Version-Release number of selected component (if applicable):
mesa-libGL-7.1-0.8.fc9.i386
selinux-policy-3.2.5-19.fc9.noarch
kernel-2.6.24-2.fc9.i686

Summary:

SELinux is preventing gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper) from changing a writable memory segment executable.

Detailed Description:

The gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper) application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper) does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper) to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper)". You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper)"

The following command will allow this access:

chcon -t unconfined_execmem_exec_t gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper)

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context                unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Objects                None [ process ]
Source                        gnome-screensav(/usr/libexec/gnome-screensaver-gl-helper)
Port                          <Unknown>
Host                          cirithungol
Source RPM Packages
Target RPM Packages
Policy RPM                    selinux-policy-3.2.5-19.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmem
Host Name                     cirithungol
Platform                      Linux cirithungol 2.6.24-2.fc9 #1 SMP Fri Jan 25 13:14:54 EST 2008 i686 i686
Alert Count                   2
First Seen                    Sun 27 Jan 2008 07:01:57 AM EST
Last Seen                     Sun 27 Jan 2008 06:29:46 PM EST
Local ID                      10c8826c-0d04-4c04-987f-277adcf3009e
Line Numbers

Raw Audit Messages

host=cirithungol type=AVC msg=audit(1201487386.879:70): avc: denied { execmem } for pid=4159 comm="gnome-screensav" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=cirithungol type=SYSCALL msg=audit(1201487386.879:70): arch=40000003 syscall=192 success=no exit=-13 a0=48f000 a1=1b000 a2=7 a3=812 items=0 ppid=2993 pid=4159 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Errors from glxgears and glxinfo as well:

Jan 28 01:41:38 cirithungol setroubleshoot: SELinux is preventing glxinfo(/usr/bin/glxinfo) from making the program stack executable. For complete SELinux messages. run sealert -l a17416c0-8543-45b9-93e9-cc834af042ab -
Jan 28 01:37:11 cirithungol setroubleshoot: SELinux is preventing glxinfo(/usr/bin/glxinfo) from changing a writable memory segment executable. For complete SELinux messages. run sealert -l 10c8826c-0d04-4c04-987f-277adcf3009e -

llz /usr/lib/libGL*
818229   4 lrwxrwxrwx+ 1 system_u:object_r:lib_t:s0 0 0   1 2008-01-24 21:14 /usr/lib/libGL.so -> libGL.so.1
816847   4 lrwxrwxrwx+ 1 system_u:object_r:lib_t:s0 0 0   1 2008-01-24 18:55 /usr/lib/libGL.so.1 -> libGL.so.1.2
818352 456 -rwxr-xr-x+ 1 system_u:object_r:textrel_shlib_t:s0 0 0 448 2008-01-22 13:41 /usr/lib/libGL.so.1.2
816746   4 lrwxrwxrwx+ 1 system_u:object_r:lib_t:s0 0 0   1 2008-01-24 18:52 /usr/lib/libGLU.so.1 -> libGLU.so.1.3.070100
817972 536 -rwxr-xr-x+ 1 system_u:object_r:textrel_shlib_t:s0 0 0 526 2008-01-22 13:41 /usr/lib/libGLU.so.1.3.070100

Running the 'nv' X driver, although nvidia libs installed via livna (relocated). After setenforce 0 glxinfo outputs expected results.
The question.. is that executable memory required here (so a policy issue)?
Oops... ldd shows this one really is the nvidia libs instead. They seem to be labeled correctly as per policy, so it could be a problem with their latest driver itself, or just the fact that the nvidia module isn't loaded while attempting to use those libs. Closing this, I'll clone it to policy if I can get the nvidia module loaded and still have policy problems (currently module won't work with X ABI anyway).
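
Added example, not part of the original report or of any project named in it: a small decoder for the SYSCALL record that accompanies the execmem AVC, showing which call was denied and what protection and mapping flags it asked for. The syscall numbers and flag values are taken from the Linux i386 ABI headers, and the function names are this example's own.

```python
import re

# Values from the Linux i386 ABI headers (unistd_32.h, mman.h), not from the report.
AUDIT_ARCH_I386 = 0x40000003
I386_SYSCALLS = {125: "mprotect", 192: "mmap2"}
PROT_BITS = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}
MAP_BITS = {0x01: "MAP_SHARED", 0x02: "MAP_PRIVATE", 0x10: "MAP_FIXED",
            0x20: "MAP_ANONYMOUS", 0x800: "MAP_DENYWRITE"}

# SYSCALL record from the report, shortened to the fields decoded here.
SAMPLE = (
    'type=SYSCALL msg=audit(1201487386.879:70): arch=40000003 syscall=192 '
    'success=no exit=-13 a0=48f000 a1=1b000 a2=7 a3=812 items=0 pid=4159 '
    'comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper"'
)


def parse_fields(record):
    """Split an audit record into key=value fields, stripping quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', record)}


def flag_names(value, table):
    """Name each known bit set in value; leftover bits are reported as hex."""
    names, known = [], 0
    for bit, name in sorted(table.items()):
        known |= bit
        if value & bit:
            names.append(name)
    if value & ~known:
        names.append(hex(value & ~known))
    return names


def decode_mapping_syscall(record):
    """Decode the mmap2/mprotect arguments of an i386 SYSCALL audit record."""
    f = parse_fields(record)
    if f.get("type") != "SYSCALL" or int(f["arch"], 16) != AUDIT_ARCH_I386:
        raise ValueError("expected an i386 SYSCALL record")
    name = I386_SYSCALLS.get(int(f["syscall"]))
    if name is None:
        raise ValueError("syscall %s is not handled by this decoder" % f["syscall"])
    a = [int(f["a%d" % i], 16) for i in range(4)]  # audit logs a0..a3 in hex
    prot = flag_names(a[2], PROT_BITS)
    out = {"syscall": name, "exe": f.get("exe"), "addr": a[0], "length": a[1],
           "prot": prot, "wx": "PROT_WRITE" in prot and "PROT_EXEC" in prot}
    if name == "mmap2":  # mprotect has no flags argument; a3 is unused there
        out["flags"] = flag_names(a[3], MAP_BITS)
    return out
```

For the record in this report the result is an mmap2 call with a private, fixed-address mapping requested as readable, writable and executable at once, which is the combination the execmem check denies.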