Bug 430454

Summary: selinux denials libGL.so writable memory segment executable
Product: Fedora
Reporter: Andrew Farris <lordmorgul>
Component: mesa
Assignee: Adam Jackson <ajax>
Status: CLOSED CANTFIX
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2008-01-28 11:13:21 UTC

Description Andrew Farris 2008-01-28 06:44:48 UTC
Version-Release number of selected component (if applicable):
mesa-libGL-7.1-0.8.fc9.i386
selinux-policy-3.2.5-19.fc9.noarch
kernel-2.6.24-2.fc9.i686

Summary:

SELinux is preventing gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper)
from changing a writable memory segment executable.

Detailed Description:

The gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper) application
attempted to change the access protection of memory (e.g., allocated using
malloc). This is a potential security problem. Applications should not be doing
this. Applications are sometimes coded incorrectly and request this permission.
The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If
gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper) does not work and you
need it to work, you can configure SELinux temporarily to allow this access
until the application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper) to run
correctly, you can change the context of the executable to
unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper)". You must also change
the default file context files on the system in order to preserve them even on a
full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t
gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper)"

The following command will allow this access:

chcon -t unconfined_execmem_exec_t
gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper)

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper)
Port                          <Unknown>
Host                          cirithungol
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.2.5-19.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmem
Host Name                     cirithungol
Platform                      Linux cirithungol 2.6.24-2.fc9 #1 SMP Fri Jan 25 13:14:54 EST 2008 i686 i686
Alert Count                   2
First Seen                    Sun 27 Jan 2008 07:01:57 AM EST
Last Seen                     Sun 27 Jan 2008 06:29:46 PM EST
Local ID                      10c8826c-0d04-4c04-987f-277adcf3009e
Line Numbers                  

Raw Audit Messages            

host=cirithungol type=AVC msg=audit(1201487386.879:70): avc:  denied  { execmem } for  pid=4159 comm="gnome-screensav" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=cirithungol type=SYSCALL msg=audit(1201487386.879:70): arch=40000003 syscall=192 success=no exit=-13 a0=48f000 a1=1b000 a2=7 a3=812 items=0 ppid=2993 pid=4159 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Errors from glxgears and glxinfo as well:
Jan 28 01:41:38 cirithungol setroubleshoot: SELinux is preventing
glxinfo(/usr/bin/glxinfo) from making the program stack executable. For complete
SELinux messages. run sealert -l a17416c0-8543-45b9-93e9-cc834af042ab
Jan 28 01:37:11 cirithungol setroubleshoot: SELinux is preventing
glxinfo(/usr/bin/glxinfo) from changing a writable memory segment executable.
For complete SELinux messages. run sealert -l 10c8826c-0d04-4c04-987f-277adcf3009e

llz /usr/lib/libGL*
818229   4 lrwxrwxrwx+ 1 system_u:object_r:lib_t:s0       0 0   1 2008-01-24 21:14 /usr/lib/libGL.so -> libGL.so.1
816847   4 lrwxrwxrwx+ 1 system_u:object_r:lib_t:s0       0 0   1 2008-01-24 18:55 /usr/lib/libGL.so.1 -> libGL.so.1.2
818352 456 -rwxr-xr-x+ 1 system_u:object_r:textrel_shlib_t:s0 0 0 448 2008-01-22 13:41 /usr/lib/libGL.so.1.2
816746   4 lrwxrwxrwx+ 1 system_u:object_r:lib_t:s0       0 0   1 2008-01-24 18:52 /usr/lib/libGLU.so.1 -> libGLU.so.1.3.070100
817972 536 -rwxr-xr-x+ 1 system_u:object_r:textrel_shlib_t:s0 0 0 526 2008-01-22 13:41 /usr/lib/libGLU.so.1.3.070100

Running the 'nv' X driver, although nvidia libs installed via livna (relocated).
After setenforce 0 glxinfo outputs expected results.
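
The raw audit messages in this report become much easier to read once the SYSCALL record is decoded alongside the AVC record: arch=40000003 is i386, syscall 192 is mmap2, and a2=7 asks for PROT_READ|PROT_WRITE|PROT_EXEC on a single MAP_PRIVATE mapping, which is exactly the writable-and-executable request that the execmem permission gates. The script below is an added example for this page and is not code from the bug report, from Fedora or from mesa. It groups AVC and SYSCALL records by audit serial and decodes the i386 mmap2/mprotect arguments into symbolic names. The embedded audit lines are constructed: event 70 mirrors the execmem denial quoted above, and event 71 is a made-up execstack denial (mprotect on the stack, syscall 125 on i386) to cover the other denial type the report mentions for glxinfo.

```python
"""Decode SELinux execmem/execstack denials from Linux audit records.

Added example, not part of the bug report: AVC and SYSCALL records are
grouped by audit serial and the i386 mmap2/mprotect arguments are decoded
into PROT_*/MAP_* names so the denied request can be read at a glance.
"""
import re
from collections import defaultdict

# Constructed sample input, modelled on the raw audit messages in the report.
# Event 70 mirrors the reported execmem denial; event 71 is a made-up
# execstack denial (mprotect on the stack) to show the other denial type.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1201487386.879:70): avc:  denied  { execmem } for  pid=4159 comm="gnome-screensav" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1201487386.879:70): arch=40000003 syscall=192 success=no exit=-13 a0=48f000 a1=1b000 a2=7 a3=812 items=0 ppid=2993 pid=4159 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1201487400.000:71): avc:  denied  { execstack } for  pid=4200 comm="glxinfo" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1201487400.000:71): arch=40000003 syscall=125 success=no exit=-13 a0=bf800000 a1=1000 a2=7 a3=0 items=0 pid=4200 comm="glxinfo" exe="/usr/bin/glxinfo"
"""

# Bit names for the i386 ABI (arch=40000003 is AUDIT_ARCH_I386).
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
            0x20: "MAP_ANONYMOUS", 0x800: "MAP_DENYWRITE", 0x1000: "MAP_EXECUTABLE"}
I386_SYSCALLS = {125: "mprotect", 192: "mmap2"}

KV_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")
PERM_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Split one audit record into its key=value fields plus serial and perms."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    fields["_serial"] = m.group(2) if m else None
    p = PERM_RE.search(line)
    if p:
        fields["_perms"] = p.group(1).split()
    return fields


def decode_flags(value, table):
    """Render a bitmask as NAME|NAME, keeping unknown bits as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    rest = value & ~sum(table)
    if rest:
        names.append(hex(rest))
    return "|".join(names) or "0"


def decode_syscall(sc):
    """Describe an i386 mmap2/mprotect SYSCALL record symbolically, else None."""
    if sc.get("arch") != "40000003":
        return None  # only the i386 argument layout is decoded here
    name = I386_SYSCALLS.get(int(sc.get("syscall", -1)))
    if name is None:
        return None
    addr, length, prot = (int(sc[a], 16) for a in ("a0", "a1", "a2"))
    desc = {"syscall": name, "addr": addr, "len": length,
            "prot": decode_flags(prot, PROT_BITS),
            # W+X on one mapping is what execmem/execstack exist to catch
            "writable_and_executable": prot & 0x6 == 0x6}
    if name == "mmap2":
        flags = int(sc.get("a3", "0"), 16)
        desc["flags"] = decode_flags(flags, MAP_BITS)
        desc["file_backed"] = not flags & 0x20  # no MAP_ANONYMOUS: backed by an fd
    return desc


def analyze(audit_text):
    """Return one finding per AVC denial, joined with its SYSCALL record."""
    events = defaultdict(list)
    for line in audit_text.splitlines():
        if line.strip():
            rec = parse_record(line)
            events[rec["_serial"]].append(rec)
    findings = []
    for serial, recs in events.items():
        syscalls = [r for r in recs if r.get("type") == "SYSCALL"]
        for avc in (r for r in recs if r.get("type") == "AVC"):
            f = {"serial": serial, "perms": avc.get("_perms", []),
                 "comm": avc.get("comm"), "pid": avc.get("pid"),
                 "tclass": avc.get("tclass"), "scontext": avc.get("scontext")}
            if syscalls:
                sc = syscalls[0]
                f["exe"] = sc.get("exe")
                f["exit"] = int(sc.get("exit", "0"))  # -13 is EACCES
                f["request"] = decode_syscall(sc)
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT):
        req = f.get("request") or {}
        print(f"{'/'.join(f['perms'])} denied for {f['comm']} pid={f['pid']} "
              f"exe={f.get('exe')}: {req.get('syscall')} prot={req.get('prot')} "
              f"flags={req.get('flags', '-')} exit={f.get('exit')}")
```

Feed it `ausearch -m AVC,SYSCALL --raw` output (or the lines sealert prints) and each denial comes out as one line naming the syscall and the requested protection. For the event in this report the decoded flags are MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE with no MAP_ANONYMOUS, so the RWX request is for a file-backed library segment rather than a heap or JIT region, which is the kind of detail that tells a triager whether a library's labelling or the requesting binary is the thing to look at.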

Comment 1 Andrew Farris 2008-01-28 06:46:48 UTC
The question is: is executable memory required here (so a policy issue)?

Comment 2 Andrew Farris 2008-01-28 11:13:21 UTC
Oops... ldd shows this one really is the nvidia libs instead. They seem to be
labeled correctly as per policy, so it could be a problem with their latest
driver itself, or just the fact that the nvidia module isn't loaded while
attempting to use those libs. Closing this; I'll clone it to policy if I can
get the nvidia module loaded and still have policy problems (currently the module
won't work with the X ABI anyway).