Bug 287761
| Summary: | Selinux denies maxima to work | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Antonio A. Olivares <olivares14031> |
| Component: | selinux-policy | Assignee: | Daniel Walsh <dwalsh> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | low | Docs Contact: | |
| Priority: | medium | ||
| Version: | rawhide | CC: | drepper, jakub |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Current | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2007-11-12 23:23:20 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Antonio A. Olivares
2007-09-12 15:33:23 UTC
Summary
SELinux is preventing maxima from loading /usr/lib/maxima/5.13.0/binary-
gcl/maxima which requires text relocation.
Detailed Description
The maxima application attempted to load /usr/lib/maxima/5.13.0/binary-
gcl/maxima which requires text relocation. This is a potential security
problem. Most libraries do not need this permission. Libraries are sometimes
coded incorrectly and request this permission. The
http://people.redhat.com/drepper/selinux-mem.html web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/maxima/5.13.0/binary-gcl/maxima to use relocation as a workaround,
until the library is fixed. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Allowing Access
If you trust /usr/lib/maxima/5.13.0/binary-gcl/maxima to run correctly, you
can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
/usr/lib/maxima/5.13.0/binary-gcl/maxima" You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t textrel_shlib_t /usr/lib/maxima/5.13.0
/binary-gcl/maxima"
The following command will allow this access:
chcon -t textrel_shlib_t /usr/lib/maxima/5.13.0/binary-gcl/maxima
Additional Information
Source Context system_u:system_r:unconfined_execmem_t
Target Context system_u:object_r:unconfined_execmem_exec_t
Target Objects /usr/lib/maxima/5.13.0/binary-gcl/maxima [ file ]
Affected RPM Packages maxima-runtime-gcl-5.13.0-4.fc8 [target]
Policy RPM selinux-policy-3.0.7-10.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.allow_execmod
Host Name localhost
Platform Linux localhost 2.6.23-0.174.rc6.fc8 #1 SMP Tue
Sep 11 19:06:17 EDT 2007 i686 athlon
Alert Count 2
First Seen Wed 12 Sep 2007 10:25:51 AM CDT
Last Seen Wed 12 Sep 2007 10:29:34 AM CDT
Local ID d5f20c6c-774f-4f65-bc5c-90e2658d4c3d
Line Numbers
Raw Audit Messages
avc: denied { execmod } for comm=maxima dev=dm-0 path=/usr/lib/maxima/5.13.0
/binary-gcl/maxima pid=4043 scontext=system_u:system_r:unconfined_execmem_t:s0
tclass=file tcontext=system_u:object_r:unconfined_execmem_exec_t:s0
This is likely more an issue with gcl-created binaries, not specific to maxima. While we're at it, see also a previous maxima/selinux related issue, bug #187647 The egregious hack used for that was to simply run maxima with: setarch -X which I would have thought would help here too. In the meantime, pretty much any other maxima-runtime can/does work better than gcl (maxima-runtime-sbcl for instance). I have installed maxima-runtime-cbl as you have suggested:
[root@localhost ~]# yum install maxima-runtime-sbcl
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
--> Running transaction check
---> Package maxima-runtime-sbcl.i386 0:5.13.0-4.fc8 set to be updated
--> Processing Dependency: sbcl = 1.0.9 for package: maxima-runtime-sbcl
--> Running transaction check
---> Package sbcl.i386 0:1.0.9-1.fc8 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
maxima-runtime-sbcl i386 5.13.0-4.fc8 development 13 M
Installing for dependencies:
sbcl i386 1.0.9-1.fc8 development 9.0 M
Transaction Summary
=============================================================================
Install 2 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 22 M
Is this ok [y/N]: y
Downloading Packages:
(1/2): maxima-runtime-sbc 100% |=========================| 13 MB 00:08
(2/2): sbcl-1.0.9-1.fc8.i 100% |=========================| 9.0 MB 00:07
Running rpm_check_debug
Running Transaction Test
warning: sbcl-1.0.9-1.fc8: Header V3 DSA signature: NOKEY, key ID 30c9ecf8
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: sbcl ######################### [1/2]
Installing: maxima-runtime-sbcl ######################### [2/2]
Installed: maxima-runtime-sbcl.i386 0:5.13.0-4.fc8
Dependency Installed: sbcl.i386 0:1.0.9-1.fc8
Complete!
Yet I still get
Summary
SELinux is preventing maxima from loading /usr/lib/maxima/5.13.0/binary-
gcl/maxima which requires text relocation.
