Bug 466940 – fglrx to start because of an AVC denial (libGL text relocations)

Bug 466940 - fglrx to start because of an AVC denial (libGL text relocations)

Summary:	fglrx to start because of an AVC denial (libGL text relocations)

Status:	CLOSED RAWHIDE

Aliases:	None

Product:	Fedora
Classification:	Fedora
Component:	selinux-policy (Show other bugs)
Sub Component:
Version:	rawhide
Hardware:	All Linux

Priority	medium Severity high
Target Milestone:	---
Target Release:	---
Assigned To:	Daniel Walsh
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:

URL:
Whiteboard:
Keywords:

Depends On:
Blocks:
	Show dependency tree / graph

Reported:	2008-10-14 12:49 EDT by Viktor Erdelyi
Modified:	2008-10-15 15:28 EDT (History)
CC List:	3 users (show)

See Also:
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2008-10-15 09:01:48 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Viktor Erdelyi 2008-10-14 12:49:08 EDT

Zusammenfassung:

SELinux is preventing ksmserver from loading /usr/lib/xorg/libGL.so.1.2 which
requires text relocation.

Detaillierte Beschreibung:

The ksmserver application attempted to load /usr/lib/xorg/libGL.so.1.2 which
requires text relocation. This is a potential security problem. Most libraries
do not need this permission. Libraries are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/xorg/libGL.so.1.2 to use relocation as a workaround, until the library
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Zugriff erlauben:

If you trust /usr/lib/xorg/libGL.so.1.2 to run correctly, you can change the
file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/xorg/libGL.so.1.2'" You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t textrel_shlib_t '/usr/lib/xorg/libGL.so.1.2'"

Fixer Befehl:

chcon -t textrel_shlib_t '/usr/lib/xorg/libGL.so.1.2'

Zusätzliche Informationen:

Quellkontext                  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Zielkontext                   unconfined_u:object_r:lib_t:s0
Zielobjekte                   /usr/lib/xorg/libGL.so.1.2 [ file ]
Quelle                        fglrxinfo
Quellen-Pfad                  /usr/bin/fglrxinfo
Port                          <Unbekannt>
Host                          sierravista.nyetwork
Quellen-RPM-Pakete            kdebase-workspace-4.1.2-5.fc10
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.5.10-3.fc10
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Enforcing
Plugin-Name                   allow_execmod
Hostname                      sierravista.nyetwork
Plattform                     Linux sierravista.nyetwork 2.6.26.5-45.fc9.i686 #1
                              SMP Sat Sep 20 03:45:00 EDT 2008 i686 i686
Anzahl der Alarme             12
Zuerst gesehen                So 12 Okt 2008 19:19:37 CEST
Zuletzt gesehen               Di 14 Okt 2008 18:39:27 CEST
Lokale ID                     5df7bd81-1dd8-4fdb-b1ab-61a9646687c6
Zeilennummern                 

Raw-Audit-Meldungen           

node=sierravista.nyetwork type=AVC msg=audit(1224002367.171:25): avc:  denied  { execmod } for  pid=3468 comm="ksmserver" path="/usr/lib/xorg/libGL.so.1.2" dev=sda7 ino=1448835 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file

node=sierravista.nyetwork type=SYSCALL msg=audit(1224002367.171:25): arch=40000003 syscall=125 success=no exit=-13 a0=f9f000 a1=76000 a2=5 a3=bf953f90 items=0 ppid=3452 pid=3468 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="ksmserver" exe="/usr/bin/ksmserver" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Comment 1 Rex Dieter 2008-10-14 14:05:52 EDT

Where is 
/usr/lib/xorg/libGL.so.1.2
coming from?
(I suspect some non-fedora binary driver is at play here)

Comment 2 Viktor Erdelyi 2008-10-14 15:20:25 EDT

Maybe it's the fglrx driver, BUT: I now use radeonhd because fglrx doesn't work with xserver 1.4. I mean fglrx is installed but I changed the driver in xorg.conf to radeonhd.

Anyway, I think fglrx will need that relocation even when it will actually work.

Comment 3 Rex Dieter 2008-10-14 15:30:56 EDT

adjusting summary to closer match reality.

In the meantime, I'd suggest you also report this to the distributor of said fglrx driver.

Comment 4 Viktor Erdelyi 2008-10-14 15:44:54 EDT

Well, that's the official binary, there's no distributor (afaik). For now, I used the given two commands to allow that operation.

Comment 5 Rex Dieter 2008-10-14 15:51:46 EDT

Then tell ATI/AMD.

Comment 6 Viktor Erdelyi 2008-10-14 16:14:31 EDT

Ok, but I think I'll wait until FC10 is released, because I see no point in writing them a mail and complaining that fglrx doesn't work on my beta version of Fedora (which is far from a "clean install") with an unsupported version of X server and conflicts with an under-development selinux policy.

Comment 7 Daniel Walsh 2008-10-15 09:01:48 EDT

Well the point is that most likely

/usr/lib/xorg/libGL.so.1.2 is built incorrectly.  We can fix SELinux to allow it this access, but unless they hear about the bug, they will never fix the problem.

Seems this library not only gets built incorrectly, it moves around a lot.  current selinux policy has it labeled.

/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)

Now it seems the library is in 

/usr/lib/xorg/libGL.so.1.2

This is why my life sucks...  :^(

Fixed in selinux-policy-3.5.12-2.fc10

Comment 8 Viktor Erdelyi 2008-10-15 15:28:54 EDT

Thanks. I posted the link to ATI at the "Linux Crew Feedback" page.

Note You need to log in before you can comment on or make changes to this bug.