Bug 486772

Summary: SELinux is preventing gnome-screensav from loading /usr/lib/fglrx/libatiadlxx.so which requires text relocation.
Product: [Fedora] Fedora
Reporter: rohit <imrohit>
Component: selinux-policy
Assignee: Miroslav Grepl <mgrepl>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 10
CC: mgrepl
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2009-02-23 09:49:14 UTC

Description rohit 2009-02-22 02:32:12 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020410 Fedora/3.0.6-1.fc10 Firefox/3.0.6

Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
The gnome-screensav application attempted to load /usr/lib/fglrx/libatiadlxx.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/fglrx/libatiadlxx.so to use relocation as a workaround, until the library is fixed. Please file a bug report against this package.

Additional Information
Source Context:  unconfined_u:unconfined_r:unconfined_t:s0
Target Context:  system_u:object_r:lib_t:s0
Target Objects:  /usr/lib/fglrx/libatiadlxx.so [ file ]
Source:  glxinfo
Source Path:  /usr/bin/glxinfo
Port:  <Unknown>
Host:  localhost.localdomain
Source RPM Packages:  gnome-screensaver-2.24.1-2.fc10
Target RPM Packages:  xorg-x11-drv-fglrx-libs-8.573-1.9.1.fc10
Policy RPM:  selinux-policy-3.5.13-44.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  allow_execmod
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.27.15-170.2.24.fc10.i686 #1 SMP Wed Feb 11 23:58:12 EST 2009 i686 athlon (AMD Phenom Quad Core)
Alert Count:  1
First Seen:  Sat 21 Feb 2009 11:54:08 PM IST
Last Seen:  Sun 22 Feb 2009 12:18:33 AM IST
Local ID:  3591d9a3-a2dd-417c-a336-4b9e3deca9f7

Raw Audit Messages :

node=localhost.localdomain type=AVC msg=audit(1235242113.561:28): avc: denied { execmod } for pid=12565 comm="gnome-screensav" path="/usr/lib/fglrx/libatiadlxx.so" dev=sda7 ino=2370152 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file 

node=localhost.localdomain type=SYSCALL msg=audit(1235242113.561:28): arch=40000003 syscall=125 success=yes exit=0 a0=8ac000 a1=1f000 a2=5 a3=bfe3e7f0 items=0 ppid=3254 pid=12565 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null) 

Reproducible: Always

Steps to Reproduce:
1. Install fglrx packages from compiz-fusion repo (including deps)
2. Reboot the system
3. After reboot with the updated kernel and login, it appears at the top right in the SELinux icon.

Actual Results:
Same as given in results box

As a workaround I used the chcon command:

chcon -t textrel_shlib_t '/usr/lib/fglrx/libatiadlxx.so'
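
Added example (not part of the original report and not setroubleshoot's own code): the AVC and SYSCALL records in the raw audit messages share the event ID 1235242113.561:28, and correlating them shows that the execmod denial was raised by an mprotect() call making pages of the library readable and executable, which is what applying text relocations requires. The function names and the abbreviated copies of the two records are constructed here; the script assumes i386 records, where syscall 125 is mprotect.

```python
import re

# Constructed sample: the two records from this report, trimmed to the fields used.
AUDIT_LINES = [
    'node=localhost.localdomain type=AVC msg=audit(1235242113.561:28): avc: denied '
    '{ execmod } for pid=12565 comm="gnome-screensav" '
    'path="/usr/lib/fglrx/libatiadlxx.so" dev=sda7 ino=2370152 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file',
    'node=localhost.localdomain type=SYSCALL msg=audit(1235242113.561:28): arch=40000003 '
    'syscall=125 success=yes exit=0 a0=8ac000 a1=1f000 a2=5 a3=bfe3e7f0 items=0 '
    'ppid=3254 pid=12565 comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper"',
]

EVENT_RE = re.compile(r'type=(\w+) msg=audit\(([\d.]+:\d+)\):')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERM_RE = re.compile(r'avc:\s+denied\s+\{([^}]*)\}')
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
ARCH_I386, MPROTECT_I386 = "40000003", 125  # AUDIT_ARCH_I386, mprotect(2) on i386

def group_events(lines):
    """Group audit records by event ID (timestamp:serial), keyed by record type."""
    events = {}
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue
        rtype, event_id = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
        perm = PERM_RE.search(line)
        if perm:
            fields["perms"] = perm.group(1).split()
        events.setdefault(event_id, {})[rtype] = fields
    return events

def explain_execmod(event):
    """Summarise an execmod denial caused by mprotect(); None if it is not one."""
    avc, sc = event.get("AVC"), event.get("SYSCALL")
    if not avc or not sc or "execmod" not in avc.get("perms", []):
        return None
    if sc["arch"] != ARCH_I386 or int(sc["syscall"]) != MPROTECT_I386:
        return None
    prot = int(sc["a2"], 16)  # audit logs syscall arguments in hex
    return {
        "library": avc["path"], "exe": sc["exe"],
        "target_type": avc["tcontext"].split(":")[2],
        "addr": int(sc["a0"], 16), "length": int(sc["a1"], 16),
        "prot": [name for bit, name in PROT_BITS.items() if prot & bit],
        "permitted": sc["success"] == "yes",  # yes here: permissive mode let it through
    }
```
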

Comment 1 Miroslav Grepl 2009-02-23 09:49:14 UTC
Fixed in current release of selinux-policy:

selinux-policy-3.5.13-45.fc10