Detailed Description
The maxima application attempted to load /usr/lib/maxima/5.13.0/binary-
gcl/maxima which requires text relocation. This is a potential security
problem. Most libraries do not need this permission. Libraries are sometimes
coded incorrectly and request this permission. The
http://people.redhat.com/drepper/selinux-mem.html web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/maxima/5.13.0/binary-gcl/maxima to use relocation as a workaround,
until the library is fixed. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Allowing Access
If you trust /usr/lib/maxima/5.13.0/binary-gcl/maxima to run correctly, you
can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t
/usr/lib/maxima/5.13.0/binary-gcl/maxima" You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t textrel_shlib_t /usr/lib/maxima/5.13.0
/binary-gcl/maxima"
The following command will allow this access:
chcon -t textrel_shlib_t /usr/lib/maxima/5.13.0/binary-gcl/maxima
Additional Information
Source Context system_u:system_r:unconfined_execmem_t
Target Context system_u:object_r:unconfined_execmem_exec_t
Target Objects /usr/lib/maxima/5.13.0/binary-gcl/maxima [ file ]
Affected RPM Packages maxima-runtime-gcl-5.13.0-4.fc8 [target]
Policy RPM selinux-policy-3.0.7-10.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.allow_execmod
Host Name localhost
Platform Linux localhost 2.6.23-0.174.rc6.fc8 #1 SMP Tue
Sep 11 19:06:17 EDT 2007 i686 athlon
Alert Count 2
First Seen Wed 12 Sep 2007 10:25:51 AM CDT
Last Seen Wed 12 Sep 2007 10:29:34 AM CDT
Local ID d5f20c6c-774f-4f65-bc5c-90e2658d4c3d
Line Numbers
Raw Audit Messages
avc: denied { execmod } for comm=maxima dev=dm-0 path=/usr/lib/maxima/5.13.0
/binary-gcl/maxima pid=4043 scontext=system_u:system_r:unconfined_execmem_t:s0
tclass=file tcontext=system_u:object_r:unconfined_execmem_exec_t:s0
I had maxima running fine, but I had to yum remove it because of setarch, could
not apply the updates:
These were removed because of setarch package
setarch i386 2.0-4.fc7
maxima i386 5.12.99-0.5.rc2.fc8 installed 81 M
maxima-gui i386 5.12.99-0.5.rc2.fc8 installed 833 k
maxima-runtime-gcl i386 5.12.99-0.5.rc2.fc8 installed 24 M
You'll need to either remove maxima-runtime-gcl or run as: maxima --lisp=sbcl What is /usr/lib/maxima/5.13.0/binary-gcl/maxima? Did you set the context to textrel_shlib_t? Did it work then? Reading through the avc's again, it lookd like the app needs execmod as well as execstack and execmem? [olivares@localhost ~]$ maxima
mmap: Permission denied
ensure_space: failed to validate 1044480 bytes at 0x01000000
(hint: Try "ulimit -a"; maybe you should increase memory limits.)
[olivares@localhost ~]$ su -
Password:
[root@localhost ~]# chcon -t textrel_shlib_t
/usr/lib/maxima/5.13.0/binary-gcl/maxima
[root@localhost ~]# semanage fcontext -a -t textrel_shlib_t
/usr/lib/maxima/5.13.0/binary-gcl/maxima
[root@localhost ~]# exit
logout
[olivares@localhost ~]$ maxima
mmap: Permission denied
ensure_space: failed to validate 1044480 bytes at 0x01000000
(hint: Try "ulimit -a"; maybe you should increase memory limits.)
[olivares@localhost ~]$ ulimit -a
core file size (blocks, -c) 0
data seg size (kbytes, -d) unlimited
scheduling priority (-e) 0
file size (blocks, -f) unlimited
pending signals (-i) 12285
max locked memory (kbytes, -l) 32
max memory size (kbytes, -m) unlimited
open files (-n) 1024
pipe size (512 bytes, -p) 8
POSIX message queues (bytes, -q) 819200
real-time priority (-r) 0
stack size (kbytes, -s) 10240
cpu time (seconds, -t) unlimited
max user processes (-u) 12285
virtual memory (kbytes, -v) unlimited
file locks (-x) unlimited
I try as root and this is what happens:
[root@localhost ~]# maxima --lisp=sbcl
mmap: Permission denied
ensure_space: failed to validate 1044480 bytes at 0x01000000
(hint: Try "ulimit -a"; maybe you should increase memory limits.)
Selinux troubleshoot shows:
Summary
SELinux is preventing /usr/bin/sbcl from changing a writable memory segment
executable.
Detailed Description
The /usr/bin/sbcl application attempted to change the access protection of
memory (e,g., allocated using malloc). This is a potential security
problem. Applications should not be doing this. Applications are sometimes
coded incorrectly and request this permission. The
http://people.redhat.com/drepper/selinux-mem.html web page explains how to
remove this requirement. If /usr/bin/sbcl does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Allowing Access
If you trust /usr/bin/sbcl to run correctly, you can change the context of
the executable to unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t /usr/bin/sbcl". You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t unconfined_execmem_exec_t /usr/bin/sbcl"
The following command will allow this access:
chcon -t unconfined_execmem_exec_t /usr/bin/sbcl
Additional Information
Source Context system_u:system_r:unconfined_t
Target Context system_u:system_r:unconfined_t
Target Objects None [ process ]
Affected RPM Packages sbcl-1.0.9-1.fc8 [application]
Policy RPM selinux-policy-3.0.7-10.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.allow_execmem
Host Name localhost
