Bug 466940 - fglrx to start because of an AVC denial (libGL text relocations)
Summary: fglrx to start because of an AVC denial (libGL text relocations)
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: rawhide
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-10-14 16:49 UTC by Viktor Erdelyi
Modified: 2008-10-15 19:28 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2008-10-15 13:01:48 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Viktor Erdelyi 2008-10-14 16:49:08 UTC 
Zusammenfassung:

SELinux is preventing ksmserver from loading /usr/lib/xorg/libGL.so.1.2 which
requires text relocation.

Detaillierte Beschreibung:

The ksmserver application attempted to load /usr/lib/xorg/libGL.so.1.2 which
requires text relocation. This is a potential security problem. Most libraries
do not need this permission. Libraries are sometimes coded incorrectly and
request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. You can configure SELinux temporarily to allow
/usr/lib/xorg/libGL.so.1.2 to use relocation as a workaround, until the library
is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Zugriff erlauben:

If you trust /usr/lib/xorg/libGL.so.1.2 to run correctly, you can change the
file context to textrel_shlib_t. "chcon -t textrel_shlib_t
'/usr/lib/xorg/libGL.so.1.2'" You must also change the default file context
files on the system in order to preserve them even on a full relabel. "semanage
fcontext -a -t textrel_shlib_t '/usr/lib/xorg/libGL.so.1.2'"

Fixer Befehl:

chcon -t textrel_shlib_t '/usr/lib/xorg/libGL.so.1.2'

Zusätzliche Informationen:

Quellkontext                  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1
                              023
Zielkontext                   unconfined_u:object_r:lib_t:s0
Zielobjekte                   /usr/lib/xorg/libGL.so.1.2 [ file ]
Quelle                        fglrxinfo
Quellen-Pfad                  /usr/bin/fglrxinfo
Port                          <Unbekannt>
Host                          sierravista.nyetwork
Quellen-RPM-Pakete            kdebase-workspace-4.1.2-5.fc10
Ziel-RPM-Pakete               
RPM-Richtlinie                selinux-policy-3.5.10-3.fc10
SELinux aktiviert             True
Richtlinienversion            targeted
MLS aktiviert                 True
Enforcing-Modus               Enforcing
Plugin-Name                   allow_execmod
Hostname                      sierravista.nyetwork
Plattform                     Linux sierravista.nyetwork 2.6.26.5-45.fc9.i686 #1
                              SMP Sat Sep 20 03:45:00 EDT 2008 i686 i686
Anzahl der Alarme             12
Zuerst gesehen                So 12 Okt 2008 19:19:37 CEST
Zuletzt gesehen               Di 14 Okt 2008 18:39:27 CEST
Lokale ID                     5df7bd81-1dd8-4fdb-b1ab-61a9646687c6
Zeilennummern                 

Raw-Audit-Meldungen           

node=sierravista.nyetwork type=AVC msg=audit(1224002367.171:25): avc:  denied  { execmod } for  pid=3468 comm="ksmserver" path="/usr/lib/xorg/libGL.so.1.2" dev=sda7 ino=1448835 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:lib_t:s0 tclass=file

node=sierravista.nyetwork type=SYSCALL msg=audit(1224002367.171:25): arch=40000003 syscall=125 success=no exit=-13 a0=f9f000 a1=76000 a2=5 a3=bf953f90 items=0 ppid=3452 pid=3468 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=2 comm="ksmserver" exe="/usr/bin/ksmserver" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Comment 1 Rex Dieter 2008-10-14 18:05:52 UTC 
Where is 
/usr/lib/xorg/libGL.so.1.2
coming from?
(I suspect some non-fedora binary driver is at play here)
Comment 2 Viktor Erdelyi 2008-10-14 19:20:25 UTC 
Maybe it's the fglrx driver, BUT: I now use radeonhd because fglrx doesn't work with xserver 1.4. I mean fglrx is installed but I changed the driver in xorg.conf to radeonhd.

Anyway, I think fglrx will need that relocation even when it will actually work.
Comment 3 Rex Dieter 2008-10-14 19:30:56 UTC 
adjusting summary to closer match reality.

In the meantime, I'd suggest you also report this to the distributor of said fglrx driver.
Comment 4 Viktor Erdelyi 2008-10-14 19:44:54 UTC 
Well, that's the official binary, there's no distributor (afaik). For now, I used the given two commands to allow that operation.
Comment 5 Rex Dieter 2008-10-14 19:51:46 UTC 
Then tell ATI/AMD.
Comment 6 Viktor Erdelyi 2008-10-14 20:14:31 UTC 
Ok, but I think I'll wait until FC10 is released, because I see no point in writing them a mail and complaining that fglrx doesn't work on my beta version of Fedora (which is far from a "clean install") with an unsupported version of X server and conflicts with an under-development selinux policy.
Comment 7 Daniel Walsh 2008-10-15 13:01:48 UTC 
Well the point is that most likely

/usr/lib/xorg/libGL.so.1.2 is built incorrectly.  We can fix SELinux to allow it this access, but unless they hear about the bug, they will never fix the problem.

Seems this library not only gets built incorrectly, it moves around a lot.  current selinux policy has it labeled.

/usr/lib(64)?/(nvidia/)?libGL(core)?\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/fglrx/libGL\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib(64)?/libGLU\.so(\.[^/]*)*	--	gen_context(system_u:object_r:textrel_shlib_t,s0)

Now it seems the library is in 

/usr/lib/xorg/libGL.so.1.2

This is why my life sucks...  :^(

Fixed in selinux-policy-3.5.12-2.fc10
Comment 8 Viktor Erdelyi 2008-10-15 19:28:54 UTC 
Thanks. I posted the link to ATI at the "Linux Crew Feedback" page.
Note You need to log in before you can comment on or make changes to this bug.