Description of problem:
SELinux is preventing gnome-screensav from loading /usr/lib/fglrx/libatiadlxx.so which requires text relocation.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

Detailed Description:
The gnome-screensav application attempted to load /usr/lib/fglrx/libatiadlxx.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/fglrx/libatiadlxx.so to use relocation as a workaround, until the library is fixed. Please file a bug report against this package.

Source Context: unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context: system_u:object_r:lib_t:s0
Target Objects: /usr/lib/fglrx/libatiadlxx.so [ file ]
Source: gnome-screensav
Source Path: /usr/libexec/gnome-screensaver-gl-helper
Port: <Unknown>
Host: john.mellor.dyndns.org
Source RPM Packages: gnome-screensaver-2.24.1-2.fc10
Target RPM Packages: xorg-x11-drv-fglrx-libs-8.573-1.9.1.fc10
Policy RPM: selinux-policy-3.5.13-41.fc10
Selinux Enabled: True
Policy Type: targeted
MLS Enabled: True
Enforcing Mode: Enforcing
Plugin Name: allow_execmod
Host Name: john.mellor.dyndns.org
Platform: Linux john.mellor.dyndns.org 2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed Jan 21 02:09:37 EST 2009 i686 athlon
Alert Count: 8
First Seen: Thu 05 Feb 2009 10:48:10 PM EST
Last Seen: Sat 07 Feb 2009 03:33:52 PM EST
Local ID: bedd32eb-ed51-41c9-8dbf-d427ecc3e719
Line Numbers:

Raw Audit Messages:

node=john.mellor.dyndns.org type=AVC msg=audit(1234038832.191:203): avc: denied { execmod } for pid=2533 comm="gnome-screensav" path="/usr/lib/fglrx/libatiadlxx.so" dev=dm-0 ino=12566896 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=john.mellor.dyndns.org type=SYSCALL msg=audit(1234038832.191:203): arch=40000003 syscall=125 success=no exit=-13 a0=598000 a1=1f000 a2=5 a3=bffeda00 items=0 ppid=27248 pid=2533 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=6 comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
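Added example, not part of the original report or of any Fedora tool: a Python script that joins the AVC and SYSCALL records above by event id, decodes the denied call (syscall 125 on i386 is mprotect, with hex arguments), and checks whether the denied path falls under the fglrx file-context pattern proposed later in this thread. The function names are hypothetical, the SYSCALL record is abridged, and Python's re.fullmatch is assumed as a stand-in for SELinux's anchored file-context matching.

```python
import re
import shlex

# Constructed sample: the AVC and (abridged) SYSCALL records from the report.
SAMPLE = (
    'node=john.mellor.dyndns.org type=AVC msg=audit(1234038832.191:203): avc: denied { execmod } '
    'for pid=2533 comm="gnome-screensav" path="/usr/lib/fglrx/libatiadlxx.so" dev=dm-0 ino=12566896 '
    'scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=file\n'
    'node=john.mellor.dyndns.org type=SYSCALL msg=audit(1234038832.191:203): arch=40000003 '
    'syscall=125 success=no exit=-13 a0=598000 a1=1f000 a2=5 a3=bffeda00 items=0 pid=2533 '
    'comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" key=(null)\n'
)
# File-context pattern proposed in the thread. SELinux anchors such patterns at
# both ends; re.fullmatch stands in for that matcher here (assumption).
FC_PATTERN = r"/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*"
PROT = {1: "PROT_READ", 2: "PROT_WRITE", 4: "PROT_EXEC"}
SYSCALLS = {("40000003", "125"): "mprotect"}  # i386 only; extend as needed
RECORD = re.compile(r"type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)")

def parse_events(text):
    """Group audit records by event id (timestamp:serial)."""
    events = {}
    for line in text.splitlines():
        m = RECORD.search(line)
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = dict(t.split("=", 1) for t in shlex.split(body) if "=" in t)
        perms = re.search(r"avc:\s+denied\s+\{([^}]*)\}", body)  # denials only
        fields["perms"] = perms.group(1).split() if perms else []
        events.setdefault(event_id, {})[rtype] = fields
    return events

def execmod_denials(text):
    """Return one summary per denied execmod, joined with its SYSCALL record."""
    found = []
    for event_id, recs in parse_events(text).items():
        avc, sc = recs.get("AVC", {}), recs.get("SYSCALL", {})
        if "execmod" not in avc.get("perms", []):
            continue
        name = SYSCALLS.get((sc.get("arch"), sc.get("syscall")))
        prot = int(sc.get("a2", "0"), 16) if name == "mprotect" else 0  # args are hex
        ctx = avc.get("tcontext", "").split(":")
        found.append({"event": event_id, "path": avc.get("path"), "exe": sc.get("exe"),
                      "target_type": ctx[2] if len(ctx) > 2 else None, "syscall": name,
                      "prot": [n for bit, n in PROT.items() if prot & bit],
                      "matches_fc_pattern": bool(re.fullmatch(FC_PATTERN, avc.get("path", "")))})
    return found
```

Calling `execmod_denials(SAMPLE)` yields one entry showing an mprotect to read+execute on a lib_t file, which is the condition the textrel_shlib_t label is meant to permit.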
Miroslav, just add

    /usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- system_u:object_r:textrel_shlib_t:s0

To F9 and F10. Trying to get this closed source stuff right is just impossible.

John, if you just execute

    chcon -t textrel_shlib_t /usr/lib/fglrx/*.so

you will be fine until this gets fixed in an update.
Fixed in selinux-policy-3.5.13-45.fc10
Seems to be fixed now.
If you verify a bug as fixed, you can close it.