This weekend I upgraded my Linux system from Fedora 11 to Fedora 14 (and got
all updates) and I have just now installed, as root, the latest stable version
of Lilypond. When I tried just getting the current version number I got this
in the console:
*********************
$ lilypond -v
/usr/local/lilypond/usr/bin/lilypond: error while loading shared libraries:
libgmp.so.3: cannot enable executable stack as shared object requires:
Permission denied
*********************
Then, an SELinux alert popped up. I got the detailed report which follows
below. I suppose this is off topic but I thought I'd start here.
Thanks,
David
*********************
SELinux is preventing /usr/local/lilypond/usr/bin/lilypond from using the
execstack access on a process.
***** Plugin allow_execstack (53.1 confidence) suggests ********************
If you believe that
None
should not require execstack
Then you should clear the execstack flag and see if
/usr/local/lilypond/usr/bin/lilypond works correctly.
Report this as a bug on None.
You can clear the exestack flag by executing:
Do
execstack -c None
***** Plugin catchall_boolean (42.6 confidence) suggests *******************
If you want to allow unconfined executables to make their stack executable.
This should never, ever be necessary. Probably indicates a badly coded
executable, but could indicate an attack. This executable should be reported in
bugzilla
Then you must tell SELinux about this by enabling the 'allow_execstack' boolean.
Do
setsebool -P allow_execstack 1
***** Plugin catchall (5.76 confidence) suggests ***************************
If you believe that lilypond should be allowed execstack access on processes
labeled unconfined_t by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# grep lilypond /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp
Additional Information:
Source Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Context unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
023
Target Objects Unknown [ process ]
Source lilypond
Source Path /usr/local/lilypond/usr/bin/lilypond
Port <Unknown>
Host rockhopper
Source RPM Packages
Target RPM Packages
Policy RPM selinux-policy-3.9.7-31.fc14
Selinux Enabled True
Policy Type targeted
Enforcing Mode Enforcing
Host Name rockhopper
Platform Linux rockhopper 2.6.35.6-45.fc14.i686 #1 SMP Mon
Oct 18 23:56:17 UTC 2010 i686 i686
Alert Count 2
First Seen Sun 20 Mar 2011 09:07:42 PM GMT
Last Seen Sun 20 Mar 2011 09:07:54 PM GMT
Local ID 8b557660-272a-4b68-86d8-982fac2bd97a
Raw Audit Messages
type=AVC msg=audit(1300655274.856:51941): avc: denied { execstack } for
pid=28870 comm="lilypond"
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1300655274.856:51941): arch=i386 syscall=mprotect
success=no exit=EACCES a0=bfb41000 a1=1000 a2=1000007 a3=bfb41774 items=0
ppid=28856 pid=28870 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500
egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm=lilypond
exe=/usr/local/lilypond/usr/bin/lilypond
subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Hash: lilypond,unconfined_t,unconfined_t,process,execstack
audit2allow
#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'
allow unconfined_t self:process execstack;
audit2allow -R
#============= unconfined_t ==============
#!!!! This avc can be allowed using the boolean 'allow_execstack'
allow unconfined_t self:process execstack;
*********************
_______________________________________________
lilypond-user mailing list
lilypond-user@gnu.org
http://lists.gnu.org/mailman/listinfo/lilypond-user
