writable memory segment: mplayer


writable memory segment: mplayer

by rahulsundaram

Hi


Since Fedora doesn't include this software, should an exception be added
to the SELinux policy?

"If you trust mplayer to run correctly, you can change the context of
the executable to unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t '/usr/bin/mplayer'". You must also change the
default file context files on the system in order to preserve them even
on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/bin/mplayer'"

Rahul

--
fedora-selinux-list mailing list
fedora-selinux-list@...
https://www.redhat.com/mailman/listinfo/fedora-selinux-list

Re: writable memory segment: mplayer

by Stephen Smalley

On Thu, 2008-10-09 at 13:29 +0530, Rahul Sundaram wrote:

> Hi
>
>
> Since Fedora doesn't include this software, should an exception be added
> to the SELinux policy?
>
> "If you trust mplayer to run correctly, you can change the context of
> the executable to unconfined_execmem_exec_t. "chcon -t
> unconfined_execmem_exec_t '/usr/bin/mplayer'". You must also change the
> default file context files on the system in order to preserve them even
> on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t
> '/usr/bin/mplayer'"

I'd recommend always telling the user to run the semanage command first,
and then run restorecon /usr/bin/mplayer afterward to set it on disk,
rather than having to separately specify the type via chcon.
setroubleshoot really shouldn't ever tell the user to use chcon IMHO.

--
Stephen Smalley
National Security Agency


Re: writable memory segment: mplayer

by Paul Howarth

Stephen Smalley wrote:

> On Thu, 2008-10-09 at 13:29 +0530, Rahul Sundaram wrote:
>> Hi
>>
>>
>> Since Fedora doesn't include this software, should an exception be added
>> to the SELinux policy?
>>
>> "If you trust mplayer to run correctly, you can change the context of
>> the executable to unconfined_execmem_exec_t. "chcon -t
>> unconfined_execmem_exec_t '/usr/bin/mplayer'". You must also change the
>> default file context files on the system in order to preserve them even
>> on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t
>> '/usr/bin/mplayer'"
>
> I'd recommend always telling the user to run the semanage command first,
> and then run restorecon /usr/bin/mplayer afterward to set it on disk,
> rather than having to separately specify the type via chcon.
> setroubleshoot really shouldn't ever tell the user to use chcon IMHO.

Fedora doesn't include the software, but SELinux policy already includes
contexts for it, e.g. on F-9:

# semanage fcontext -l | grep mplayer
/usr/bin/xine                   regular file   system_u:object_r:mplayer_exec_t:s0
/usr/bin/mplayer                regular file   system_u:object_r:mplayer_exec_t:s0
/usr/lib/vmware/bin/vmplayer    regular file   system_u:object_r:vmware_exec_t:s0
/usr/lib64/vmware/bin/vmplayer  regular file   system_u:object_r:vmware_exec_t:s0

So if the current policy isn't right, can't we just fix it and be done
with it rather than adding extra corner cases to setroubleshoot?

Or is it that the default policy works except when using particular
binary codecs that do weird stuff?

Paul.

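An added example, not from anyone in this thread: a small Python model of the labelling database Paul lists above and of the label drift Stephen warns about. It parses constructed `semanage fcontext -l` lines in the same column format, computes the policy default for a path (assumption: entries are anchored regexes and the last match wins, as in file_contexts), and reports files whose on-disk label differs from that default, which is exactly what a chcon-only change looks like to restorecon on the next relabel. All paths and contexts are constructed sample data.

```python
import re

# Constructed sample of `semanage fcontext -l` output (same format as the
# F-9 listing quoted above; the file-type column is free text).
SEMANAGE_OUTPUT = """\
/usr/bin/xine                   regular file   system_u:object_r:mplayer_exec_t:s0
/usr/bin/mplayer                regular file   system_u:object_r:mplayer_exec_t:s0
/usr/lib/vmware/bin/vmplayer    regular file   system_u:object_r:vmware_exec_t:s0
/usr/lib64/vmware/bin/vmplayer  regular file   system_u:object_r:vmware_exec_t:s0
"""

# Constructed on-disk labels, as `ls -Z` would show them after someone ran
# `chcon -t unconfined_execmem_exec_t /usr/bin/mplayer` without semanage.
ON_DISK = {
    "/usr/bin/mplayer": "system_u:object_r:unconfined_execmem_exec_t:s0",
    "/usr/bin/xine": "system_u:object_r:mplayer_exec_t:s0",
    "/usr/lib64/vmware/bin/vmplayer": "system_u:object_r:vmware_exec_t:s0",
}

# One listing line: <path regex> <file type words> <user:role:type:level>
LINE_RE = re.compile(r"^(\S+)\s+(.+?)\s+(\S+:\S+:\S+:\S+)$")


def parse_fcontext(text):
    """Return [(path_regex, file_type, context)] in listing order."""
    rules = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            rules.append((m.group(1), m.group(2).strip(), m.group(3)))
    return rules


def default_context(rules, path):
    """Context the database assigns to path, or None if no entry matches.
    Assumption: anchored regex match, last matching entry wins."""
    ctx = None
    for pattern, _ftype, context in rules:
        if re.fullmatch(pattern, path):
            ctx = context
    return ctx


def label_drift(rules, on_disk):
    """Paths whose on-disk label differs from the database default,
    i.e. what a relabel (restorecon) would change back."""
    drift = {}
    for path, actual in on_disk.items():
        expected = default_context(rules, path)
        if expected is not None and expected != actual:
            drift[path] = (actual, expected)
    return drift


def add_local_rule(rules, pattern, context, ftype="all files"):
    """Model `semanage fcontext -a -t <type> <pattern>`: a local rule
    appended after the policy ones, so it wins for matching paths."""
    return rules + [(pattern, ftype, context)]
```

Running `label_drift` on the sample data flags `/usr/bin/mplayer` as drifting; after `add_local_rule` records the same type the way `semanage fcontext -a` would, the drift disappears and a `restorecon` would now keep the label rather than revert it.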

Re: writable memory segment: mplayer

by rahulsundaram

Paul Howarth wrote:

> Or is it that the default policy works except when using particular
> binary codecs that do weird stuff?

I don't have any binary codecs doing "weird stuff". This is just mplayer
from Livna complaining in rawhide constantly. So looks like policy fixes
are needed.

Rahul


Re: writable memory segment: mplayer

by Daniel J Walsh

Rahul Sundaram wrote:

> Paul Howarth wrote:
>
>> Or is it that the default policy works except when using particular
>> binary codecs that do weird stuff?
>
> I don't have any binary codecs doing "weird stuff". This is just mplayer
> from Livna complaining in rawhide constantly. So looks like policy fixes
> are needed.
>
> Rahul
>
Ok I will run it as unconfined_execmem_t but you need to report a bug to
mplayer.


Re: writable memory segment: mplayer

by Daniel J Walsh

Daniel J Walsh wrote:

> Rahul Sundaram wrote:
>> Paul Howarth wrote:
>>
>>> Or is it that the default policy works except when using particular
>>> binary codecs that do weird stuff?
>> I don't have any binary codecs doing "weird stuff". This is just mplayer
>> from Livna complaining in rawhide constantly. So looks like policy fixes
>> are needed.
>>
>> Rahul
>>
> Ok I will run it as unconfined_execmem_t but you need to report a bug to
> mplayer.
>
I put out selinux-policy-3.0.8-119.fc8 last night, should be in fedora
testing soon, or you can download it from koji.  Please try this out to
see if it solves your problem.
