Bug 199886 - With selinux active, metacity won't start
With selinux active, metacity won't start
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: mesa (Show other bugs)
6
All Linux
medium Severity medium
: ---
: ---
Assigned To: Adam Jackson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-07-23 20:12 EDT by Jim Cornette
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-07-27 20:45:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Jim Cornette 2006-07-23 20:12:56 EDT
Description of problem:
For awhile now, I believe since the last update to mesa-libGL, metacity will no
longer start when SELinux is active. GNOME will not start because of an execmem
error.

Version-Release number of selected component (if applicable):
mesa-libGL-6.5-13.1.fc6

How reproducible:
With SELinux active, start gnome. The splash screen pauses for a long time. If
GNOME is started, metacity is not active. For reference, compiz does the same thing.

Steps to Reproduce:
1. start computer
2.login at gdm prompt to gnome
3. wait for a long time, no advancement of splash screen.
4. ctl-alt-backspace to gdm
5. run setenforce 0
6. Login again to gnome via gdm
  
Actual results:
before ctl-alt-backspace and selnux being set to permissive mode, gnome fails to
load metacity.

Expected results:
Login to gnome with selinux active

Additional info:
metacity: error while loading shared libraries: libGL.so.1: failed to map
segment from shared object: Permission denied

excerpt from audit.log:
type=MAC_STATUS msg=audit(1153692103.842:53): enforcing=0 old_enforcing=1 auid=0
type=SYSCALL msg=audit(1153692103.842:53): arch=40000003 syscall=4 success=yes
exit=1 a0=3 a1=bfddd7c4 a2=1 a3=bfddd7c4 items=0 ppid=2544 pid=2621 auid=0 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=tty1 comm="setenforce"
exe="/usr/sbin/setenforce" subj=root:system_r:unconfined_t:s0-s0:c0.c255 key=(null)
type=AVC msg=audit(1153692103.858:54): avc:  denied  { dac_override } for 
pid=1695 comm="python" capability=1
scontext=system_u:system_r:setroubleshoot_t:s0
tcontext=system_u:system_r:setroubleshoot_t:s0 tclass=capability
type=SYSCALL msg=audit(1153692103.858:54): arch=40000003 syscall=33 success=yes
exit=0 a0=8c24588 a1=2 a2=1045a64 a3=0 items=1 ppid=1660 pid=1695
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) comm="python" exe="/usr/bin/python"
subj=system_u:system_r:setroubleshoot_t:s0 key=(null)
type=CWD msg=audit(1153692103.858:54):  cwd="/"
type=PATH msg=audit(1153692103.858:54): item=0 name="/var/lib/rpm" inode=195650
dev=03:06 mode=040755 ouid=37 ogid=37 rdev=00:00
obj=system_u:object_r:rpm_var_lib_t:s0
type=AVC msg=audit(1153692118.295:55): avc:  denied  { execmem } for pid=2623
comm="metacity" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=SYSCALL msg=audit(1153692118.295:55): arch=40000003 syscall=192 success=yes
exit=67481600 a0=405b000 a1=5000 a2=7 a3=812 items=0 ppid=2598 pid=2623 auid=500
uid=500 gid=501 euid=500 suid=500 fsuid=500 egid=501 sgid=501 fsgid=501 tty=pts2
comm="metacity" exe="/usr/bin/metacity" subj=user_u:system_r:unconfined_t:s0
key=(null)
Comment 1 Jim Cornette 2006-07-24 06:52:11 EDT
Another option to allow successful booting is to use allow_execmem=0 into the
grub.conf file by following the discussion on the fedora-test-list
Comment 2 marc verbeke 2006-07-27 13:38:40 EDT
I confirm that on my PC FC6 yum updated till yesterday 26/07/2006 
the "metacity"/"no window manager" bug is gone.
I tested it by removing setenforcing 0 in (example) S99loccal (/etc/rc5.d)
I have a (small)issue on the "how long it took" to solve the problem, since on 
MY PC,  fc6 downloaded from internet, weeks ago...,  already contained the bug.
Only a few days ago I encountered the setenforcing temporarily fix.
However I'm very happy it's fixed in/with SELinux,..
Marc Verbeke.  
Comment 3 Jim Cornette 2006-07-27 20:45:35 EDT
Thanks for testing.
I do not have development installed currently and noticed a patch to mesa which
pinpointed the SELinux issue. I had development installed a day before the
removal of the patch to mesa.
I'll change resolution to fixed in rawhide.

Note You need to log in before you can comment on or make changes to this bug.