Bug 486772 - SELinux is preventing gnome-screensav from loading /usr/lib/fglrx/libatiadlxx.so which requires text relocation.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: selinux-policy
Version: 10
Hardware: All
OS: Linux
Priority: low
Severity: medium
Target Milestone: ---
Assignee: Miroslav Grepl
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-02-22 02:32 UTC by rohit
Modified: 2009-02-23 09:49 UTC

Doc Type: Bug Fix
Last Closed: 2009-02-23 09:49:14 UTC
Type: ---

Description rohit 2009-02-22 02:32:12 UTC
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020410 Fedora/3.0.6-1.fc10 Firefox/3.0.6

Detailed Description:
[SELinux is in permissive mode, the operation would have been denied but was permitted due to permissive mode.]
The gnome-screensav application attempted to load /usr/lib/fglrx/libatiadlxx.so which requires text relocation. This is a potential security problem. Most libraries do not need this permission. Libraries are sometimes coded incorrectly and request this permission. The SELinux Memory Protection Tests web page explains how to remove this requirement. You can configure SELinux temporarily to allow /usr/lib/fglrx/libatiadlxx.so to use relocation as a workaround, until the library is fixed. Please file a bug report against this package.

Additional Information
Source Context:  unconfined_u:unconfined_r:unconfined_t:s0
Target Context:  system_u:object_r:lib_t:s0
Target Objects:  /usr/lib/fglrx/libatiadlxx.so [ file ]
Source:  glxinfo
Source Path:  /usr/bin/glxinfo
Port:  <Unknown>
Host:  localhost.localdomain
Source RPM Packages:  gnome-screensaver-2.24.1-2.fc10
Target RPM Packages:  xorg-x11-drv-fglrx-libs-8.573-1.9.1.fc10
Policy RPM:  selinux-policy-3.5.13-44.fc10
Selinux Enabled:  True
Policy Type:  targeted
MLS Enabled:  True
Enforcing Mode:  Permissive
Plugin Name:  allow_execmod
Host Name:  localhost.localdomain
Platform:  Linux localhost.localdomain 2.6.27.15-170.2.24.fc10.i686 #1 SMP Wed Feb 11 23:58:12 EST 2009 i686 athlon (AMD Phenom Quad Core)
Alert Count:  1
First Seen:  Sat 21 Feb 2009 11:54:08 PM IST
Last Seen:  Sun 22 Feb 2009 12:18:33 AM IST
Local ID:  3591d9a3-a2dd-417c-a336-4b9e3deca9f7

Raw Audit Messages :

node=localhost.localdomain type=AVC msg=audit(1235242113.561:28): avc: denied { execmod } for pid=12565 comm="gnome-screensav" path="/usr/lib/fglrx/libatiadlxx.so" dev=sda7 ino=2370152 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file 

node=localhost.localdomain type=SYSCALL msg=audit(1235242113.561:28): arch=40000003 syscall=125 success=yes exit=0 a0=8ac000 a1=1f000 a2=5 a3=bfe3e7f0 items=0 ppid=3254 pid=12565 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null) 

Reproducible: Always

Steps to Reproduce:
1. Install fglrx packages from compiz-fusion repo (including deps)
2. Reboot the system
3. After reboot with updated kernel, and login, it appears on the top right in SELinux icon.
Actual Results:  
Same as given in results box


As a workaround I used chcon command:

chcon -t textrel_shlib_t '/usr/lib/fglrx/libatiadlxx.so'
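
Added example (not part of the original report or of setroubleshoot): a Python triage sketch that pairs the AVC and SYSCALL records from the raw audit messages above by event ID and decodes them, showing that the execmod denial came from an mprotect() call asking for PROT_READ|PROT_EXEC on the library mapping and that it was logged rather than enforced. The function names are illustrative, and the syscall table is an assumption that covers only the arch/syscall pair in this report.

```python
import re

# The two records from "Raw Audit Messages" in this report, copied verbatim.
RECORDS = [
    'node=localhost.localdomain type=AVC msg=audit(1235242113.561:28): avc: denied { execmod } for pid=12565 comm="gnome-screensav" path="/usr/lib/fglrx/libatiadlxx.so" dev=sda7 ino=2370152 scontext=unconfined_u:unconfined_r:unconfined_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file',
    'node=localhost.localdomain type=SYSCALL msg=audit(1235242113.561:28): arch=40000003 syscall=125 success=yes exit=0 a0=8ac000 a1=1f000 a2=5 a3=bfe3e7f0 items=0 ppid=3254 pid=12565 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=1 comm="gnome-screensav" exe="/usr/libexec/gnome-screensaver-gl-helper" subj=unconfined_u:unconfined_r:unconfined_t:s0 key=(null)',
]

# Assumption: only the arch/syscall pair seen here is mapped (i386, 125 = mprotect).
SYSCALLS = {("40000003", 125): "mprotect"}
PROT = {0x1: "PROT_READ", 0x2: "PROT_WRITE", 0x4: "PROT_EXEC"}

def parse(line):
    """Split one audit record into fields, plus its event ID and AVC permissions."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec["event"] = re.search(r"audit\(([^)]+)\)", line).group(1)
    perms = re.search(r"\{ ([^}]+) \}", line)
    rec["perms"] = perms.group(1).split() if perms else []
    return rec

def triage(lines):
    """Pair AVC and SYSCALL records by event ID and explain each execmod denial."""
    events = {}
    for rec in map(parse, lines):
        events.setdefault(rec["event"], {})[rec["type"]] = rec
    findings = []
    for event, recs in events.items():
        avc, sc = recs.get("AVC"), recs.get("SYSCALL")
        if avc is None or "execmod" not in avc["perms"]:
            continue
        f = {"event": event, "path": avc["path"], "tcontext": avc["tcontext"]}
        if sc is not None:
            f["exe"] = sc["exe"]
            f["syscall"] = SYSCALLS.get((sc["arch"], int(sc["syscall"])), sc["syscall"])
            if f["syscall"] == "mprotect":
                # The third mprotect argument (a2, hex) is the requested protection.
                f["prot"] = [n for bit, n in PROT.items() if int(sc["a2"], 16) & bit]
            # success=yes on a denied AVC means the denial was logged, not enforced.
            f["enforced"] = sc["success"] != "yes"
        findings.append(f)
    return findings

if __name__ == "__main__":
    for finding in triage(RECORDS):
        print(finding)
```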

Comment 1 Miroslav Grepl 2009-02-23 09:49:14 UTC
Fixed in current release of selinux-policy:

selinux-policy-3.5.13-45.fc10