Platform Linux localhost 2.6.23-0.178.rc6.git2.fc8 #1 SMP
Wed Sep 12 17:14:53 EDT 2007 i686 athlon
Alert Count 21
First Seen Tue 28 Aug 2007 07:49:26 AM CDT
Last Seen Thu 13 Sep 2007 06:50:28 PM CDT
Local ID 5728acf1-707b-4ea6-b2ae-84ecb44cd93c
Line Numbers
Raw Audit Messages
avc: denied { execmem } for comm=sbcl egid=0 euid=0 exe=/usr/bin/sbcl exit=-13
fsgid=0 fsuid=0 gid=0 items=0 pid=3142
scontext=system_u:system_r:unconfined_t:s0 sgid=0
subj=system_u:system_r:unconfined_t:s0 suid=0 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=pts1 uid=0
Hrm, maxima (both gcl and sbcl runtimes) on f7 under SELINUXTYPE=targeted policy WORKSFORME. I'll go see if I can get a f8 VM (qemu or VirtualPC) running to see if I can reproduce. Antonio, what selinux policy are you using (targeted?)? allow_execmem and allow_execstack are turned on in F-7 and turned off in f-8 So, what can lisp's and lisp-generated apps do to work on f8? (Other than rewrite the lisp implementations to not use execmem and execstack at all). Did you try the chcon command mentioned above chcon -t unconfined_execmem_exec_t PATHTOEXEC If this works we can setup this as default labeling Does not help much. Is there another thing that we can try? [olivares@localhost ~]$ su - Password: [root@localhost ~]# chcon -t unconfined_execmem_exec_t /usr/lib/maxima/5.13.0/binary-gcl/maxima [root@localhost ~]# maxima mmap: Permission denied ensure_space: failed to validate 1044480 bytes at 0x01000000 (hint: Try "ulimit -a"; maybe you should increase memory limits.) [root@localhost ~]# chcon -t unconfined_execmem_exec_t /usr/lib/maxima/5.13.0/binary-gcl/maxima [root@localhost ~]# maximammap: Permission denied ensure_space: failed to validate 1044480 bytes at 0x01000000 (hint: Try "ulimit -a"; maybe you should increase memory limits.) [root@localhost ~]# Thanks, Antonio Did you see additional avc messages in the log file? runcon -t unconfined_execmem_exec_t /usr/lib/maxima/5.13.0/binary-gcl/maxima Might get it to work. Ooops. Should be runcon -t unconfined_execmem_t /usr/lib/maxima/5.13.0/binary-gcl/maxima No go. I have done as you have asked. [olivares@localhost ~]$ su - Password: [root@localhost ~]# runcon -t unconfined_execmem_t /usr/lib/maxima/5.13.0/binary-gcl/maxima Segmentation fault [root@localhost ~]# maxima mmap: Permission denied ensure_space: failed to validate 1044480 bytes at 0x01000000 (hint: Try "ulimit -a"; maybe you should increase memory limits.) [root@localhost ~]# ulimit -a core file size (blocks, -c) 0 data seg size (kbytes, -d) unlimited scheduling priority (-e) 0 file size (blocks, -f) unlimited pending signals (-i) 12285 max locked memory (kbytes, -l) 32 max memory size (kbytes, -m) unlimited open files (-n) 1024 pipe size (512 bytes, -p) 8 POSIX message queues (bytes, -q) 819200 real-time priority (-r) 0 stack size (kbytes, -s) 10240 cpu time (seconds, -t) unlimited max user processes (-u) 12285 virtual memory (kbytes, -v) unlimited file locks (-x) unlimited [root@localhost ~]# maxima mmap: Permission denied ensure_space: failed to validate 1044480 bytes at 0x01000000 (hint: Try "ulimit -a"; maybe you should increase memory limits.) [root@localhost ~]# runcon -t unconfined_execmem_t /usr/lib/maxima/5.13.0/binary-gcl/maxima Segmentation fault [root@localhost ~]# On the other machine which had FC6 and maxima was not working there, I have installed F8T2 on it and will install maxima to see if the behavior is the same and will report back if things are the same as here. I have installed it on another machine (the one which maxima failed and ran FC6) and here are the results: Here is the smolt profile of that machine http://smolt.fedoraproject.org/show?UUID=27eb0b00-4d7a-42a9-93bc-6eb3d48bcf2f [root@localhost ~]# yum install maxima maxima-gui maxima-runtime-sbcl wxMaxima Loading "refresh-updatesd" plugin development 100% |=========================| 2.1 kB 00:00 texlive 100% |=========================| 951 B 00:00 Setting up Install Process Parsing package install arguments Resolving Dependencies --> Running transaction check ---> Package maxima.i386 0:5.13.0-6.fc8 set to be updated --> Processing Dependency: gnuplot for package: maxima ---> Package wxMaxima.i386 0:0.7.2-4.fc8 set to be updated --> Processing Dependency: libwx_gtk2u_core-2.8.so.0(WXU_2.8) for package: wxMaxima --> Processing Dependency: libwx_gtk2u_adv-2.8.so.0(WXU_2.8) for package: wxMaxima --> Processing Dependency: libwx_gtk2u_xrc-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_gtk2u_adv-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_gtk2u_core-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_baseu_net-2.8.so.0(WXU_2.8) for package: wxMaxima --> Processing Dependency: libwx_gtk2u_aui-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_gtk2u_html-2.8.so.0(WXU_2.8) for package: wxMaxima --> Processing Dependency: libwx_baseu-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_baseu_xml-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_gtk2u_qa-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_gtk2u_html-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_baseu_net-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_baseu-2.8.so.0(WXU_2.8) for