramer wrote:
> Kristian Hermansen wrote:
>> On 4/28/07, David Kramer <david at thekramers.net> wrote:
>>> Can someone explain to me what that error means, and how I can get
>>> around it?  Meta-answers about how to figure out what to do about
>>> selinux errors in general are welcome (as is sympathy).
>> OK.  So what appears to be happening is that your ffmpeg process is
>> actually appearing to become corrupted.  However, all that is really
>> happening is that the segment 'prot' is being remapped internally.
>> This looks like a malicious library injection to SELINUX.  That makes
>> sense.  So, you just need to manually allow this library to be
>> remapped within your ffmpeg process.  Check out chcon...
> 
>> Specifically you might want to try this:
>> chcon -t texrel_shlib_t libswscale.so
> 
> 
> 1) Thank you.  That worked.
> 
> 2) Will that survive a reboot?

Yes.

> Did it change the default policy, or just the running policy?

Neither.  It set a property on the file itself (stored by the filesystem).
The texrel_shlib_t is basically a group that needs to do something that most
programs shouldn't need to do.  Video codecs are notorious for this
technique though (which is probably one of the reasons they have so many
security problems).

<snip>
> So yes, there's this pretty good tool if you stumble upon it, but how
> can you have a tool that's so invasive without accessible documentation?

That issue is sort of endemic to linux in general ;-)
Part of the answer is that it's still being developed.  You might look this
site for more info on the setroubleshoot tool:
https://hosted.fedoraproject.org/projects/setroubleshoot


-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.