Bug 467045 - SELinux is preventing gnome-screensav from changing a writable memory segment executable
Summary: SELinux is preventing gnome-screensav from changing a writable memory segment...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: gnome-screensaver
Version: 9
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: jmccann
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-10-15 13:28 UTC by Allan Engelhardt
Modified: 2015-01-14 23:21 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-10-16 14:12:37 UTC
Type: ---
Embargoed:


Attachments (Terms of Use)

Description Allan Engelhardt 2008-10-15 13:28:54 UTC
Description of problem:

gnome-screensaver causes a SELinux exception when allow_execmem is off.


Version-Release number of selected component (if applicable):
gnome-screensaver-2.22.1-1.fc9.x86_64

How reproducible: Always


Steps to Reproduce:
1. unset the allow_execmem (and allow_execstack?) [semanage boolean --off allow_execmem]
2. wait for screen saver
3. see error in setroubleshoot
  
Actual results: From setroubleshoot:

---[cut]---
Summary:

SELinux is preventing gnome-screensav from changing a writable memory segment
executable.

Detailed Description:

The gnome-screensav application attempted to change the access protection of
memory (e.g., allocated using malloc). This is a potential security problem.
Applications should not be doing this. Applications are sometimes coded
incorrectly and request this permission. The SELinux Memory Protection Tests
(http://people.redhat.com/drepper/selinux-mem.html) web page explains how to
remove this requirement. If gnome-screensav does not work and you need it to
work, you can configure SELinux temporarily to allow this access until the
application is fixed. Please file a bug report
(http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust gnome-screensav to run correctly, you can change the context of the
executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t
'/usr/libexec/gnome-screensaver-gl-helper'". You must also change the default
file context files on the system in order to preserve them even on a full
relabel. "semanage fcontext -a -t unconfined_execmem_exec_t
'/usr/libexec/gnome-screensaver-gl-helper'"

Fix Command:

chcon -t unconfined_execmem_exec_t '/usr/libexec/gnome-screensaver-gl-helper'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-
                              SystemHigh
Target Objects                None [ process ]
Source                        gnome-screensav
Source Path                   /usr/libexec/gnome-screensaver-gl-helper
Port                          <Unknown>
Host                          server.cybaea.net
Source RPM Packages           gnome-screensaver-2.22.1-1.fc9
Target RPM Packages           
Policy RPM                    selinux-policy-3.3.1-95.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmem
Host Name                     xxx
Platform                      Linux server.cybaea.net 2.6.26.5-45.fc9.x86_64 #1
                              SMP Sat Sep 20 03:23:12 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 15 Oct 2008 13:47:01 BST
Last Seen                     Wed 15 Oct 2008 13:47:01 BST
Local ID                      056ea6f4-cdfb-479d-8907-716459ae5099
Line Numbers                  

Raw Audit Messages            

host=xxx type=AVC msg=audit(1224074821.460:1807): avc:  denied  { execmem } for  pid=29268 comm="gnome-screensav" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=xxx type=SYSCALL msg=audit(1224074821.460:1807): arch=c000003e syscall=9 success=no exit=-13 a0=2c7000 a1=34000 a2=7 a3=812 items=0 ppid=3321 pid=29268 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

---[cut]---



Expected results:

No SELinux exceptions

Additional info:

Comment 1 Allan Engelhardt 2008-10-16 07:42:09 UTC
Reported as Bug 465583 for the i386 platform

Comment 2 Allan Engelhardt 2008-10-16 14:12:37 UTC
Removing the Livna nvidia package (and also preload) fixes it for me.


Note You need to log in before you can comment on or make changes to this bug.