package: wxMaxima ---> Package maxima-runtime-sbcl.i386 0:5.13.0-6.fc8 set to be updated --> Processing Dependency: sbcl = 1.0.9 for package: maxima-runtime-sbcl ---> Package maxima-gui.i386 0:5.13.0-6.fc8 set to be updated --> Running transaction check ---> Package gnuplot.i386 0:4.2.0-5.fc8 set to be updated --> Processing Dependency: perl(HTML::Entities) for package: gnuplot ---> Package sbcl.i386 0:1.0.9-1.fc8 set to be updated ---> Package wxGTK.i386 0:2.8.4-6.fc8 set to be updated --> Running transaction check ---> Package perl-HTML-Parser.i386 0:3.56-2.fc8 set to be updated --> Processing Dependency: perl(HTML::Tagset) >= 3.03 for package: perl-HTML-Parser --> Processing Dependency: perl(HTML::Tagset) for package: perl-HTML-Parser --> Running transaction check ---> Package perl-HTML-Tagset.noarch 0:3.10-6.fc8 set to be updated --> Finished Dependency Resolution Dependencies Resolved ============================================================================= Package Arch Version Repository Size ============================================================================= Installing: maxima-gui i386 5.13.0-6.fc8 development 365 k wxMaxima i386 0.7.2-4.fc8 development 524 k Installing for dependencies: gnuplot i386 4.2.0-5.fc8 development 1.6 M maxima i386 5.13.0-6.fc8 development 14 M maxima-runtime-sbcl i386 5.13.0-6.fc8 development 13 M perl-HTML-Parser i386 3.56-2.fc8 development 111 k perl-HTML-Tagset noarch 3.10-6.fc8 development 15 k sbcl i386 1.0.9-1.fc8 development 9.0 M wxGTK i386 2.8.4-6.fc8 development 4.4 M Transaction Summary ============================================================================= Install 9 Package(s) Update 0 Package(s) Remove 0 Package(s) Total download size: 43 M Is this ok [y/N]: y Downloading Packages: (1/9): maxima-runtime-sbc 100% |=========================| 13 MB 00:06 (2/9): perl-HTML-Tagset-3 100% |=========================| 15 kB 00:00 (3/9): wxGTK-2.8.4-6.fc8. 100% |=========================| 4.4 MB 00:03 (4/9): maxima-5.13.0-6.fc 100% |=========================| 14 MB 00:07 (5/9): sbcl-1.0.9-1.fc8.i 100% |=========================| 9.0 MB 00:06 (6/9): maxima-gui-5.13.0- 100% |=========================| 365 kB 00:00 (7/9): perl-HTML-Parser-3 100% |=========================| 111 kB 00:00 (8/9): wxMaxima-0.7.2-4.f 100% |=========================| 524 kB 00:00 (9/9): gnuplot-4.2.0-5.fc 100% |=========================| 1.6 MB 00:01 Running rpm_check_debug Running Transaction Test warning: perl-HTML-Parser-3.56-2.fc8: Header V3 DSA signature: NOKEY, key ID 30c9ecf8 Finished Transaction Test Transaction Test Succeeded Running Transaction Installing: wxGTK ######################### [1/9] Installing: sbcl ######################### [2/9] Installing: perl-HTML-Tagset ######################### [3/9] Installing: perl-HTML-Parser ######################### [4/9] Installing: gnuplot ######################### [5/9] Installing: maxima ######################### [6/9] Installing: wxMaxima ######################### [7/9] Installing: maxima-gui ######################### [8/9] Installing: maxima-runtime-sbcl ######################### [9/9] Installed: maxima-gui.i386 0:5.13.0-6.fc8 wxMaxima.i386 0:0.7.2-4.fc8 Dependency Installed: gnuplot.i386 0:4.2.0-5.fc8 maxima.i386 0:5.13.0-6.fc8 maxima-runtime-sbcl.i386 0:5.13.0-6.fc8 perl-HTML-Parser.i386 0:3.56-2.fc8 perl-HTML-Tagset.noarch 0:3.10-6.fc8 sbcl.i386 0:1.0.9-1.fc8 wxGTK.i386 0:2.8.4-6.fc8 Complete! [root@localhost ~]# exit logout [olivares@localhost ~]$ maxima mmap: Permission denied ensure_space: failed to validate 1044480 bytes at 0x01000000 (hint: Try "ulimit -a"; maybe you should increase memory limits.) [olivares@localhost ~]$ xmaxima mmap: Permission denied ensure_space: failed to validate 1044480 bytes at 0x01000000 (hint: Try "ulimit -a"; maybe you should increase memory limits.) [olivares@localhost ~]$ [olivares@localhost ~]$ ulimit -a core file size (blocks, -c) 0 data seg size (kbytes, -d) unlimited scheduling priority (-e) 0 file size (blocks, -f) unlimited pending signals (-i) 8175 max locked memory (kbytes, -l) 32 max memory size (kbytes, -m) unlimited open files (-n) 1024 pipe size (512 bytes, -p) 8 POSIX message queues (bytes, -q) 819200 real-time priority (-r) 0 stack size (kbytes, -s) 10240 cpu time (seconds, -t) unlimited max user processes (-u) 8175 virtual memory (kbytes, -v) unlimited file locks (-x) unlimited [olivares@localhost ~]$ maxima mmap: Permission denied ensure_space: failed to validate 1044480 bytes at 0x01000000 (hint: Try "ulimit -a"; maybe you should increase memory limits.) [olivares@localhost ~]$ Thanks for your help. Regards, Antonio BTW on this other machine which I just installed maxima, I forgot to try the
runcon command and here it is
[root@localhost ~]# runcon -t unconfined_execmem_t
/usr/lib/maxima/5.13.0/binary-gcl/maxima
execvp: No such file or directory
[root@localhost ~]# runcon -t unconfined_execmem_t
/usr/lib/maxima/5.13.0/binary-gcl/maxima
execvp: No such file or directory
[root@localhost ~]#
I got an alert from setroubleshoot browser as follows:
Summary
SELinux is preventing /usr/bin/sbcl from changing a writable memory segment
executable.
