Bug 467045 - SELinux is preventing gnome-screensav from changing a writable memory segment executable
SELinux is preventing gnome-screensav from changing a writable memory segment...
Product: Fedora
Classification: Fedora
Component: gnome-screensaver (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: jmccann
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-10-15 09:28 EDT by Allan Engelhardt
Modified: 2015-01-14 18:21 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-10-16 10:12:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Allan Engelhardt 2008-10-15 09:28:54 EDT
Description of problem:

gnome-screensaver causes a SELinux exception when allow_execmem is off.

Version-Release number of selected component (if applicable):

How reproducible: Always

Steps to Reproduce:
1. unset the allow_execmem (and allow_execstack?) [semanage boolean --off allow_execmem]
2. wait for screen saver
3. see error in setroubleshoot
Actual results: From setroubleshoot:


SELinux is preventing gnome-screensav from changing a writable memory segment

Detailed Description:

The gnome-screensav application attempted to change the access protection of
memory (e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If gnome-screensav does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust gnome-screensav to run correctly, you can change the context of the
executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/libexec/gnome-screensaver-gl-helper'". You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t unconfined_execmem_exec_t

Fix Command:

chcon -t unconfined_execmem_exec_t '/usr/libexec/gnome-screensaver-gl-helper'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
Target Objects                None [ process ]
Source                        gnome-screensav
Source Path                   /usr/libexec/gnome-screensaver-gl-helper
Port                          <Unknown>
Host                          server.cybaea.net
Source RPM Packages           gnome-screensaver-2.22.1-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-95.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmem
Host Name                     xxx
Platform                      Linux server.cybaea.net #1
                              SMP Sat Sep 20 03:23:12 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 15 Oct 2008 13:47:01 BST
Last Seen                     Wed 15 Oct 2008 13:47:01 BST
Local ID                      056ea6f4-cdfb-479d-8907-716459ae5099
Line Numbers                  

Raw Audit Messages            

host=xxx type=AVC msg=audit(1224074821.460:1807): avc:  denied  { execmem } for  pid=29268 comm="gnome-screensav" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=xxx type=SYSCALL msg=audit(1224074821.460:1807): arch=c000003e syscall=9 success=no exit=-13 a0=2c7000 a1=34000 a2=7 a3=812 items=0 ppid=3321 pid=29268 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


Expected results:

No SELinux exceptions

Additional info:
Comment 1 Allan Engelhardt 2008-10-16 03:42:09 EDT
Reported as Bug 465583 for the i386 platform
Comment 2 Allan Engelhardt 2008-10-16 10:12:37 EDT
Removing the Livna nvidia package (and also preload) fixes it for me.

Note You need to log in before you can comment on or make changes to this bug.