I am *this* close to disabling selinux!
David Kramer
david at thekramers.net
Sat Apr 28 22:30:44 EDT 2007
I'm normally the kinda geek that tries to understand what's running on
my box, and going on when I'm having problems with my system. But I
have to say, every time I've researched a problem and it turned out to
be selinux, the solution has always been a "You just have to know what
to do" thing. The setroubleshootd.log is EXTREMELY unhelpful in fixing
problems, except when Google can find someone else who got that message
and somehow figured it out. There's no actual central documentation set
for it, and there's no list of errors and their meanings. In short,
I've learned some pretty complex daemons pretty well, but selinux isn't
really giving me a fighting chance to do that.

\me steps off soapbox

When trying to run ffmpeg to transcode a MythTV file, I get the
following error:

# ffmpeg -v 1 -i "/data/mythtv/tmp/work/1/newfile.mpg" -r ntsc -target
dvd -b 4771k -s 720x480 -acodec ac3 -ab 192k -ac 2 -copyts -aspect 4:3
"/data/mythtv/tmp/work/1/newfile2.mpg" -map 0:0 -map 0:1
ffmpeg: error while loading shared libraries: /usr/lib/libswscale.so.0:
cannot restore segment prot after reloc: Permission denied

Googling has shown this is definitely a selinux issue, and
setroubleshootd.log shows:

[avc.DEBUG] analyze_avc() avc=avc: denied { execmod } for a0=11b000
a1=2d000 a2=5 a3=bfdc4110 arch=40000003 auid=500 comm="ffmpeg" dev=hda1
egid=0 euid=0 exe="/usr/bin/ffmpeg" exit=-13 fsgid=0 fsuid=0 gid=0
items=0 name="libswscale.so.0.5.0" path="/usr/lib/libswscale.so.0.5.0"
pid=5534 scontext=user_u:system_r:unconfined_t:s0 sgid=0
subj=user_u:system_r:unconfined_t:s0 success=no suid=0 syscall=125
tclass=file tcontext=system_u:object_r:lib_t:s0 tty=pts2 uid=0

WTF!!!!

Did I mention almost every single article I found Googling for "cannot
restore segment prot after reloc: Permission denied" said "OH, just
disable selinux"? What does it say about a security tool when almost
everyone's answer is to disable it instead of reconfiguring it? Even
searching on http://www.nsa.gov/selinux itself turns up that answer!

Can someone explain to me what that error means, and how I can get
around it? Meta-answers about how to figure out what to do about
selinux errors in general are welcome (as is sympathy).

Thanks.
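
Added example, not part of the original post: a Python reading of the AVC record quoted above, pulling out the fields that decide what was denied and to whom. The function names and the two lookup tables are assumptions made for this illustration; the tables cover only this record (arch 40000003 is i386, where syscall 125 is mprotect).

```python
import errno
import re
import shlex

# AVC record copied from the post above, joined onto one line.
AVC = ('avc: denied { execmod } for a0=11b000 a1=2d000 a2=5 a3=bfdc4110 '
       'arch=40000003 auid=500 comm="ffmpeg" dev=hda1 egid=0 euid=0 '
       'exe="/usr/bin/ffmpeg" exit=-13 fsgid=0 fsuid=0 gid=0 items=0 '
       'name="libswscale.so.0.5.0" path="/usr/lib/libswscale.so.0.5.0" '
       'pid=5534 scontext=user_u:system_r:unconfined_t:s0 sgid=0 '
       'subj=user_u:system_r:unconfined_t:s0 success=no suid=0 syscall=125 '
       'tclass=file tcontext=system_u:object_r:lib_t:s0 tty=pts2 uid=0')

# Assumed lookup tables, limited to what this one record needs.
SYSCALLS = {("40000003", "125"): "mprotect"}  # AUDIT_ARCH_I386, __NR_mprotect
PROT_BITS = ((1, "PROT_READ"), (2, "PROT_WRITE"), (4, "PROT_EXEC"))

def parse_avc(line):
    """Split an AVC denial into its permission list and key=value fields."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        raise ValueError("not an AVC denial")
    # shlex strips the quotes around values such as comm="ffmpeg"
    fields = dict(t.split("=", 1) for t in shlex.split(m.group(2)) if "=" in t)
    fields["perms"] = m.group(1).split()
    return fields

def selinux_type(context):
    """Return the type field of a user:role:type[:level] context."""
    return context.split(":")[2]

def explain(line):
    """Reduce a denial to who asked, for what, on which object."""
    f = parse_avc(line)
    out = {
        "perms": f["perms"],
        "source_type": selinux_type(f["scontext"]),
        "target_type": selinux_type(f["tcontext"]),
        "tclass": f["tclass"],
        "path": f.get("path", f.get("name")),
        "syscall": SYSCALLS.get((f.get("arch"), f.get("syscall")), f.get("syscall")),
        "errno": errno.errorcode.get(-int(f.get("exit", "0")), f.get("exit")),
    }
    if out["syscall"] == "mprotect":  # a2 is mprotect's prot argument, in hex
        prot = int(f["a2"], 16)
        out["prot"] = [name for bit, name in PROT_BITS if prot & bit]
    return out

if __name__ == "__main__":
    for key, value in explain(AVC).items():
        print(f"{key:12} {value}")
```

Read this way, the record says that ffmpeg, running as unconfined_t, called mprotect with PROT_READ|PROT_EXEC on a modified mapping of a lib_t file and got EACCES, which is the case execmod covers and what the loader reports as "cannot restore segment prot after reloc". That points any fix at the label on that one library (Fedora's targeted policy of that period provided the textrel_shlib_t type for libraries needing text relocation) rather than at the enforcing mode of the whole system.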