Detailed Description
The /usr/bin/sbcl application attempted to change the access protection of
memory (e,g., allocated using malloc). This is a potential security
problem. Applications should not be doing this. Applications are sometimes
coded incorrectly and request this permission. The
http://people.redhat.com/drepper/selinux-mem.html web page explains how to
remove this requirement. If /usr/bin/sbcl does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a
http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
Allowing Access
If you trust /usr/bin/sbcl to run correctly, you can change the context of
the executable to unconfined_execmem_exec_t. "chcon -t
unconfined_execmem_exec_t /usr/bin/sbcl". You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t unconfined_execmem_exec_t /usr/bin/sbcl"
The following command will allow this access:
chcon -t unconfined_execmem_exec_t /usr/bin/sbcl
Additional Information
Source Context system_u:system_r:unconfined_t:s0
Target Context system_u:system_r:unconfined_t:s0
Target Objects None [ process ]
Affected RPM Packages sbcl-1.0.9-1.fc8 [application]
Policy RPM selinux-policy-3.0.8-3.fc8
Selinux Enabled True
Policy Type targeted
MLS Enabled True
Enforcing Mode Enforcing
Plugin Name plugins.allow_execmem
Host Name localhost.localdomain
Platform Linux localhost.localdomain
2.6.23-0.189.rc6.git8.fc8 #1 SMP Wed Sep 19
20:34:10 EDT 2007 i686 i686
Alert Count 3
First Seen Fri 21 Sep 2007 06:22:42 PM CDT
Last Seen Fri 21 Sep 2007 06:24:04 PM CDT
Local ID 21b2f0ab-dd92-443f-91a7-a2eeb6d06678
Line Numbers
Raw Audit Messages
avc: denied { execmem } for comm=sbcl egid=500 euid=500 exe=/usr/bin/sbcl
exit=-13 fsgid=500 fsuid=500 gid=500 items=0 pid=10912
scontext=system_u:system_r:unconfined_t:s0 sgid=500
subj=system_u:system_r:unconfined_t:s0 suid=500 tclass=process
tcontext=system_u:system_r:unconfined_t:s0 tty=pts1 uid=500
I did the following and maxima now works, part of it at least(as root):
[root@localhost ~]# runcon -t unconfined_execmem_t
/usr/lib/maxima/5.13.0/binary-gcl/maxima
execvp: No such file or directory
[root@localhost ~]# chcon -t unconfined_execmem_exec_t /usr/bin/sbcl
[root@localhost ~]# semanage fcontext -a -t unconfined_execmem_exec_t /usr/bin/sbcl
[root@localhost ~]# runcon -t unconfined_execmem_t
/usr/lib/maxima/5.13.0/binary-gcl/maxima
execvp: No such file or directory
[root@localhost ~]# maxima
Maxima 5.13.0 http://maxima.sourceforge.net
Using Lisp SBCL 1.0.9
Distributed under the GNU Public License. See the file COPYING.
Dedicated to the memory of William Schelter.
This is a development version of Maxima. The function bug_report()
provides bug reporting information.
(%i1) solve(x^2+2*x+1=0,x);
(%o1) [x = - 1]
(%i2) quit();
[root@localhost ~]#
So things are looking brighter. xmaxima works as root user also:
[root@localhost ~]# xmaxima
Maxima 5.13.0 http://maxima.sourceforge.net
Using Lisp SBCL 1.0.9
Distributed under the GNU Public License. See the file COPYING.
Dedicated to the memory of William Schelter.
This is a development version of Maxima. The function bug_report()
provides bug reporting information.
(%i1) jfa: starting server on port 4008
Help! 11 nested errors. SB-KERNEL:*MAXIMUM-ERROR-DEPTH* exceeded.
0: (BACKTRACE 536870911 #<SYNONYM-STREAM :SYMBOL SB-SYS:*TTY* {C38B8D1}>)
1: ((LAMBDA NIL))
2: ((LAMBDA NIL))
3: (SB-IMPL::%WITH-STANDARD-IO-SYNTAX #<CLOSURE (LAMBDA NIL) {C38B9ED}>)
4: (SB-IMPL::ERROR-ERROR)
5: (SB-IMPL::INFINITE-ERROR-PROTECTOR)
6: (ERROR SB-INT:SIMPLE-STREAM-ERROR)
7: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
8: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
9: (SB-IMPL::OUTPUT-CHAR-UTF-8-LINE-BUFFERED #<SB-SYS:FD-STREAM for "a socket"
{C2F6249}> #\Newline)
10: (TERPRI #<SB-SYS:FD-STREAM for "a socket" {C2F6249}>)
11: ((LAMBDA NIL))
12: ((LAMBDA NIL))
13: (SB-IMPL::%WITH-STANDARD-IO-SYNTAX #<CLOSURE (LAMBDA NIL) {C38B02D}>)
14: (SB-IMPL::ERROR-ERROR)
15: (SB-IMPL::INFINITE-ERROR-PROTECTOR)
16: (ERROR SB-INT:SIMPLE-STREAM-ERROR)
17: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
18: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
19: (FORCE-OUTPUT #<SB-SYS:FD-STREAM for "a socket" {C2F6249}>)
20: (SB-INT:FLUSH-STANDARD-OUTPUT-STREAMS)
21: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38AEE1}>)
22: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38AEE1}>)
23: (ERROR SB-INT:SIMPLE-STREAM-ERROR)
24: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
25: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
26: (FORCE-OUTPUT #<SB-SYS:FD-STREAM for "a socket" {C2F6249}>)
27: (SB-INT:FLUSH-STANDARD-OUTPUT-STREAMS)
28: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38AD89}>)
29: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38AD89}>)
30: (ERROR SB-INT:SIMPLE-STREAM-ERROR)
31: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
32: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
