Bug 191191 - libGL.so needs execmod priviliges on load
libGL.so needs execmod priviliges on load
Status: CLOSED DUPLICATE of bug 178262
Product: Fedora
Classification: Fedora
Component: mesa (Show other bugs)
All Linux
medium Severity low
: ---
: ---
Assigned To: Adam Jackson
X/OpenGL Maintenance List
Depends On:
  Show dependency treegraph
Reported: 2006-05-09 13:38 EDT by Noa Resare
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-06-23 17:13:42 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Noa Resare 2006-05-09 13:38:31 EDT
Description of problem:

In some cases selinux denies the "execmod" privilege. For some reason libGL.so
does operations that need this privilege on library load. Is it really needed?

The reason I'm asking is that it looks like ATI uses mesa as a part of their
proprietary driver and they place their shared libraries in subdirectory to
/usr/lib which is (was) not previously added to the selinux policy. This lead to
selinux permission failures outlined in #191054

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
# mkdir /usr/lib/test
# cp /usr/lib/libGL.so.1.2 /usr/lib/test
# echo "/usr/lib/test" >> /etc/ld.so.conf.d/test
# /sbin/ldconfig
# ldd /usr/bin/metacity |grep GL.so
        libGL.so.1 => /usr/lib/test/libGL.so.1 (0x06276000)
# /usr/bin/metacity

Actual results:
/usr/bin/metacity: error while loading shared libraries:
/usr/lib/test/libGL.so.1: cannot restore segment prot after reloc: Permission denied

Expected results:
started metacity

Additional info:

http://people.redhat.com/~drepper/selinux-mem.html outlines how the need for
this privilege can be avoided
Comment 1 Hans Ulrich Niedermann 2006-06-18 15:41:00 EDT
FWIW, this problem also exists in stock FC5 (updated using "yum update"),
without any proprietary video drivers or other obscure code.
Comment 2 Adam Jackson 2006-06-23 17:13:42 EDT

*** This bug has been marked as a duplicate of 178262 ***

Note You need to log in before you can comment on or make changes to this bug.