Xpra: Ticket #284: selinux labelling of static codec builds

On some distros (ie: CentOS 5.x), the static codec builds will not load without:

chcon -t texrel_shlib_t lib.so /path/to/codec.so

Otherwise we get a:

cannot restore segment prot after reloc

We should be able to do this as an rpm post installation scriptlet I think.

Thu, 07 Mar 2013 13:58:30 GMT - Antoine Martin: status changed; resolution set

status changed from new to closed
resolution set to fixed

fixed in r2902 - seems to work on CentOS 5.9

Sun, 20 Jul 2014 13:57:08 GMT - Antoine Martin: priority, status changed; resolution deleted

priority changed from major to critical
status changed from closed to reopened
resolution fixed deleted

As per SELinux Reveals Bugs in other code: chcon won't survive a relabel!

We also need:

semanage fcontext -a -t texrel_shlib_t /path/to/codec.so

Note: texrel_shlib_t is an alias for textrel_shlib_t, I believe it is safer to use the former with older distros like centos5.

Tue, 29 Jul 2014 14:44:20 GMT - Antoine Martin: status changed; resolution set

status changed from reopened to closed
resolution set to fixed

Applied semanage change in r7008, also needed to use textrel_shlib_t (r7009: with a t) for compatibility with newer policies, and added dependency on policycoreutils-python (policycoreutils for centos5 in r7010). Backport for all of this in r7011.

Tested with beta packages, the library label survived a system relabel.

This will be a non-issue with #613 as we will no longer use static modules.

Closing, feel free to re-open if I've missed something.

Tue, 24 Feb 2015 02:42:38 GMT - Antoine Martin:

Note: the ticket for the xpra selinux policy is #815.

Sat, 23 Jan 2021 04:50:34 GMT - migration script:

this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/284