Description of problem:
gnome-screensaver causes a SELinux exception when allow_execmem is off.

Version-Release number of selected component (if applicable):
gnome-screensaver-2.22.1-1.fc9.x86_64

How reproducible:
Always

Steps to Reproduce:
1. unset the allow_execmem (and allow_execstack?) [semanage boolean --off allow_execmem]
2. wait for screen saver
3. see error in setroubleshoot

Actual results:
From setroubleshoot:

---[cut]---
Summary:

SELinux is preventing gnome-screensav from changing a writable memory segment executable.

Detailed Description:

The gnome-screensav application attempted to change the access protection of memory (e.g., allocated using malloc). This is a potential security problem. Applications should not be doing this. Applications are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests (http://people.redhat.com/drepper/selinux-mem.html) web page explains how to remove this requirement. If gnome-screensav does not work and you need it to work, you can configure SELinux temporarily to allow this access until the application is fixed. Please file a bug report (http://bugzilla.redhat.com/bugzilla/enter_bug.cgi) against this package.

Allowing Access:

If you trust gnome-screensav to run correctly, you can change the context of the executable to unconfined_execmem_exec_t. "chcon -t unconfined_execmem_exec_t '/usr/libexec/gnome-screensaver-gl-helper'". You must also change the default file context files on the system in order to preserve them even on a full relabel. "semanage fcontext -a -t unconfined_execmem_exec_t '/usr/libexec/gnome-screensaver-gl-helper'"

Fix Command:

chcon -t unconfined_execmem_exec_t '/usr/libexec/gnome-screensaver-gl-helper'

Additional Information:

Source Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Context                unconfined_u:unconfined_r:unconfined_t:SystemLow-SystemHigh
Target Objects                None [ process ]
Source                        gnome-screensav
Source Path                   /usr/libexec/gnome-screensaver-gl-helper
Port                          <Unknown>
Host                          server.cybaea.net
Source RPM Packages           gnome-screensaver-2.22.1-1.fc9
Target RPM Packages
Policy RPM                    selinux-policy-3.3.1-95.fc9
Selinux Enabled               True
Policy Type                   targeted
MLS Enabled                   True
Enforcing Mode                Enforcing
Plugin Name                   allow_execmem
Host Name                     xxx
Platform                      Linux server.cybaea.net 2.6.26.5-45.fc9.x86_64 #1 SMP Sat Sep 20 03:23:12 EDT 2008 x86_64 x86_64
Alert Count                   1
First Seen                    Wed 15 Oct 2008 13:47:01 BST
Last Seen                     Wed 15 Oct 2008 13:47:01 BST
Local ID                      056ea6f4-cdfb-479d-8907-716459ae5099
Line Numbers

Raw Audit Messages

host=xxx type=AVC msg=audit(1224074821.460:1807): avc: denied { execmem } for pid=29268 comm="gnome-screensav" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process

host=xxx type=SYSCALL msg=audit(1224074821.460:1807): arch=c000003e syscall=9 success=no exit=-13 a0=2c7000 a1=34000 a2=7 a3=812 items=0 ppid=3321 pid=29268 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
---[cut]---

Expected results:
No SELinux exceptions

Additional info:
Reported as Bug 465583 for the i386 platform
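The raw audit messages above say more than setroubleshoot's summary: the SYSCALL record paired with the AVC record (same audit serial) shows syscall 9 on arch c000003e, i.e. mmap on x86_64, with a2=7 (PROT_READ|PROT_WRITE|PROT_EXEC) refused with EACCES. The following triage helper is an added example, not part of this bug report or of gnome-screensaver; it parses a constructed copy of the two records quoted above, correlates them by serial and decodes the protection bits so an administrator can see that a writable+executable mapping, not a harmless read-only one, was requested before deciding whether to relabel the helper.

```python
import re
from typing import Dict, List
# Constructed sample: the two raw audit records from the report, one per line.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1224074821.460:1807): avc: denied { execmem } for pid=29268 comm="gnome-screensav" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process
type=SYSCALL msg=audit(1224074821.460:1807): arch=c000003e syscall=9 success=no exit=-13 a0=2c7000 a1=34000 a2=7 a3=812 items=0 ppid=3321 pid=29268 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
"""
# Protection bits from <sys/mman.h>; a2 is the prot argument of mmap and mprotect.
PROT_BITS = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
# x86_64 (arch=c000003e) syscall numbers that can trigger an execmem denial.
X86_64_SYSCALLS = {9: "mmap", 10: "mprotect"}
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r'msg=audit\(([\d.]+:\d+)\)')

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into key/value fields, plus its serial and denied perm."""
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    m = SERIAL_RE.search(line)
    if m:
        fields["serial"] = m.group(1)
    perm = re.search(r'avc:\s+denied\s+\{ ([^}]+) \}', line)
    if perm:
        fields["denied"] = perm.group(1).strip()
    return fields

def decode_prot(value: str) -> List[str]:
    """Decode the hex prot argument into its PROT_* flag names."""
    prot = int(value, 16)
    return [name for bit, name in sorted(PROT_BITS.items()) if prot & bit]

def triage_execmem(audit_text: str) -> List[Dict[str, object]]:
    """Pair each execmem AVC denial with the SYSCALL record sharing its serial."""
    records = [parse_record(l) for l in audit_text.splitlines() if l.strip()]
    by_serial: Dict[str, Dict[str, Dict[str, str]]] = {}
    for r in records:
        by_serial.setdefault(r.get("serial", ""), {})[r["type"]] = r
    findings = []
    for serial, group in by_serial.items():
        avc, sc = group.get("AVC"), group.get("SYSCALL")
        if not avc or avc.get("denied") != "execmem":
            continue
        finding = {"serial": serial, "comm": avc["comm"], "pid": avc["pid"],
                   "scontext": avc["scontext"], "exe": sc["exe"] if sc else None}
        if sc and sc.get("arch") == "c000003e":
            finding["syscall"] = X86_64_SYSCALLS.get(int(sc["syscall"]), sc["syscall"])
            finding["prot"] = decode_prot(sc["a2"])   # RWX here, the execmem case
            finding["eacces"] = sc.get("exit") == "-13"  # -13 is EACCES
        findings.append(finding)
    return findings
```

Feeding `ausearch -m AVC,SYSCALL -ts recent` output to `triage_execmem` works the same way, since each record already sits on its own line.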
Removing the Livna nvidia package (and also preload) fixes it for me.