33: (FORCE-OUTPUT #<SB-SYS:FD-STREAM for "a socket" {C2F6249}>)
34: (SB-INT:FLUSH-STANDARD-OUTPUT-STREAMS)
35: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38AC31}>)
36: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38AC31}>)
37: (ERROR SB-INT:SIMPLE-STREAM-ERROR)
38: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
39: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
40: (FORCE-OUTPUT #<SB-SYS:FD-STREAM for "a socket" {C2F6249}>)
41: (SB-INT:FLUSH-STANDARD-OUTPUT-STREAMS)
42: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38AAD9}>)
43: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38AAD9}>)
44: (ERROR SB-INT:SIMPLE-STREAM-ERROR)
45: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
46: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
47: (FORCE-OUTPUT #<SB-SYS:FD-STREAM for "a socket" {C2F6249}>)
48: (SB-INT:FLUSH-STANDARD-OUTPUT-STREAMS)
49: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38A981}>)
50: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38A981}>)
51: (ERROR SB-INT:SIMPLE-STREAM-ERROR)
52: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
53: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
54: (FORCE-OUTPUT #<SB-SYS:FD-STREAM for "a socket" {C2F6249}>)
55: (SB-INT:FLUSH-STANDARD-OUTPUT-STREAMS)
56: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38A829}>)
57: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38A829}>)
58: (ERROR SB-INT:SIMPLE-STREAM-ERROR)
59: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
60: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
61: (FORCE-OUTPUT #<SB-SYS:FD-STREAM for "a socket" {C2F6249}>)
62: (SB-INT:FLUSH-STANDARD-OUTPUT-STREAMS)
63: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38A6D1}>)
64: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38A6D1}>)
65: (ERROR SB-INT:SIMPLE-STREAM-ERROR)
66: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
67: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
68: (FORCE-OUTPUT #<SB-SYS:FD-STREAM for "a socket" {C2F6249}>)
69: (SB-INT:FLUSH-STANDARD-OUTPUT-STREAMS)
70: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38A579}>)
71: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38A579}>)
72: (ERROR SB-INT:SIMPLE-STREAM-ERROR)
73: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
74: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
75: (FORCE-OUTPUT #<SB-SYS:FD-STREAM for "a socket" {C2F6249}>)
76: (SB-INT:FLUSH-STANDARD-OUTPUT-STREAMS)
77: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38A421}>)
78: (INVOKE-DEBUGGER #<SB-INT:SIMPLE-STREAM-ERROR {C38A421}>)
79: (ERROR SB-INT:SIMPLE-STREAM-ERROR)
80: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
81: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
82: (SB-IMPL::OUTPUT-CHAR-UTF-8-LINE-BUFFERED #<SB-SYS:FD-STREAM for "a socket"
{C2F6249}> #\Newline)
83: (FRESH-LINE #<SB-SYS:FD-STREAM for "a socket" {C2F6249}>)
84: (SB-FORMAT::&-FORMAT-DIRECTIVE-INTERPRETER #<SB-SYS:FD-STREAM for "a socket"
{C2F6249}> #<~&> ("Maxima encountered a Lisp error:" #<~%> #<~%> " " #<~A>)
#<unavailable argument> #<unavailable argument>)
85: (SB-FORMAT::INTERPRET-DIRECTIVE-LIST #<SB-SYS:FD-STREAM for "a socket"
{C2F6249}> (#<~&> "Maxima encountered a Lisp error:" #<~%> #<~%> " " #<~A>)
(#<SIMPLE-ERROR {C389EE1}>) (#<SIMPLE-ERROR {C389EE1}>))
86: (SB-FORMAT::%FORMAT #<SB-SYS:FD-STREAM for "a socket" {C2F6249}> "~&Maxima
encountered a Lisp error:~%~% ~A" (#<SIMPLE-ERROR {C389EE1}>) (#<SIMPLE-ERROR
{C389EE1}>))
87: (FORMAT T "~&Maxima encountered a Lisp error:~%~% ~A")
88: (MAXIMA::MAXIMA-LISP-DEBUGGER #<SIMPLE-ERROR {C389EE1}> #<unavailable argument>)
89: (INVOKE-DEBUGGER #<SIMPLE-ERROR {C389EE1}>)
90: (INVOKE-DEBUGGER #<SIMPLE-ERROR {C389EE1}>)
91: (ERROR "Error during processing of --eval ~
option ~S:~%~% ~A")
92: ((LAMBDA (SB-IMPL::E)) #<SB-INT:SIMPLE-STREAM-ERROR {C389BF9}>)
93: ((LAMBDA (SB-IMPL::E)) #<SB-INT:SIMPLE-STREAM-ERROR {C389BF9}>)
94: (SIGNAL #<SB-INT:SIMPLE-STREAM-ERROR {C389BF9}>)
95: (ERROR SB-INT:SIMPLE-STREAM-ERROR)
96: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
97: (SB-IMPL::SIMPLE-STREAM-PERROR "Couldn't write to ~s" #<SB-SYS:FD-STREAM for
"a socket" {C2F6249}> 32)
98: (FORCE-OUTPUT #<SB-SYS:FD-STREAM for "a socket" {C2F6249}>)
99: (MAXIMA::DBM-READ #<SB-SYS:FD-STREAM for "a socket" {C2F6249}> NIL (NIL) NIL)
100: (MAXIMA::CONTINUE #<SB-SYS:FD-STREAM for "a socket" {C2F6249}> NIL)
101: (MAXIMA::MACSYMA-TOP-LEVEL #<SB-IMPL::STRING-INPUT-STREAM {BABE181}> NIL)
102: (RUN)
103: (SB-INT:SIMPLE-EVAL-IN-LEXENV (RUN) #<NULL-LEXENV>)
104: (SB-IMPL::PROCESS-EVAL-OPTIONS ("(cl-user::run)"))
105: (SB-IMPL::TOPLEVEL-INIT)
106: ((LABELS SB-IMPL::RESTART-LISP))
debugger invoked on a SIMPLE-ERROR in thread #<THREAD "initial thread"
{BA8FAA9}>: Maximum error nesting depth exceeded
Type HELP for debugger help, or (SB-EXT:QUIT) to exit from SBCL.
