Bug 484569 - SELinux is preventing gnome-screensav from loading /usr/lib/fglrx/libatiadlxx.so which requires text relocation.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: i686
OS: Linux
low
medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-02-08 13:51 UTC by John Mellor
Modified: 2009-03-23 13:39 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-03-23 13:39:37 UTC
Type: ---
Embargoed:



Description John Mellor 2009-02-08 13:51:07 UTC
Description of problem:
SELinux is preventing gnome-screensav from loading /usr/lib/fglrx/libatiadlxx.so which requires text relocation. 

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:

Detailed Description: The gnome-screensav application attempted to load /usr/lib/fglrx/libatiadlxx.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/fglrx/libatiadlxx.so to use relocation as a workaround, until the library is fixed. Please file a bug report against this package.

Source Context:  unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
Target Context:  system_u:object_r:lib_t:s0
Target Objects:  /usr/lib/fglrx/libatiadlxx.so [ file ]
Source:  gnome-screensav
Source Path:  /usr/libexec/gnome-screensaver-gl-helper
Port:  <Unknown>
Host:  john.mellor.dyndns.org
Source RPM Packages:  gnome-screensaver-2.24.1-2.fc10
Target RPM Packages:  xorg-x11-drv-fglrx-libs-8.573-1.9.1.fc10
Policy RPM:  selinux-policy-3.5.13-41.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Enforcing
Plugin Name:  allow_execmod
Host Name:  john.mellor.dyndns.org
Platform:  Linux john.mellor.dyndns.org 2.6.27.12-170.2.5.fc10.i686 #1 SMP Wed Jan 21 02:09:37 EST 2009 i686 athlon
Alert Count:  8
First Seen:  Thu 05 Feb 2009 10:48:10 PM EST
Last Seen:  Sat 07 Feb 2009 03:33:52 PM EST
Local ID:  bedd32eb-ed51-41c9-8dbf-d427ecc3e719
Line Numbers:

Raw Audit Messages:

node=john.mellor.dyndns.org type=AVC msg=audit(1234038832.191:203): avc: denied { execmod } for pid=2533 comm="gnome-screensav" path="/usr/lib/fglrx/libatiadlxx.so" dev=dm-0 ino=12566896 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=system_u:object_r:lib_t:s0 tclass=file

node=john.mellor.dyndns.org type=SYSCALL msg=audit(1234038832.191:203): arch=40000003 syscall=125 success=no exit=-13 a0=598000 a1=1f000 a2=5 a3=bffeda00 items=0 ppid=27248 pid=2533 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=6 comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Comment 1 Daniel Walsh 2009-02-09 13:38:18 UTC
Miroslav, just add

/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)*	--	system_u:object_r:textrel_shlib_t:s0

To F9 and F10.

Trying to get this closed source stuff right is just impossible.


John if you just execute, 

chcon -t textrel_shlib_t /usr/lib/fglrx/*.so

You will be fine until this gets fixed in an update.
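
Added example, not part of the original thread and not selinux-policy code: a check that the file-context entry from Comment 1 covers the file named in the reported execmod denial, and which type it would assign. The function names are hypothetical, and Python's `re` stands in for the regex engine libselinux uses; the pattern is anchored at both ends, as file_contexts entries are.

```python
import re
import shlex

# Entry proposed in Comment 1: path regex, "--" (regular files only), label.
FC_ENTRY = r"/usr/lib(64)?/fglrx/.*\.so(\.[^/]*)* -- system_u:object_r:textrel_shlib_t:s0"

# AVC record copied from the report's raw audit messages (node= prefix dropped).
AUDIT_LINE = (
    'type=AVC msg=audit(1234038832.191:203): avc: denied { execmod } for pid=2533 '
    'comm="gnome-screensav" path="/usr/lib/fglrx/libatiadlxx.so" dev=dm-0 '
    'ino=12566896 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:lib_t:s0 tclass=file'
)

def parse_fc_entry(entry):
    regex, ftype, context = entry.split()
    # file_contexts regexes are implicitly anchored at both ends of the path.
    return re.compile("^(?:" + regex + ")$"), ftype, context

def rule_matches(path, entry=FC_ENTRY):
    return parse_fc_entry(entry)[0].match(path) is not None

def parse_avc(line):
    m = re.search(r"avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)", line)
    if not m:
        return None
    # shlex strips the quotes around comm="..." and path="..."
    fields = dict(t.split("=", 1) for t in shlex.split(m.group(2)) if "=" in t)
    fields["perms"] = m.group(1).split()
    return fields

def relabel_for(line, entry=FC_ENTRY):
    """Return (path, current_type, new_type) if the entry covers the denied file."""
    avc = parse_avc(line)
    if not avc or "execmod" not in avc["perms"] or avc.get("tclass") != "file":
        return None
    if not rule_matches(avc["path"], entry):
        return None
    new_type = parse_fc_entry(entry)[2].split(":")[2]
    return avc["path"], avc["tcontext"].split(":")[2], new_type

if __name__ == "__main__":
    print(relabel_for(AUDIT_LINE))
    for p in ("/usr/lib64/fglrx/libGL.so.1.2", "/usr/lib/libGL.so",
              "/usr/lib/fglrx/README"):
        print(p, rule_matches(p))
```

Only paths under `/usr/lib/fglrx/` or `/usr/lib64/fglrx/` that end in `.so` or a versioned `.so.N` suffix match, so the `textrel_shlib_t` label stays confined to the driver's own libraries.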

Comment 2 Miroslav Grepl 2009-02-12 15:06:39 UTC
Fixed in selinux-policy-3.5.13-45.fc10

Comment 3 John Mellor 2009-03-21 18:40:31 UTC
Seems to be fixed now.

Comment 4 Daniel Walsh 2009-03-23 13:39:37 UTC
If you verify a bug as fixed, you can close it.

