Bug 239661 - ATI libGL.so.1.2 avc: denied
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy-targeted
Version: 6
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Daniel Walsh
QA Contact: Ben Levenson
Reported: 2007-05-10 08:24 EDT by Josef Kubin
Modified: 2007-11-30 17:12 EST (History)
Fixed In Version: Current
Doc Type: Bug Fix
Last Closed: 2007-08-22 10:11:50 EDT
Description Josef Kubin 2007-05-10 08:24:17 EDT
Description of problem:
ATI graphics driver conflicts with SELinux targeted policy

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-62.fc6

How reproducible:
always

Steps to Reproduce:
1. install ati-driver http://ati.amd.com/support/drivers/linux/linux-radeon.html
# ./ati-driver-installer-8.35.5-x86.x86_64.run
  
Actual results:
# cat /var/log/audit/audit.log
...
type=AVC msg=audit(1178795107.133:59): avc:  denied  { execmod } for  pid=14782 comm="gnome-screensav" name="libGL.so.1.2" dev=sda2 ino=693581 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1178795107.133:59): arch=40000003 syscall=125 success=no exit=-13 a0=7bb000 a1=98000 a2=5 a3=bfb8f8d0 items=0 ppid=8551 pid=14782 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC_PATH msg=audit(1178795107.133:59):  path="/usr/lib/xorg/libGL.so.1.2"
type=AVC msg=audit(1178795107.154:60): avc:  denied  { execmod } for  pid=14783 comm="gnome-screensav" name="libGL.so.1.2" dev=sda2 ino=693581 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1178795107.154:60): arch=40000003 syscall=125 success=no exit=-13 a0=6b5000 a1=98000 a2=5 a3=bf8fee40 items=0 ppid=8551 pid=14783 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC_PATH msg=audit(1178795107.154:60):  path="/usr/lib/xorg/libGL.so.1.2"

$ ls -Z /usr/lib/xorg/lib*
-rw-r--r--  root root user_u:object_r:lib_t:s0         /usr/lib/xorg/libfglrx_dm.a
-rw-r--r--  root root user_u:object_r:lib_t:s0         /usr/lib/xorg/libfglrx_dm.so.1.0
-rw-r--r--  root root user_u:object_r:lib_t:s0         /usr/lib/xorg/libfglrx_gamma.a
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/xorg/libfglrx_gamma.so.1 -> libfglrx_gamma.so.1.0
-rw-r--r--  root root user_u:object_r:lib_t:s0         /usr/lib/xorg/libfglrx_gamma.so.1.0
-rw-r--r--  root root user_u:object_r:lib_t:s0         /usr/lib/xorg/libfglrx_pp.a
-rw-r--r--  root root user_u:object_r:lib_t:s0         /usr/lib/xorg/libfglrx_pp.so.1.0
-rw-r--r--  root root user_u:object_r:lib_t:s0         /usr/lib/xorg/libfglrx_tvout.a
lrwxrwxrwx  root root system_u:object_r:lib_t:s0       /usr/lib/xorg/libfglrx_tvout.so.1 -> libfglrx_tvout.so.1.0
-rw-r--r--  root root user_u:object_r:lib_t:s0         /usr/lib/xorg/libfglrx_tvout.so.1.0
lrwxrwxrwx  root root user_u:object_r:lib_t:s0         /usr/lib/xorg/libGL.so -> /usr/lib/xorg/libGL.so.1.2
lrwxrwxrwx  root root user_u:object_r:lib_t:s0         /usr/lib/xorg/libGL.so.1 -> /usr/lib/xorg/libGL.so.1.2
-rw-r--r--  root root user_u:object_r:lib_t:s0         /usr/lib/xorg/libGL.so.1.2
Comment 1 Josef Kubin 2007-05-10 16:18:30 EDT
I'm not sure which party is the culprit - http://ati.cchtml.com/show_bug.cgi?id=664

Temporary solution:
# yum install selinux-policy-devel
# grep libGL /var/log/audit/audit.log | audit2allow -M MyATIlibGLFix
# /usr/sbin/setenforce 0
# semodule -i MyATIlibGLFix.pp
# /usr/sbin/setenforce 1
Comment 2 Daniel Walsh 2007-05-14 14:17:25 EDT
If you just 

chcon -t textrel_shlib_t /usr/lib/xorg/libGL.so.1.2

Does that fix the problem?  Or do you get other execmod errors?
Comment 3 Daniel Walsh 2007-05-14 14:19:47 EDT
Made that change to selinux-policy-2.4.6-69.fc6
Comment 4 Josef Kubin 2007-05-14 14:45:13 EDT
Yes, it fixes the problem :-).
Comment 5 Daniel Walsh 2007-08-22 10:11:50 EDT
Fixed in current release
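
The triage behind the relabel in Comment 2, as an added example that is not part of the original report or of the selinux-policy project: a shell function that pairs each execmod AVC record with its AVC_PATH record by audit event id and lists the affected files with their current type. The names `sample_log` and `execmod_targets` and sample event 61 are constructed for illustration; events 59 and 60 are the ones quoted in the description.

```shell
#!/bin/sh
# Added example: list the files behind SELinux execmod denials in audit records.

# Sample input. Events 59 and 60 are the AVC/AVC_PATH records quoted in the
# report (SYSCALL records omitted); event 61 is constructed to show filtering.
sample_log() {
cat <<'EOF'
type=AVC msg=audit(1178795107.133:59): avc:  denied  { execmod } for  pid=14782 comm="gnome-screensav" name="libGL.so.1.2" dev=sda2 ino=693581 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=AVC_PATH msg=audit(1178795107.133:59):  path="/usr/lib/xorg/libGL.so.1.2"
type=AVC msg=audit(1178795107.154:60): avc:  denied  { execmod } for  pid=14783 comm="gnome-screensav" name="libGL.so.1.2" dev=sda2 ino=693581 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=AVC_PATH msg=audit(1178795107.154:60):  path="/usr/lib/xorg/libGL.so.1.2"
type=AVC msg=audit(1178795200.001:61): avc:  denied  { read } for  pid=14800 comm="example" name="example.conf" dev=sda2 ino=1 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file
type=AVC_PATH msg=audit(1178795200.001:61):  path="/etc/example.conf"
EOF
}

# Reads audit records on stdin, prints "<count> <target type> <path>" per file.
execmod_targets() {
    awk '
        # AVC and AVC_PATH records of one event share the msg=audit(...) id.
        { id = ""; if (match($0, /msg=audit\([^)]*\)/)) id = substr($0, RSTART, RLENGTH) }

        # Remember the target type (third field of tcontext) of execmod denials.
        /^type=AVC / && / denied / && / execmod / {
            if (match($0, /tcontext=[^ ]+/)) {
                split(substr($0, RSTART + 9, RLENGTH - 9), ctx, ":")
                ttype[id] = ctx[3]
            }
            next
        }

        # Attach the full path from the matching AVC_PATH record.
        /^type=AVC_PATH / && (id in ttype) {
            if (match($0, /path="[^"]*"/))
                hits[ttype[id] " " substr($0, RSTART + 6, RLENGTH - 7)]++
        }

        END { for (k in hits) print hits[k], k }
    ' | sort
}

sample_log | execmod_targets
# prints: 2 lib_t /usr/lib/xorg/libGL.so.1.2
```

On a live system the input would be `/var/log/audit/audit.log`; a path listed with type `lib_t` is a candidate for the `chcon -t textrel_shlib_t` relabel from Comment 2.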
