#284 closed task (fixed)
selinux labelling of static codec builds
| Reported by: | Antoine Martin | Owned by: | Antoine Martin |
|---|---|---|---|
| Priority: | critical | Milestone: | 0.9 |
| Component: | packaging | Version: | trunk |
| Keywords: | Cc: |
Description
On some distros (ie: CentOS 5.x), the static codec builds will not load without:
chcon -t texrel_shlib_t lib.so /path/to/codec.so
Otherwise we get a:
cannot restore segment prot after reloc
We should be able to do this as an rpm post installation scriptlet I think.
Change History (4)
comment:1 Changed 7 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | new → closed |
comment:2 Changed 6 years ago by
| Priority: | major → critical |
|---|---|
| Resolution: | fixed |
| Status: | closed → reopened |
As per SELinux Reveals Bugs in other code: chcon won't survive a relabel!
We also need:
semanage fcontext -a -t texrel_shlib_t /path/to/codec.so
Note: texrel_shlib_t is an alias for textrel_shlib_t, I believe it is safer to use the former with older distros like centos5.
comment:3 Changed 6 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | reopened → closed |
Applied semanage change in r7008, also needed to use textrel_shlib_t (r7009: with a t) for compatibility with newer policies, and added dependency on policycoreutils-python (policycoreutils for centos5 in r7010). Backport for all of this in r7011.
Tested with beta packages, the library label survived a system relabel.
This will be a non-issue with #613 as we will no longer use static modules.
Closing, feel free to re-open if I've missed something.
copyleft 2010 - 2020
fixed in r2902 - seems to work on
CentOS5.9