Bug 464305

Summary: SELinux bug in hooks.c, and it conflicts with the fglrx driver
Product: [Fedora] Fedora
Component: kernel
Version: 9
Hardware: All
OS: Linux
Status: CLOSED NOTABUG
Severity: high
Priority: medium
Reporter: Viktor Erdelyi <verdelyi>
Assignee: Kernel Maintainer List <kernel-maint>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: kernel-maint
Doc Type: Bug Fix
Last Closed: 2008-09-27 16:14:19 UTC

Description Viktor Erdelyi 2008-09-27 11:55:15 UTC
Version-Release number of selected component (if applicable):
selinux: 3.3.1.91.fc9
XOrg: Fedora 8 latest (downgraded to xserver 1.4 for fglrx to work)

How reproducible:
I get it at every boot, after login. Then, if I start compiz, the system freezes in 30 seconds (sometimes the 3D desktop works for 30 secs, then it goes blank, and nothing).

kernel BUG at security/selinux/hooks.c:1332!
invalid opcode: 0000 [#1] SMP 
Modules linked in: w83627ehf hwmon_vid hwmon fuse sunrpc ppp_synctty ppp_async crc_ccitt ppp_generic slhc ipt_REJECT nf_conntrack_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables x_tables cpufreq_ondemand acpi_cpufreq ext2 dm_mirror dm_log dm_multipath dm_mod ipv6 snd_hda_intel sr_mod cdrom snd_seq_dummy snd_seq_oss snd_seq_midi_event snd_seq ata_generic snd_seq_device snd_pcm_oss floppy snd_mixer_oss snd_pcm fglrx(P) snd_timer iTCO_wdt snd_page_alloc iTCO_vendor_support sky2 ata_piix snd_hwdep i2c_i801 pata_acpi pcspkr serio_raw sg snd i2c_core soundcore ahci libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd [last unloaded: microcode]

Pid: 2789, comm: Xorg Tainted: P          (2.6.26.3-29.fc9.i686 #1)
EIP: 0060:[<c04d49b7>] EFLAGS: 00013246 CPU: 0
EIP is at task_has_capability+0x48/0x76
EAX: 00000030 EBX: f6cac030 ECX: f41bbf28 EDX: 00000000
ESI: f6cc2020 EDI: f6e64ec8 EBP: f6e64ed4 ESP: f6e64e84
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process Xorg (pid: 2789, ti=f6e64000 task=f47d1900 task.ti=f6e64000)
Stack: c06e2556 f6cac030 f47d1900 00000003 f47d1900 f6cac030 00000000 00000000 
       00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 
       00000000 f6cac030 f47d1900 f41b6800 f6e64ee4 c04d4a04 f47d1900 f8c76020 
Call Trace:
 [<c04d4a04>] ? selinux_capable+0x1f/0x23
 [<c04d03ea>] ? security_capable+0xc/0xe
 [<c042f37f>] ? __capable+0xb/0x22
 [<f8b47d50>] ? firegl_version+0x0/0x1b0 [fglrx]
 [<c042f3a6>] ? capable+0x10/0x12
 [<f8b47c14>] ? firegl_ioctl+0x134/0x270 [fglrx]
 [<c04d52df>] ? file_has_perm+0x7b/0x84
 [<f8b3e8e1>] ? ip_firegl_ioctl+0xe/0x10 [fglrx]
 [<c048febc>] ? vfs_ioctl+0x50/0x69
 [<c049010e>] ? do_vfs_ioctl+0x239/0x24c
 [<c04d5475>] ? selinux_file_ioctl+0xa8/0xab
 [<c0490161>] ? sys_ioctl+0x40/0x5b
 [<c0404c32>] ? syscall_call+0x7/0xb
 [<c0630000>] ? __down_interruptible+0x4/0x8d
 ======================
Code: 00 89 d0 f3 ab 8b 4d b8 89 d8 b2 04 c1 f8 05 c6 45 bc 03 89 5d c4 89 4d c0 74 16 48 b2 45 74 11 53 68 56 25 6e c0 e8 e4 a2 15 00 <0f> 0b 59 5b eb fe 8b 46 04 83 e3 1f 0f b7 f2 8d 55 bc 88 d9 52 
EIP: [<c04d49b7>] task_has_capability+0x48/0x76 SS:ESP 0068:f6e64e84
---[ end trace 7df5ba2712165806 ]---

Comment 1 Chuck Ebbert 2008-09-27 16:14:19 UTC
The fglrx driver is compiled against broken capability libraries and/or header files. Take this up with the driver author.

Comment 2 Viktor Erdelyi 2008-09-27 18:52:57 UTC
Ehh...

http://www.linux-archive.org/fedora-selinux-support/165825-selinux-detects-problem-proprietary-binary-fglrx-driver-however-amd-ati-will-not-help.html

"AMD/ATI's response is as follows:
I regret there is no support for Linux at this time."

It's hopeless.

Comment 3 Chuck Ebbert 2008-10-04 06:01:01 UTC
(In reply to comment #2)
> Ehh...
> 
> http://www.linux-archive.org/fedora-selinux-support/165825-selinux-detects-problem-proprietary-binary-fglrx-driver-however-amd-ati-will-not-help.html
> 
> "AMD/ATI's response is as follows:
> I regret there is no support for Linux at this time."
> 
> It's hopeless.

If you didn't build the driver yourself from source, ask whoever built it for a fix.

Comment 4 Viktor Erdelyi 2008-10-05 09:10:56 UTC
I updated my fglrx to the newest official driver (8.530 or whatever, from ATI's homepage), and now it seems to work. The latest livna-testing package that I used didn't work. I think I'll stick with the official installer.