restarts (invokable by number or by possibly-abbreviated name):
0: [MACSYMA-QUIT] Maxima top-level
1: [CONTINUE ] Ignore and continue with next --eval option.
2: [ABORT ] Skip rest of --eval options.
3: Skip to toplevel READ/EVAL/PRINT loop.
4: [QUIT ] Quit SBCL (calling #'QUIT, killing the process).
((LAMBDA (SB-IMPL::E)) #<SB-INT:SIMPLE-STREAM-ERROR {C389BF9}>)
0] [root@localhost ~]#
Now will try as regular user and report back.
Now xmaxima is running as regular user as well:
(%i1)
2 x - 1
2 atan(-------)
log(x - x + 1) sqrt(3) log(x + 1)
(%o1) - --------------- + ------------- + ----------
6 sqrt(3) 3
(%i2)
2 x - 1
2 atan(-------)
log(x - x + 1) sqrt(3) log(x + 1)
(%o2) --------------- + ------------- - ----------
6 sqrt(3) 3
(%i3)
%pi
(%o3) ---
4
(%i4)
[olivares@localhost ~]$ Maxima 5.13.0 http://maxima.sourceforge.net
Using Lisp SBCL 1.0.9
Distributed under the GNU Public License. See the file COPYING.
Dedicated to the memory of William Schelter.
This is a development version of Maxima. The function bug_report()
provides bug reporting information.
(%i1) jfa: starting server on port 4008
Will try these changes to other machine and see if it helps. This machine
appear to have squashed maxima/xmaxima error.
Regards,
Antonio
On the machine with the original problem http://smolt.fedoraproject.org/show?UUID=5e80274b-13b0-455b-b557-d05b0170dcfc I have done this: [root@localhost ~]# chcon -t unconfined_execmem_exec_t /usr/bin/sbcl [root@localhost ~]# semanage fcontext -a -t unconfined_execmem_exec_t /usr/bin/sbcl [root@localhost ~]# runcon -t unconfined_execmem_t /usr/lib/maxima/5.13.0/binary-gcl/maxima Segmentation fault I got the alert: Summary SELinux is preventing /usr/lib/maxima/5.13.0/binary-gcl/maxima from loading /usr/lib/maxima/5.13.0/binary-gcl/maxima which requires text relocation. Detailed Description The /usr/lib/maxima/5.13.0/binary-gcl/maxima application attempted to load /usr/lib/maxima/5.13.0/binary-gcl/maxima which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The http://people.redhat.com/drepper/selinux-mem.html web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/maxima/5.13.0/binary-gcl/maxima to use relocation as a workaround, until the library is fixed. Please file a http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package. Allowing Access If you trust /usr/lib/maxima/5.13.0/binary-gcl/maxima to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t /usr/lib/maxima/5.13.0/binary-gcl/maxima" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t /usr/lib/maxima/5.13.0 /binary-gcl/maxima" The following command will allow this access: chcon -t textrel_shlib_t /usr/lib/maxima/5.13.0/binary-gcl/maxima Additional Information Source Context system_u:system_r:unconfined_execmem_t Target Context system_u:object_r:unconfined_execmem_exec_t Target Objects /usr/lib/maxima/5.13.0/binary-gcl/maxima [ file ] Affected RPM Packages maxima-runtime-gcl-5.13.0-6.fc8 [application ]maxima-runtime-gcl-5.13.0-6.fc8 [target] Policy RPM selinux-policy-3.0.8-3.fc8 Selinux Enabled True Policy Type targeted MLS Enabled True Enforcing Mode Enforcing Plugin Name plugins.allow_execmod Host Name localhost Platform Linux localhost 2.6.23-0.189.rc6.git8.fc8 #1 SMP Wed Sep 19 20:34:10 EDT 2007 i686 athlon Alert Count 8 First Seen Wed 12 Sep 2007 10:25:51 AM CDT Last Seen Fri 21 Sep 2007 06:43:46 PM CDT Local ID d5f20c6c-774f-4f65-bc5c-90e2658d4c3d Line Numbers Raw Audit Messages avc: denied { execmod } for comm=maxima dev=dm-0 egid=0 euid=0 exe=/usr/lib/maxima/5.13.0/binary-gcl/maxima exit=-13 fsgid=0 fsuid=0 gid=0 items=0 path=/usr/lib/maxima/5.13.0/binary-gcl/maxima pid=6874 scontext=system_u:system_r:unconfined_execmem_t:s0 sgid=0 subj=system_u:system_r:unconfined_execmem_t:s0 suid=0 tclass=file tcontext=system_u:object_r:unconfined_execmem_exec_t:s0 tty=pts0 uid=0 Applied the requirements [root@localhost ~]# chcon -t textrel_shlib_t /usr/lib/maxima/5.13.0/binary-gcl/maxima [root@localhost ~]# semanage fcontext -a -t textrel_shlib_t /usr/lib/maxima/5.13.0/binary-gcl/maxima [root@localhost ~]# maxima Maxima 5.13.0 http://maxima.sourceforge.net Using Lisp SBCL 1.0.9 Distributed under the GNU Public License. See the file COPYING. Dedicated to the memory of William Schelter. This is a development version of Maxima. The function bug_report() provides bug reporting information. (%i1) solve(x^3+7*x^2+7*x-1;x); Incorrect