Description of problem:
For a while now, I believe since the last update to mesa-libGL, metacity will no longer start when SELinux is active. GNOME will not start because of an execmem error.

Version-Release number of selected component (if applicable):
mesa-libGL-6.5-13.1.fc6

How reproducible:
With SELinux active, start gnome. The splash screen pauses for a long time. If GNOME is started, metacity is not active. For reference, compiz does the same thing.

Steps to Reproduce:
1. start computer
2. login at gdm prompt to gnome
3. wait for a long time, no advancement of splash screen.
4. ctl-alt-backspace to gdm
5. run setenforce 0
6. Login again to gnome via gdm

Actual results:
before ctl-alt-backspace and selinux being set to permissive mode, gnome fails to load metacity.

Expected results:
Login to gnome with selinux active

Additional info:
metacity: error while loading shared libraries: libGL.so.1: failed to map segment from shared object: Permission denied

excerpt from audit.log:
type=MAC_STATUS msg=audit(1153692103.842:53): enforcing=0 old_enforcing=1 auid=0
type=SYSCALL msg=audit(1153692103.842:53): arch=40000003 syscall=4 success=yes exit=1 a0=3 a1=bfddd7c4 a2=1 a3=bfddd7c4 items=0 ppid=2544 pid=2621 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="setenforce" exe="/usr/sbin/setenforce" subj=root:system_r:unconfined_t:s0-s0:c0.c255 key=(null)
type=AVC msg=audit(1153692103.858:54): avc: denied { dac_override } for pid=1695 comm="python" capability=1 scontext=system_u:system_r:setroubleshoot_t:s0 tcontext=system_u:system_r:setroubleshoot_t:s0 tclass=capability
type=SYSCALL msg=audit(1153692103.858:54): arch=40000003 syscall=33 success=yes exit=0 a0=8c24588 a1=2 a2=1045a64 a3=0 items=1 ppid=1660 pid=1695 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="python" exe="/usr/bin/python" subj=system_u:system_r:setroubleshoot_t:s0 key=(null)
type=CWD msg=audit(1153692103.858:54): cwd="/"
type=PATH msg=audit(1153692103.858:54): item=0 name="/var/lib/rpm" inode=195650 dev=03:06 mode=040755 ouid=37 ogid=37 rdev=00:00 obj=system_u:object_r:rpm_var_lib_t:s0
type=AVC msg=audit(1153692118.295:55): avc: denied { execmem } for pid=2623 comm="metacity" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1153692118.295:55): arch=40000003 syscall=192 success=yes exit=67481600 a0=405b000 a1=5000 a2=7 a3=812 items=0 ppid=2598 pid=2623 auid=500 uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=pts2 comm="metacity" exe="/usr/bin/metacity" subj=user_u:system_r:unconfined_t:s0 key=(null)
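
Added example (not part of the original report): a small Python triage script that groups audit records by event id and, for each execmem AVC denial, decodes the mmap2 protection flags from the SYSCALL record of the same event. The function names are hypothetical, the sample records are copied from the excerpt above with trailing fields trimmed, and the decoding assumes i386 records (arch=40000003, syscall 192 = mmap2).

```python
import re

# Records copied from the audit.log excerpt in the report (events 54 and 55, fields trimmed).
SAMPLE = """\
type=AVC msg=audit(1153692103.858:54): avc: denied { dac_override } for pid=1695 comm="python" capability=1 scontext=system_u:system_r:setroubleshoot_t:s0 tcontext=system_u:system_r:setroubleshoot_t:s0 tclass=capability
type=AVC msg=audit(1153692118.295:55): avc: denied { execmem } for pid=2623 comm="metacity" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1153692118.295:55): arch=40000003 syscall=192 success=yes exit=67481600 a0=405b000 a1=5000 a2=7 a3=812 items=0 ppid=2598 pid=2623 comm="metacity" exe="/usr/bin/metacity"
"""

HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+:\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r'denied\s+\{([^}]*)\}')
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MMAP2_I386 = ("40000003", "192")  # AUDIT_ARCH_I386, __NR_mmap2

def parse(text):
    """Group records by event id (timestamp:serial) -> {record type: fields}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        if rtype == "AVC":
            pm = PERMS.search(body)
            fields["perms"] = pm.group(1).split() if pm else []
        # Simplification: keeps the last record of each type per event.
        events.setdefault(event_id, {})[rtype] = fields
    return events

def execmem_denials(text):
    """Return one finding per event whose AVC record denies execmem."""
    findings = []
    for event_id, recs in parse(text).items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL", {})
        if not avc or "execmem" not in avc["perms"]:
            continue
        prot = None
        if (sc.get("arch"), sc.get("syscall")) == MMAP2_I386:
            bits = int(sc["a2"], 16)  # audit logs syscall arguments in hex
            prot = [name for bit, name in PROT.items() if bits & bit]
        findings.append({"event": event_id, "comm": avc.get("comm"),
                         "exe": sc.get("exe"), "scontext": avc.get("scontext"),
                         "prot": prot, "blocked": sc.get("success") == "no"})
    return findings

if __name__ == "__main__":
    for finding in execmem_denials(SAMPLE):
        print(finding)
```

For event 55 the mapping requested read, write and execute together and the syscall still succeeded, which is consistent with the MAC_STATUS record showing enforcing=0 a few seconds earlier: the denial was logged but not enforced.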
Another option to allow successful booting is to put allow_execmem=0 into the grub.conf file, following the discussion on the fedora-test-list.
I confirm that on my PC, FC6 yum-updated till yesterday (26/07/2006), the "metacity"/"no window manager" bug is gone. I tested it by removing setenforcing 0 in (example) S99local (/etc/rc5.d). I have a (small) issue with "how long it took" to solve the problem, since on MY PC, fc6, downloaded from the internet weeks ago, already contained the bug. Only a few days ago I encountered the setenforcing temporary fix. However, I'm very happy it's fixed in/with SELinux. Marc Verbeke.
Thanks for testing. I do not have development installed currently and noticed a patch to mesa which pinpointed the SELinux issue. I had development installed a day before the removal of the patch to mesa. I'll change resolution to fixed in rawhide.