Zusammenfassung:

SELinux is preventing ksmserver from loading /usr/lib/xorg/libGL.so.1.2 which requires text relocation.

Detaillierte Beschreibung:

The ksmserver application attempted to load /usr/lib/xorg/libGL.so.1.2 which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/xorg/libGL.so.1.2 to use relocation as a workaround, until the library is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Zugriff erlauben:

If you trust /usr/lib/xorg/libGL.so.1.2 to run correctly, you can change the file context to textrel_shlib_t. "chcon -t textrel_shlib_t '/usr/lib/xorg/libGL.so.1.2'" You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t textrel_shlib_t '/usr/lib/xorg/libGL.so.1.2'"

Fixer Befehl:

chcon -t textrel_shlib_t '/usr/lib/xorg/libGL.so.1.2'

Zusätzliche Informationen:

Quellkontext                  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Zielkontext                   unconfined_u:object_r:lib_t:s0
Zielobjekte                   /usr/lib/xorg/libGL.so.1.2 [ file ]
Quelle                        fglrxinfo
Quellen-Pfad                  /usr/bin/fglrxinfo
Port                          <Unbekannt>
Host                          sierravista.nyetwork
Quellen-RPM-Pakete            kdebase-workspace-4.1.2-5.fc10
Ziel-RPM-Pakete
RPM-Richtlinie                selinux-policy-3.5.10-3.fc10
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Enforcing
Plugin-Name                   allow_execmod
Hostname                      sierravista.nyetwork
Plattform                     Linux sierravista.nyetwork 2.6.26.5-45.fc9.i686 #1 SMP Sat Sep 20 03:45:00 EDT 2008 i686 i686
Anzahl der Alarme             12
Zuerst gesehen                So 12 Okt 2008 19:19:37 CEST
Zuletzt gesehen               Di 14 Okt 2008 18:39:27 CEST
Lokale ID                     5df7bd81-1dd8-4fdb-b1ab-61a9646687c6
Zeilennummern

Raw-Audit-Meldungen

node=sierravista.nyetwork type=AVC msg=audit(1224002367.171:25): avc: denied { execmod } for pid=3468 comm="ksmserver" path="/usr/lib/xorg/libGL.so.1.2" dev=sda7 ino=1448835 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file

node=sierravista.nyetwork type=SYSCALL msg=audit(1224002367.171:25): arch=40000003 syscall=125 success=no exit=-13 a0=f9f000 a1=76000 a2=5 a3=bf953f90 items=0 ppid=3452 pid=3468 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="ksmserver" exe="/usr/bin/ksmserver" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Where is /usr/lib/xorg/libGL.so.1.2 coming from? (I suspect some non-fedora binary driver is at play here)
Maybe it's the fglrx driver, BUT: I now use radeonhd because fglrx doesn't work with xserver 1.4. I mean fglrx is installed but I changed the driver in xorg.conf to radeonhd. Anyway, I think fglrx will need that relocation even when it will actually work.
Adjusting summary to closer match reality. In the meantime, I'd suggest you also report this to the distributor of said fglrx driver.
Well, that's the official binary, there's no distributor (afaik). For now, I used the given two commands to allow that operation.
Then tell ATI/AMD.
Ok, but I think I'll wait until FC10 is released, because I see no point in writing them a mail and complaining that fglrx doesn't work on my beta version of Fedora (which is far from a "clean install") with an unsupported version of X server and conflicts with an under-development selinux policy.
Well the point is that most likely /usr/lib/xorg/libGL.so.1.2 is built incorrectly. We can fix SELinux to allow it this access, but unless they hear about the bug, they will never fix the problem.

Seems this library not only gets built incorrectly, it moves around a lot. current selinux policy has it labeled.

/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)

Now it seems the library is in /usr/lib/xorg/libGL.so.1.2

This is why my life sucks... :^(

Fixed in selinux-policy-3.5.12-2.fc10
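The mismatch described in the comment above, as an added example that is not part of the original thread or of the selinux-policy sources: it parses the AVC record from the report and checks the denied path against the three file-context patterns quoted above. The function names are hypothetical, and the whole-path matching reflects how file_contexts regexes are applied (anchored at both ends).

```python
import re

# Regex part of the three file-context entries quoted in the comment above.
POLICY_PATTERNS = [
    r"/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)*",
    r"/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)*",
    r"/usr/lib(64)?/libGLU\.so(\.[^/]*)*",
]

# AVC record copied from the raw audit messages in the report.
AVC = ('type=AVC msg=audit(1224002367.171:25): avc: denied { execmod } for pid=3468 '
       'comm="ksmserver" path="/usr/lib/xorg/libGL.so.1.2" dev=sda7 ino=1448835 '
       'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
       'tcontext=unconfined_u:object_r:lib_t:s0 tclass=file')


def parse_avc(line):
    """Return the denied permissions and key=value fields of one AVC record."""
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(2))
    fields = {key: value.strip('"') for key, value in pairs}
    fields["perms"] = m.group(1).split()
    return fields


def matching_patterns(path, patterns=POLICY_PATTERNS):
    """file_contexts entries must match the whole path, hence fullmatch."""
    return [p for p in patterns if re.fullmatch(p, path)]


def explain(line):
    """Summarise why the denial fired: target type and pattern coverage."""
    avc = parse_avc(line)
    return {
        "path": avc["path"],
        "perms": avc["perms"],
        "target_type": avc["tcontext"].split(":")[2],
        "covered_by_policy": bool(matching_patterns(avc["path"])),
    }


if __name__ == "__main__":
    print(explain(AVC))
    # The older install locations are covered; the xorg/ subdirectory is not.
    for p in ("/usr/lib/fglrx/libGL.so.1.2", "/usr/lib/libGL.so.1.2"):
        print(p, "->", bool(matching_patterns(p)))
```

Because none of the three patterns admits an `xorg/` path component, the file falls back to the generic `lib_t` label, which is the `tcontext` the denial reports.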
Thanks. I posted the link to ATI at the "Linux Crew Feedback" page.