Archive for July, 2009

24
Jul

Kaltura CE v.1.5 Linux i386 on Fedora 11 & Selinux (execstack, execmem)

   Posted by: admin    in Internet

Installing Kaltura CE 1.5 on Fedora 11 (i386) with a “trick” to point to the system’s ffmpeg, the below selinux error messages showed up:

type=AVC msg=audit(1248459483.954:30685): avc:  denied  { execstack } for  pid=8515 comm=”ffmpeg” scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1248459483.954:30685): arch=40000003 syscall=125 success=no exit=-13 a0=bfc28000 a1=1000 a2=1000007 a3=bfc280ac items=0 ppid=8482 pid=8515 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=13 comm=”ffmpeg” exe=”/usr/bin/ffmpeg” subj=unconfined_u:system_r:httpd_t:s0 key=(null)

type=AVC msg=audit(1248462183.935:30734): avc:  denied  { execmem } for  pid=8758 comm=”ffmpeg” scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:system_r:httpd_t:s0 tclass=process
type=SYSCALL msg=audit(1248462183.935:30734): arch=40000003 syscall=125 success=no exit=-13 a0=bffea000 a1=1000 a2=1000007 a3=bffe994c items=0 ppid=8744 pid=8758 auid=0 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=1255 comm=”ffmpeg” exe=”/usr/bin/ffmpeg” subj=unconfined_u:system_r:httpd_t:s0 key=(null)

they were domesticated using Tomáš “Tomyk” Ruprich hint from:

https://akela.mendelu.cz/~ruprich/tlachy/zend_selinux.html

as bellow:

[root@localhost selinux]# more local.te
module local 1.1;

require {
type httpd_t;
#type usr_t;
class file execute;
#class process { execstack execmem execheap };
class process { execstack execmem };
}

#============= httpd_t ==============
allow httpd_t self:process execstack;
allow httpd_t self:process execmem;
#allow httpd_t self:process execheap;
#allow httpd_t usr_t:file execute;

[root@localhost selinux]# checkmodule -M -m -o local.mod local.te
checkmodule:  loading policy configuration from local.te
checkmodule:  policy configuration loaded
checkmodule:  writing binary representation (version 10) to local.mod

[root@localhost selinux]# semodule_package -o local.pp -m local.mod

[root@localhost selinux]# semodule -i ./local.pp

No Comments
Back to top