On some distros (ie: CentOS 5.x), the static codec builds will not load without:
chcon -t texrel_shlib_t lib.so /path/to/codec.so
Otherwise we get a:
cannot restore segment prot after reloc
We should be able to do this as an rpm post installation scriptlet I think.
fixed in r2902 - seems to work on CentOS 5.9
As per SELinux Reveals Bugs in other code: chcon won't survive a relabel!
We also need:
semanage fcontext -a -t texrel_shlib_t /path/to/codec.so
Note: texrel_shlib_t is an alias for textrel_shlib_t, I believe it is safer to use the former with older distros like centos5.
Applied semanage change in r7008, also needed to use textrel_shlib_t (r7009: with a t) for compatibility with newer policies, and added dependency on policycoreutils-python (policycoreutils for centos5 in r7010). Backport for all of this in r7011.
Tested with beta packages, the library label survived a system relabel.
This will be a non-issue with #613 as we will no longer use static modules.
Closing, feel free to re-open if I've missed something.
Note: the ticket for the xpra selinux policy is #815.
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/284
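The persistent labelling discussed in this ticket (a semanage fcontext rule instead of a bare chcon, and the textrel/texrel spelling difference between policies), as an added example that is not xpra's actual scriptlet. The function name label_codec, the SEMANAGE/RESTORECON override variables, the fallback order and the escaping of dots in the path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: body of an rpm %post scriptlet that labels a codec library
# so that the label survives a filesystem relabel.
# SEMANAGE / RESTORECON can be overridden (hypothetical knobs, used for testing).
SEMANAGE=${SEMANAGE:-semanage}
RESTORECON=${RESTORECON:-restorecon}

# label_codec /path/to/codec.so
# Prints the type name that the policy accepted, returns 1 if none worked.
label_codec() {
    lib=$1
    # semanage treats the file spec as a regular expression: escape the dots
    # so that only this exact file name matches.
    spec=$(printf '%s\n' "$lib" | sed 's/\./\\./g')
    # Try the current spelling first, then the older alias.
    for t in textrel_shlib_t texrel_shlib_t; do
        # -a fails when the rule already exists (package upgrade): retry with -m.
        if "$SEMANAGE" fcontext -a -t "$t" "$spec" 2>/dev/null ||
           "$SEMANAGE" fcontext -m -t "$t" "$spec" 2>/dev/null; then
            # The rule only records the desired label; restorecon applies it
            # to the file now, and a later relabel re-applies it.
            "$RESTORECON" "$lib" || return 1
            echo "$t"
            return 0
        fi
    done
    return 1
}

# In the scriptlet itself (the path is a placeholder, as in the ticket):
#   label_codec /path/to/codec.so >/dev/null || :
```

The trailing `|| :` keeps the package installation from failing when the label cannot be set, for instance when semanage is not available.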