Bug 279841 - allow_execstack boolean broken ?
Product: Fedora
Classification: Fedora
Component: xorg-x11
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: X/OpenGL Maintenance List
Status: Reopened
Reported: 2007-09-05 19:50 EDT by Felix Bellaby
Modified: 2007-11-30 17:12 EST
Doc Type: Bug Fix
Last Closed: 2007-09-14 10:35:52 EDT
Description Felix Bellaby 2007-09-05 19:50:23 EDT
textrel_shlib_t context ELF libraries with the execstack flag set are denied
permission to load by selinux even when the allow_execstack and allow_execmem
booleans are true and sys.kernel.exec-shield=0.

I get the following audit log when starting X using the nvidia drivers (these
drivers are distributed with execstack set on all the shared libs & modules).

type=AVC msg=audit(1188779950.152:10): avc:  denied  { execstack } for  pid=2820 comm="X" scontext=system_u:system_r:init_t:s0 context=system_u:system_r:init_t:s0 tclass=process

The Xorg server log highlights that the problem is in the nvidia libs & mods.

The problem disappears when setenforce = 0 or when the execstack flags are
cleared on the nvidia shared libs & mods. 

I am using selinux-policy-3.0.7-2.fc8 with kernel-2.6.23-0.149.rc4.fc8.

Am I missing something or is this a bug?

PS: The devices in the /etc/udev/devices/ directory need to be assigned a device_t
context on creation so that udev has permission to copy them into the /dev/
directory when it starts up. This problem also shows up with the livna
distribution of the nvidia drivers.
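Added example, not code from the bug report, from NVIDIA or from Fedora: a small Python reader for the PT_GNU_STACK program header, which is the "execstack flag" the reporter clears on the nvidia libraries. It reproduces what `execstack -q` reports ('X' executable, '-' non-executable, '?' no PT_GNU_STACK header, which the loader treats as executable) and what `execstack -c` changes (it drops PF_X from that header's p_flags). The minimal ELF64 images it builds are constructed sample input with no code in them. The link to the AVC above: when glibc dlopen()s a library whose PT_GNU_STACK has PF_X set, it mprotect()s the calling process's stack executable, and that mprotect is the `execstack` permission on tclass=process that SELinux denies for the X server's domain.

```python
"""Inspect and clear the PT_GNU_STACK executable flag in a little-endian ELF64 file.

Added example; it is not part of this bug report or of any NVIDIA/Fedora code.
"""
import struct

PT_GNU_STACK = 0x6474E551   # p_type value of the GNU stack descriptor
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1

# ELF64 header: e_ident[16] e_type e_machine e_version e_entry e_phoff e_shoff
# e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
EHDR_FMT = "<16sHHIQQQIHHHHHH"
EHDR_SIZE = struct.calcsize(EHDR_FMT)        # 64 bytes
# ELF64 program header: p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
PHDR_FMT = "<IIQQQQQQ"
PHDR_SIZE = struct.calcsize(PHDR_FMT)        # 56 bytes


def _phdr_table(data: bytes):
    """Yield (index, file offset, unpacked fields) for every program header."""
    if data[:4] != ELF_MAGIC or data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("not a little-endian ELF64 object")
    hdr = struct.unpack_from(EHDR_FMT, data, 0)
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    if e_phentsize != PHDR_SIZE:
        raise ValueError("unexpected e_phentsize %d" % e_phentsize)
    for i in range(e_phnum):
        off = e_phoff + i * PHDR_SIZE
        yield i, off, struct.unpack_from(PHDR_FMT, data, off)


def stack_flag(data: bytes) -> str:
    """'X' = executable stack requested, '-' = not, '?' = no PT_GNU_STACK header.

    Same letters `execstack -q` prints; '?' is treated as executable by the
    loader, which is why a missing header is as bad as an explicit PF_X.
    """
    for _, _, ph in _phdr_table(data):
        if ph[0] == PT_GNU_STACK:
            return "X" if ph[1] & PF_X else "-"
    return "?"


def clear_execstack(data: bytes) -> bytes:
    """Drop PF_X from PT_GNU_STACK, as `execstack -c` does; nothing else is touched."""
    buf = bytearray(data)
    for _, off, ph in _phdr_table(data):
        if ph[0] == PT_GNU_STACK:
            # p_flags is the 4-byte field right after p_type
            struct.pack_into("<I", buf, off + 4, ph[1] & ~PF_X)
            return bytes(buf)
    raise ValueError("no PT_GNU_STACK header; execstack would have to add one")


def build_elf(gnu_stack_flags=None) -> bytes:
    """Constructed minimal ELF64 shared object used as sample input (no code inside).

    gnu_stack_flags=None omits PT_GNU_STACK entirely; otherwise one
    PT_GNU_STACK header carrying the given p_flags is emitted.
    """
    phdrs = []
    if gnu_stack_flags is not None:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_STACK, gnu_stack_flags,
                                 0, 0, 0, 0, 0, 16))
    ident = ELF_MAGIC + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = struct.pack(EHDR_FMT, ident, 3, 62, 1, 0, EHDR_SIZE, 0, 0,
                       EHDR_SIZE, PHDR_SIZE, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    import sys
    # Usage: python this.py /usr/lib/libGL.so.1 ...  (prints X, - or ? per file)
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(stack_flag(f.read()), path)
```

Run it over the nvidia .so files and the X modules to get the same per-file verdict the reporter got from execstack; clear_execstack() is the in-place edit that made the AVC go away, and it is worth keeping in mind that the change is reverted by every driver reinstall.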
Comment 1 Daniel Walsh 2007-09-06 09:36:06 EDT
The problem here is that you did not transition to X.  Also why is the program
init_t ever running X.  It should be initrc_t.  This looks like you have some
labeling issues on your machine.  Could you attempt to relabel.

touch /.autorelabel
Comment 2 Felix Bellaby 2007-09-12 18:54:50 EDT
I have had some difficulty relabeling my system because fixfiles has been
failing. It appears that the following file:


includes references on lines 51 and 93 to an invalid context:


Altering this context to 


allows fixfiles to run.

However, relabeling the system has no impact on the bug that I reported other
than changing the contexts in the audit.log entry to:

type=AVC msg=audit(1189636478.397:20): avc:  denied  { execstack } for  pid=2753 comm="X" scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process

The nvidia drivers still fail to start in exactly the same way unless the
execstack flags on their shared libraries are cleared, while the nv drivers work
without any difficulty.

Does this bug really relate to a transition to X ?

Comment 3 Daniel Walsh 2007-09-13 12:16:36 EDT
This looks like an X Problem. 
Right now you can install a custom policy to allow execstack.

# grep execstack /var/log/audit/audit.log | audit2allow -M myxserv
# semodule -i myxserv.pp

What kind of video card are you using.  We have policy to let the X server run
execmem and execheap but nothing for execstack.
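Added example, not from the bug report and not the audit2allow source: a Python sketch of what the `audit2allow -M myxserv` step above builds from the denial records, run over constructed sample text made of the two AVC records posted in this bug (the first written out with a tcontext= field to match the reporter's first denial, the second left line-wrapped exactly as it was pasted so the record re-joining is exercised). It renders the `allow xdm_xserver_t self:process execstack;` rule such a module would contain. The caveat a practitioner would attach: loading that module lets the whole X server domain make its stack executable, so clearing the flag on the offending libraries, as the reporter did, is the narrower fix and the module is only a stopgap.

```python
"""Turn SELinux AVC denial lines into a minimal type-enforcement (.te) module.

Added example; not the audit2allow implementation, only the shape of its output.
"""
import re
from collections import defaultdict

# Constructed sample: the two denials from this bug.  Record 2 is kept
# line-wrapped the way it appears in the report, including the split
# inside "system_u".
SAMPLE_AVCS = """\
type=AVC msg=audit(1188779950.152:10): avc:  denied  { execstack } for  pid=2820 comm="X" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=process
type=AVC msg=audit(1189636478.397:20): avc:  denied  { execstack } for  pid=2753
 comm="X" scontext=system_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tcontext=syste
m_u:system_r:xdm_xserver_t:s0-s0:c0.c1023 tclass=process
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx: str) -> str:
    """user:role:type[:range] -> type (the part policy rules are written against)."""
    return ctx.split(":")[2]


def parse_avc(text: str):
    """Yield (source_type, target_type, tclass, perms) per denial record.

    Every audit record starts with 'type='; any other line is the continuation
    of a record that a terminal or tracker wrapped, and is glued back on
    without a separator so a token split mid-word is restored.  The regex
    only needs whitespace before the context fields, which the wrap preserved.
    """
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("type=") or not records:
            records.append(line)
        else:
            records[-1] += line
    for rec in records:
        m = AVC_RE.search(rec)
        if not m:
            continue               # not an AVC denial (e.g. SYSCALL records)
        yield (context_type(m["scon"]), context_type(m["tcon"]),
               m["tclass"], tuple(m["perms"].split()))


def _permset(perms) -> str:
    """Policy syntax: a lone permission is bare, several are brace-wrapped."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)


def make_te(module: str, denials) -> str:
    """Render a .te module in the layout `audit2allow -M` produces."""
    rules = defaultdict(set)       # (src, tgt, tclass) -> perms to allow
    classes = defaultdict(set)     # tclass -> perms that must be declared
    types = set()
    for src, tgt, tclass, perms in denials:
        rules[(src, tgt, tclass)].update(perms)
        classes[tclass].update(perms)
        types.update((src, tgt))
    out = ["module %s 1.0;" % module, "", "require {"]
    out += ["\ttype %s;" % t for t in sorted(types)]
    out += ["\tclass %s %s;" % (c, _permset(p)) for c, p in sorted(classes.items())]
    out += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        # same source and target type is written as `self`, as audit2allow does
        target = "self" if src == tgt else tgt
        out.append("allow %s %s:%s %s;" % (src, target, tclass, _permset(perms)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    import sys
    # Usage: grep execstack /var/log/audit/audit.log | python this.py > myxserv.te
    print(make_te("myxserv", parse_avc(sys.stdin.read())), end="")
```

The resulting .te is what checkmodule/semodule_package turn into the .pp that `semodule -i` loads; the lines worth reading before loading are the `allow` rules, since each one is a permanent widening of that domain.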
Comment 4 Daniel Walsh 2007-09-13 12:17:10 EDT
I am reassigning to the X Server to see if they have an idea.
Comment 5 Felix Bellaby 2007-09-13 13:49:07 EDT
nvidia seem to have been shipping their drivers with execstack set on the
libraries and modules for a considerable time now so I would expect this problem
to show up on most systems with a proprietary nvidia driver.

I am using the nvidia 100.14.11 drivers with a GeForce 8800 video card. So far
as I can tell, clearing the execstack flag has no impact on the operation of
these recent drivers with this card, but nvidia might still be using an
executable stack somewhere.
Comment 6 Adam Jackson 2007-09-14 10:35:52 EDT
I can't imagine why it would need execstack, but it's not something we can fix
until we start shipping selinux policy in each package.

NVIDIA could certainly do so of their own volition if they wanted, but this
isn't our bug to fix.
Comment 7 Felix Bellaby 2007-09-17 07:33:50 EDT
I have informed nvidia that this will cause a problem and they have added to
their bug tracking system under reference 224775.