Bug 484569 - SELinux is preventing gnome-screensav from loading /usr/lib/fglrx/libatiadlxx.so which requires text relocation.
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: selinux-policy (Show other bugs)
Version: 10
Hardware: i686 Linux
Priority: low  Severity: medium
Assigned To: Miroslav Grepl
QA Contact: Ben Levenson
Reported: 2009-02-08 08:51 EST by John Mellor
Modified: 2009-03-23 09:39 EDT (History)

Doc Type: Bug Fix
Last Closed: 2009-03-23 09:39:37 EDT
Description John Mellor 2009-02-08 08:51:07 EST
Description of problem:
SELinux is preventing gnome-screensav from loading /usr/lib/fglrx/libatiadlxx.so which requires text relocation. 

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Detailed Description: The gnome-screensav application attempted to load /usr/lib/fglrx/libatiadlxx.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/fglrx/libatiadlxx.so to use relocation as a workaround, until the library is fixed. Please file a bug report against this package.

Source Context:  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:lib_t:s0
Target Objects:  /usr/lib/fglrx/libatiadlxx.so [ file ]
Source:  gnome-screensav
Source Path:  /usr/libexec/gnome-screensaver-gl-helper
Port:  <Unknown>
Host:  john.mellor.dyndns.org
Source RPM Packages:  gnome-screensaver-2.24.1-2.fc10
Target RPM Packages:  xorg-x11-drv-fglrx-libs-8.573-1.9.1.fc10
Policy RPM:  selinux-policy-3.5.13-41.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  allow_execmod
Host Name:  john.mellor.dyndns.org
Platform:  Linux john.mellor.dyndns.org 2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed Jan 21 02:09:37 EST 2009 i686 athlon
Alert Count:  8
First Seen:  Thu 05 Feb 2009 10:48:10 PM EST
Last Seen:  Sat 07 Feb 2009 03:33:52 PM EST
Local ID:  bedd32eb-ed51-41c9-8dbf-d427ecc3e719
Line Numbers:

Raw Audit Messages:
node=john.mellor.dyndns.org type=AVC msg=audit(1234038832.191:203): avc: denied { execmod } for pid=2533 comm="gnome-screensav" path="/usr/lib/fglrx/libatiadlxx.so" dev=dm-0 ino=12566896 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file
node=john.mellor.dyndns.org type=SYSCALL msg=audit(1234038832.191:203): arch=40000003 syscall=125 success=no exit=-13 a0=598000 a1=1f000 a2=5 a3=bffeda00 items=0 ppid=27248 pid=2533 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=6 comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
Comment 1 Daniel Walsh 2009-02-09 08:38:18 EST
Miroslav, just add

/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	system_u:object_r:textrel_shlib_t:s0

To F9 and F10.

Trying to get this closed source stuff right is just impossible.


John, if you just execute,

chcon -t textrel_shlib_t /usr/lib/fglrx/*.so

You will be fine until this gets fixed in an update.
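As an added illustration (not part of the report, of Dan Walsh's comment, or of Fedora's selinux-policy), the POSIX shell functions below parse an AVC record like the one quoted in the description, pull out the denied permission, the target path and the source and target types, and derive from them the file-context entry and the one-shot chcon workaround proposed in comment 1. The AVC string embedded here is a constructed copy of the report's record, trimmed to the fields the functions read; `FGLRX_FC` is the pattern from comment 1, and `fc_matches` reproduces the way libselinux anchors file_contexts regexes at both ends so the pattern's coverage can be checked before it is shipped.

```shell
#!/bin/sh
# Added example: triage an SELinux execmod denial from its raw audit record.
# Not part of the bug report or of selinux-policy; the record below is a
# constructed copy of the one quoted in the description, trimmed to the
# fields used here.
AVC_SAMPLE='node=john.mellor.dyndns.org type=AVC msg=audit(1234038832.191:203): avc: denied { execmod } for pid=2533 comm="gnome-screensav" path="/usr/lib/fglrx/libatiadlxx.so" dev=dm-0 ino=12566896 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file'

# The file_contexts pattern proposed in comment 1.
FGLRX_FC='/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*'

# avc_field RECORD KEY: print the value of KEY=value with quotes stripped.
# The key must be preceded by whitespace so "context" cannot hit "scontext".
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_permission RECORD: the permission named inside "denied { ... }".
avc_permission() {
    printf '%s\n' "$1" | sed -n 's/.*denied {[[:space:]]*\([^} ]*\)[[:space:]]*}.*/\1/p'
}

# context_type CONTEXT: the type, i.e. the third colon-separated component
# of user:role:type:range.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# fc_matches PATTERN PATH: would this file_contexts regex label PATH?
# libselinux anchors every pattern at both ends; do the same here.
fc_matches() {
    printf '%s\n' "$2" | grep -Eq "^$1\$"
}

# execmod_fix RECORD: for an execmod denial on a lib_t file, print the
# file_contexts entry that labels the directory's shared objects
# textrel_shlib_t, then the chcon workaround for the single library the
# denial names.  Any other denial prints nothing and returns 1.
# The generated pattern covers only the denied library's own directory;
# comment 1's hand-written entry is wider (/usr/lib(64)?/...).
execmod_fix() {
    perm=$(avc_permission "$1")
    tclass=$(avc_field "$1" tclass)
    path=$(avc_field "$1" path)
    ttype=$(context_type "$(avc_field "$1" tcontext)")
    [ "$perm" = execmod ] && [ "$tclass" = file ] && [ "$ttype" = lib_t ] || return 1
    dir=$(dirname "$path")
    printf '%s/.*\\.so(\\.[^/]*)*\t--\tsystem_u:object_r:textrel_shlib_t:s0\n' "$dir"
    printf 'chcon -t textrel_shlib_t %s\n' "$path"
}

# Stand-alone run: show the fix derived from the sample record.
execmod_fix "$AVC_SAMPLE"
```

Before relabelling, `readelf -d /usr/lib/fglrx/libatiadlxx.so | grep TEXTREL` confirms that the library really carries text relocations rather than the denial being caused by something else mapping it writable and executable. The chcon label is a local override; once a policy update ships the file_contexts entry, `restorecon -Rv /usr/lib/fglrx` applies the packaged label and the hand-set one is no longer needed.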
Comment 2 Miroslav Grepl 2009-02-12 10:06:39 EST
Fixed in selinux-policy-3.5.13-45.fc10
Comment 3 John Mellor 2009-03-21 14:40:31 EDT
Seems to be fixed now.
Comment 4 Daniel Walsh 2009-03-23 09:39:37 EDT
If you verify a bug as fixed, you can close it.
