Description of problem:
ATI graphics driver conflicts with SELinux targeted policy

Version-Release number of selected component (if applicable):
selinux-policy-targeted-2.4.6-62.fc6

How reproducible:
always

Steps to Reproduce:
1. install ati-driver
http://ati.amd.com/support/drivers/linux/linux-radeon.html
# ./ati-driver-installer-8.35.5-x86.x86_64.run

Actual results:
# cat /var/log/audit/audit.log
...
type=AVC msg=audit(1178795107.133:59): avc: denied { execmod } for pid=14782 comm="gnome-screensav" name="libGL.so.1.2" dev=sda2 ino=693581 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1178795107.133:59): arch=40000003 syscall=125 success=no exit=-13 a0=7bb000 a1=98000 a2=5 a3=bfb8f8d0 items=0 ppid=8551 pid=14782 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC_PATH msg=audit(1178795107.133:59): path="/usr/lib/xorg/libGL.so.1.2"
type=AVC msg=audit(1178795107.154:60): avc: denied { execmod } for pid=14783 comm="gnome-screensav" name="libGL.so.1.2" dev=sda2 ino=693581 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=SYSCALL msg=audit(1178795107.154:60): arch=40000003 syscall=125 success=no exit=-13 a0=6b5000 a1=98000 a2=5 a3=bf8fee40 items=0 ppid=8551 pid=14783 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=user_u:system_r:unconfined_t:s0 key=(null)
type=AVC_PATH msg=audit(1178795107.154:60): path="/usr/lib/xorg/libGL.so.1.2"

$ ls -Z /usr/lib/xorg/lib*
-rw-r--r-- root root user_u:object_r:lib_t:s0 /usr/lib/xorg/libfglrx_dm.a
-rw-r--r-- root root user_u:object_r:lib_t:s0 /usr/lib/xorg/libfglrx_dm.so.1.0
-rw-r--r-- root root user_u:object_r:lib_t:s0 /usr/lib/xorg/libfglrx_gamma.a
lrwxrwxrwx root root system_u:object_r:lib_t:s0 /usr/lib/xorg/libfglrx_gamma.so.1 -> libfglrx_gamma.so.1.0
-rw-r--r-- root root user_u:object_r:lib_t:s0 /usr/lib/xorg/libfglrx_gamma.so.1.0
-rw-r--r-- root root user_u:object_r:lib_t:s0 /usr/lib/xorg/libfglrx_pp.a
-rw-r--r-- root root user_u:object_r:lib_t:s0 /usr/lib/xorg/libfglrx_pp.so.1.0
-rw-r--r-- root root user_u:object_r:lib_t:s0 /usr/lib/xorg/libfglrx_tvout.a
lrwxrwxrwx root root system_u:object_r:lib_t:s0 /usr/lib/xorg/libfglrx_tvout.so.1 -> libfglrx_tvout.so.1.0
-rw-r--r-- root root user_u:object_r:lib_t:s0 /usr/lib/xorg/libfglrx_tvout.so.1.0
lrwxrwxrwx root root user_u:object_r:lib_t:s0 /usr/lib/xorg/libGL.so -> /usr/lib/xorg/libGL.so.1.2
lrwxrwxrwx root root user_u:object_r:lib_t:s0 /usr/lib/xorg/libGL.so.1 -> /usr/lib/xorg/libGL.so.1.2
-rw-r--r-- root root user_u:object_r:lib_t:s0 /usr/lib/xorg/libGL.so.1.2

I'm not sure which party is the culprit - http://ati.cchtml.com/show_bug.cgi?id=664

Temporary solution:
# yum install selinux-policy-devel
# grep libGL /var/log/audit/audit.log | audit2allow -M MyATIlibGLFix
# /usr/sbin/setenforce 0
# semodule -i MyATIlibGLFix.pp
# /usr/sbin/setenforce 1
If you just

chcon -t textrel_shlib_t /usr/lib/xorg/libGL.so.1.2

Does that fix the problem? Or do you get other execmod errors?
Made that change to selinux-policy-2.4.6-69.fc6
Yes, it fixes the problem :-).
Fixed in current release
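
An added example, not part of the original report or its comments: a small triage script that pairs each AVC record with its AVC_PATH record by audit event id, keeps only execmod denials on files, and prints the per-file relabel suggested in the thread instead of a module that would allow execmod on every lib_t file. The function names and the third log event are constructed for illustration; the first two events are the denials quoted in the report.

```python
import re
from collections import defaultdict

# Sample input: the two execmod denials from the report (SYSCALL records omitted),
# plus one constructed, unrelated denial (event 61) to show the filter.
SAMPLE_LOG = """\
type=AVC msg=audit(1178795107.133:59): avc: denied { execmod } for pid=14782 comm="gnome-screensav" name="libGL.so.1.2" dev=sda2 ino=693581 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=AVC_PATH msg=audit(1178795107.133:59): path="/usr/lib/xorg/libGL.so.1.2"
type=AVC msg=audit(1178795107.154:60): avc: denied { execmod } for pid=14783 comm="gnome-screensav" name="libGL.so.1.2" dev=sda2 ino=693581 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:lib_t:s0 tclass=file
type=AVC_PATH msg=audit(1178795107.154:60): path="/usr/lib/xorg/libGL.so.1.2"
type=AVC msg=audit(1178795200.001:61): avc: denied { read } for pid=100 comm="example" name="example.conf" dev=sda2 ino=1 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:etc_t:s0 tclass=file
"""

EVENT_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+:\d+)\):\s*(.*)$')
PERMS_RE = re.compile(r'denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def execmod_denials(log_text):
    """Map each file path hit by an execmod denial to its label, callers and count."""
    events = defaultdict(dict)  # audit event id -> merged AVC + AVC_PATH fields
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m or m.group(1) not in ("AVC", "AVC_PATH"):
            continue
        rtype, event_id, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        perms = PERMS_RE.search(body)
        if perms:
            fields["perms"] = perms.group(1).split()
        events[event_id].update(fields)
    result = {}
    for ev in events.values():
        if "execmod" not in ev.get("perms", []) or ev.get("tclass") != "file":
            continue
        path = ev.get("path", ev.get("name"))  # fall back to the bare name if no AVC_PATH
        entry = result.setdefault(path, {"tcontext": ev["tcontext"], "comms": set(), "count": 0})
        entry["comms"].add(ev["comm"])
        entry["count"] += 1
    return result

def relabel_commands(denials, new_type="textrel_shlib_t"):
    """Suggest a chcon only for files whose current type is lib_t."""
    return [f"chcon -t {new_type} {path}" for path, d in sorted(denials.items())
            if d["tcontext"].split(":")[2] == "lib_t"]

if __name__ == "__main__":
    for cmd in relabel_commands(execmod_denials(SAMPLE_LOG)):
        print(cmd)
```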