[Ffmpeg-devel] Fw: Re: kino vs selinux

Andrew Morton akpm
Fri Apr 28 19:47:21 CEST 2006

kino fails to start on a standard FC5 setup due to a problem in ffmpeg
which gets trapped by SELinux.

Using kino-0.8.1-0.2.20060320.fc5 and ffmpeg-0.4.9-0.4.20060317.fc5 from

Please see below for a diagnosis, workaround and resolution suggestion from
Stephen Smalley (the SELinux maintainer).


Begin forwarded message:

Date: Fri, 28 Apr 2006 08:06:26 -0400
From: Stephen Smalley <sds at tycho.nsa.gov>
To: Andrew Morton <akpm at osdl.org>
Cc: Daniel J Walsh <dwalsh at redhat.com>, Chad Sellers <csellers at tresys.com>, James Morris <jmorris at namei.org>
Subject: Re: kino vs selinux

On Fri, 2006-04-28 at 02:11 -0700, Andrew Morton wrote:
> g'day.
> - Latest FC5
> - Get into freshrpms.net by installing
>   http://ftp.freshrpms.net/pub/freshrpms/fedora/linux/5/freshrpms-release/freshrpms-release-1.1-1.fc.noarch.rpm
> - yum install kino
> Now running kino gives:
> kino: error while loading shared libraries: /usr/lib/libavutil.so.49: cannot restore segment prot after reloc: Permission denied
> Did
> sony:/home/akpm# echo 0 > /selinux/enforce        
> sony:/home/akpm# 
> and voila.
> Who do I blame?

Blame the library, and file a bug against it noting that it requires a
text relocation and asking them to fix it.  The following information
may help them understand, drawn from a comment by Ulrich Drepper in a
similar bugzilla against another library:

"Text relocations are the result of using position dependent code in a
DSO or PIE.  See http://people.redhat.com/drepper/dsohowto.pdf for
explanations of building DSOs.

You can hopefully easily determine what is wrong by building the
binaries with debug info and then use the eu-findtextrel utility from
elfutils.  It should point you to the files which either are not
compiled with -fpic/-fPIC or which contain assembler code which is
position dependent."

To allow it to proceed in the meantime while staying enforcing, you can
# /usr/sbin/semanage fcontext -a -t textrel_shlib_t '/usr/lib/libavutil.so.[0-9]*'
# /sbin/restorecon -v /usr/lib/libavutil.so.49

This tells SELinux to label the file with a type that indicates that it
requires text relocation and then applies that label to it.
Subsequently relabels or rpm installs/updates should then preserve it
since you added it to your local file contexts via semanage.  Later you
can remove it with semanage fcontext -d if the library is fixed

Chad, Dan - can this be added to the Fedora SELinux FAQ?  I see that the
FC5 SELinux FAQ does mention the use of chcon -t textrel_shlib_t, but
that won't survive a relabel or package update, right?  And it really
needs to be in terms of the error the user will actually see (i.e. the
cannot restore segment prot after reloc message), not the SELinux denial
that they might not see unless they know to look in /var/log/messages or
audit.log (depending on whether they are running auditd).

Stephen Smalley
National Security Agency

More information about the ffmpeg-devel mailing list