Bug 743

Summary: libxvidcore.so.4: cannot enable executable stack as shared object requires: Permission denied
Product: Fedora Reporter: Nicolas Mailhot <nicolas.mailhot>
Component: xvidcoreAssignee: Dominik 'Rathann' Mierzejewski <dominik>
Status: RESOLVED FIXED    
Severity: normal CC: hans, kwizart, mschmidt
Priority: P5    
Version: 11   
Hardware: All   
OS: GNU/Linux   
namespace:
Attachments: patch to make stack non-executable

Description Nicolas Mailhot 2009-08-02 13:38:00 CEST 
$ totem /dev/video0

(totem:12874): GStreamer-WARNING **: Failed to load plugin '/usr/lib64/gstreamer-0.10/libgstpostproc.so': libxvidcore.so.4: cannot enable executable stack as shared object requires: Permission denied

SELinux is preventing totem from making the program stack executable. Description détailléeThe totem application attempted to make its stack executable. This is a potential security problem. This should never ever be necessary. Stack memory is not executable on most OSes these days and this will not change. Executable stack memory is one of the biggest security problems. An execstack error might in fact be most likely raised by malicious code. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. If totem does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report against this package. 

Sometimes a library is accidentally marked with the execstack flag, if you find a library with this flag you can clear it with the execstack -c LIBRARY_PATH. Then retry your application. If the app continues to not work, you can turn the flag back on with execstack -s LIBRARY_PATH. Otherwise, if you trust totem to run correctly, you can change the context of the executable to execmem_exec_t. "chcon -t execmem_exec_t '/usr/bin/totem'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t execmem_exec_t '/usr/bin/totem'" 

Commande de correction
chcon -t execmem_exec_t '/usr/bin/totem'

Informations complémentaires
Contexte source:  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Contexte cible:  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Objets du contexte:  None [ process ]
source:  
Chemin de la source:  
Port:  <Inconnu>
Hôte:  
Paquetages RPM source:  totem-2.27.2-2.fc12
Paquetages RPM cible:  
Politique RPM:  selinux-policy-3.6.26-2.fc12
Selinux activé:  True
Type de politique:  targeted
MLS activé:  True
Mode strict:  Enforcing
Nom du plugin:  allow_execstack
Nom de l'hôte:  
Plateforme:  Linux  2.6.31-0.117.rc5.kbz13551.fc12.x86_64 #1 SMP Sat Aug 1 07:04:15 EDT 2009 x86_64 x86_64
Compteur d'alertes:  66
Première alerte:  ven. 31 juil. 2009 21:25:38 CEST
Dernière alerte:  dim. 02 août 2009 13:26:19 CEST
ID local:  c2b055ba-3a9b-43b1-8bfa-13a3106e92e0
Numéros des lignes:  

Messages d'audit bruts :

node= type=AVC msg=audit(1249212379.334:35195): avc: denied { execstack } for pid=12874 comm="totem" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
node= type=SYSCALL msg=audit(1249212379.334:35195): arch=c000003e syscall=10 success=no exit=-13 a0=7fff63efa000 a1=1000 a2=1000007 a3=7fc58228b979 items=0 ppid=12873 pid=12874 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=1 comm="totem" exe="/usr/bin/totem" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) 

xvidcore-00:1.2.1-2.fc11.x86_64

ffmpeg-libs-00:0.5-2.fc11.x86_64

totem-mozplugin-00:2.27.2-2.fc12.x86_64
totem-nautilus-00:2.27.2-2.fc12.x86_64
totem-pl-parser-00:2.27.2-2.fc12.x86_64

gstreamer-00:0.10.23.4-1.fc12.x86_64
gstreamer-ffmpeg-00:0.10.7-2.fc12.x86_64
gstreamer-java-00:1.2-3.fc12.x86_64
gstreamer-plugins-base-00:0.10.23.4-1.fc12.x86_64
gstreamer-plugins-flumpegdemux-00:0.10.15-7.fc12.x86_64
gstreamer-plugins-good-00:0.10.15-5.fc12.x86_64
gstreamer-plugins-schroedinger-00:1.0.7-1.fc12.x86_64
gstreamer-plugins-ugly-00:0.10.12-1.fc12.x86_64
gstreamer-python-00:0.10.15-2.fc12.x86_64
gstreamer-tools-00:0.10.23.4-1.fc12.x86_64
PackageKit-gstreamer-plugin-00:0.5.1-0.1.20090727git.fc12.x86_64
phonon-backend-gstreamer-1:4.5.2-5.fc12.x86_64

selinux-policy-targeted-00:3.6.26-2.fc12.noarch
selinux-policy-00:3.6.26-2.fc12.noarch
libselinux-utils-00:2.0.85-2.fc12.x86_64
libselinux-00:2.0.85-2.fc12.x86_64
libselinux-python-00:2.0.85-2.fc12.x86_64
Comment 1 Nicolas Chauvet 2009-09-01 22:12:52 CEST 
It seems to have a complains with selinux indeed.

Have you checked the common selinux compilation issues with this package ?
Comment 2 Michal Schmidt 2009-09-15 17:17:07 CEST 
Created attachment 289 [details]
patch to make stack non-executable

Today I sent this patch to xvid-devel@xvid.org which fixes it. It's against latest CVS, can be applied to 1.2.2 with minor fuzz.
Comment 3 Dominik 'Rathann' Mierzejewski 2009-09-15 17:34:41 CEST 
Thanks for the patch, Michal. I will test and apply ASAP.
Comment 4 Michal Schmidt 2009-09-16 20:52:01 CEST 
The patch is now merged in upstream CVS in HEAD and in release-1_2_2 branch.
Comment 5 Hans de Goede 2009-09-21 12:30:55 CEST 
Michal, thanks for the patch.

Rathann, given that you asked others to take care of your packages while
you are away, I've taken the liberty to fix this.

xvidcore-1.2.1-3 with the patch fixing this included is on its way to the development / F11 updates testing / F-10 updates testing repositories -> closing this bug.