syntax: Missing ) (%i1) Incorrect syntax: Too many )'s (%i1) Incorrect syntax: Premature termination of input at ;. (%i1) solve(x^3+7*x^2+7*x-1,x); sqrt(3) %i 1 - 3/2 109 1/3 (%o1) [x = (- ---------- - -) (3 sqrt(373) %i - ---) 2 2 27 sqrt(3) %i 1 28 (---------- - -) 2 2 7 + -------------------------------- - -, - 3/2 109 1/3 3 9 (3 sqrt(373) %i - ---) 27 sqrt(3) %i 1 - 3/2 109 1/3 x = (---------- - -) (3 sqrt(373) %i - ---) 2 2 27 sqrt(3) %i 1 28 (- ---------- - -) 2 2 7 + -------------------------------- - -, - 3/2 109 1/3 3 9 (3 sqrt(373) %i - ---) 27 - 3/2 109 1/3 28 7 x = (3 sqrt(373) %i - ---) + -------------------------------- - -] 27 - 3/2 109 1/3 3 9 (3 sqrt(373) %i - ---) 27 (%i2) xmaxima works! and I have installed wxMaxima as well and it is also working. [olivares@localhost ~]$ wxmaxima bash: wxmaxima: command not found [olivares@localhost ~]$ su - Password: [root@localhost ~]# yum install wxMaxima Loading "skip-broken" plugin Loading "refresh-updatesd" plugin development 100% |=========================| 2.1 kB 00:00 texlive 100% |=========================| 951 B 00:00 Setting up Install Process Parsing package install arguments Resolving Dependencies --> Running transaction check ---> Package wxMaxima.i386 0:0.7.2-4.fc8 set to be updated --> Processing Dependency: libwx_gtk2u_core-2.8.so.0(WXU_2.8) for package: wxMaxima --> Processing Dependency: libwx_gtk2u_adv-2.8.so.0(WXU_2.8) for package: wxMaxima --> Processing Dependency: libwx_gtk2u_xrc-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_gtk2u_adv-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_gtk2u_core-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_baseu_net-2.8.so.0(WXU_2.8) for package: wxMaxima --> Processing Dependency: libwx_gtk2u_aui-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_gtk2u_html-2.8.so.0(WXU_2.8) for package: wxMaxima --> Processing Dependency: libwx_baseu-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_baseu_xml-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_gtk2u_qa-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_gtk2u_html-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_baseu_net-2.8.so.0 for package: wxMaxima --> Processing Dependency: libwx_baseu-2.8.so.0(WXU_2.8) for package: wxMaxima --> Running transaction check ---> Package wxGTK.i386 0:2.8.4-6.fc8 set to be updated --> Finished Dependency Resolution Dependencies Resolved ============================================================================= Package Arch Version Repository Size ============================================================================= Installing: wxMaxima i386 0.7.2-4.fc8 development 524 k Installing for dependencies: wxGTK i386 2.8.4-6.fc8 development 4.4 M Transaction Summary ============================================================================= Install 2 Package(s) Update 0 Package(s) Remove 0 Package(s) Total download size: 4.9 M Is this ok [y/N]: y Downloading Packages: (1/2): wxGTK-2.8.4-6.fc8. 100% |=========================| 4.4 MB 00:02 (2/2): wxMaxima-0.7.2-4.f 100% |=========================| 524 kB 00:00 Running rpm_check_debug Running Transaction Test warning: wxGTK-2.8.4-6.fc8: Header V3 DSA signature: NOKEY, key ID 30c9ecf8 Finished Transaction Test Transaction Test Succeeded Running Transaction Installing: wxGTK ######################### [1/2] Installing: wxMaxima ######################### [2/2] Installed: wxMaxima.i386 0:0.7.2-4.fc8 Dependency Installed: wxGTK.i386 0:2.8.4-6.fc8 Complete! it works as regular user: (%i2) wxplot2d([x^2], [x,-5,5], [gnuplot_preamble, "set grid;"])$Maxima encountered a Lisp error: Error during processing of --eval option "(cl-user::run)": c-string decoding error (:external-format :UTF-8): the octet sequence 1 cannot be decoded.Automatically continuing.To reenable the Lisp debugger set *debugger-hook* to nil.(%i3) solve([x^2+5x-6], [x]);Incorrect syntax: X is not an infix operatorsolve([x^2+5x- ^(%i3) solve([x^2+5*x+6], [x]); (%o3) [x=-3,x=-2](%i4) This bug appears to be fixed. Now I guess it is your call. There are other bugs. Will get to them later. Regards, Antonio Ok I am changing /usr/bin/sbcl -- gen_context(system_u:object_r:unconfined_execmem_exec_t,s0) And /usr/lib/maxima/[^/]+/binary-gcl/maxima -- gen_context(system_u:object_r:textrel_shlib_t,s0) fixed in selinux-policy-3.0.8-11 confirmed, works as advertised. |